I think the rids files are named after the agent id number. So if you move the one named after the misbehaving agent's id # out of the way (you don't have to move it to the agent or anything) and start the ossec processes it "should" work.
On Wed, Apr 11, 2012 at 9:54 AM, jack.23783 <[email protected]> wrote:
> You got me.
> So what should I do to get the appropriate rids file?
> It still didn't work after I copied the manager's rids to the agent, and vice versa.
> Thanks.
>
> On Wed, Apr 11, 2012 at 8:51 PM, dan (ddp) <[email protected]> wrote:
>>
>> So the agent was running fine, then you reverted to a previous
>> snapshot and it stopped working?
>> Your rids are messed up. You got the agent and manager out of sync.
>> Stop the OSSEC processes on the manager and the agent, move the
>> appropriate rids file in /var/ossec/queue/rids, then start the
>> processes again.
>> Or remove the agent and issue a new key.
>>
>> On Wed, Apr 11, 2012 at 3:59 AM, <[email protected]> wrote:
>> > Hi,
>> > I have an ossec server on ubuntu, and an agent on windows xp. windows xp
>> > is a virtual machine.
>> > At the beginning, everything is OK. But when I change the virtual machine to
>> > an older snapshot (its agent worked fine when I took this snapshot), the
>> > agent cannot connect to the server any more. Its log is as follows:
>> >
>> > 2012/04/11 15:17:59 ossec-agent: INFO: Started (pid: 6404).
>> > 2012/04/11 15:18:09 ossec-agent: WARN: Process locked. Waiting for permission...
>> > 2012/04/11 15:18:20 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '202.197.1.100'.
>> > 2012/04/11 15:18:22 ossec-agent: INFO: Trying to connect to server (202.197.1.100:1514).
>> > 2012/04/11 15:18:22 ossec-agent: INFO: Using IPv4 for: 202.197.1.100 .
>> > 2012/04/11 15:18:43 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '202.197.1.100'.
>> >
>> > What's the problem with it?
>> > Gratitude!
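The manager-side procedure from this thread (stop OSSEC, move the rids file named after the agent ID out of the way, start OSSEC), written out as a shell sketch. This is an added example, not part of the original messages or of OSSEC itself. It assumes the /var/ossec layout mentioned above, numeric agent IDs and the stock bin/ossec-control script; the rids-backup directory and the OSSEC_CONTROL override are hypothetical names.

```shell
#!/bin/sh
# Added example: reset one agent's rids counter file on the OSSEC manager.
# Usage (as root on the manager): resync_agent /var/ossec 001

# move_rids OSSEC_DIR AGENT_ID
# Moves queue/rids/AGENT_ID aside and prints the backup path.
move_rids() {
    dir=$1
    id=$2
    # Agent IDs are numeric (e.g. 001). Rejecting anything else keeps the
    # ID from being used to reach files outside queue/rids.
    case $id in
        ''|*[!0-9]*) echo "invalid agent id: $id" >&2; return 2 ;;
    esac
    src=$dir/queue/rids/$id
    [ -f "$src" ] || { echo "no rids file for agent $id" >&2; return 3; }
    # Keep the old counter instead of deleting it, so the step is reversible.
    bak=$dir/queue/rids-backup          # hypothetical backup location
    mkdir -p "$bak" || return 4
    dst=$bak/$id.$(date +%Y%m%d%H%M%S)
    mv "$src" "$dst" || return 4
    echo "$dst"
}

# resync_agent OSSEC_DIR AGENT_ID
# Stops OSSEC, moves the file, and starts OSSEC again even if the move failed.
resync_agent() {
    # OSSEC_CONTROL is a hypothetical override, useful for dry runs.
    ctl=${OSSEC_CONTROL:-$1/bin/ossec-control}
    "$ctl" stop || return 1
    rc=0
    move_rids "$1" "$2" || rc=$?
    "$ctl" start || return 1
    return $rc
}
```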
