What version of OSSEC (on server and agent)? Has the agent ever successfully communicated with the server?
Run tcpdump on the server. Can you see the udp packets arriving on port 1514? Do you see response packets back to the agent? Are the packets from the agent coming in from the correct IP (the correct IP is the IP you entered into manage_agents on the server when adding the agent)? Recopy the key from the server to the agent and restart the agent's ossec service. Anything in the server or agent's ossec.log? Try running the ossec processes in debug mode. Does anything show up in the logs now?

On Wed, May 23, 2012 at 5:26 AM, hoa nguyen <[email protected]> wrote:
> I'd tried.
> But this problem isn't OK yet.
>
> Ubuntu and XP virtual machine, two nodes communicate via NIC eth0
> Please help me with a solution
> Thanks
>
> Hoa
>
> On May 23, 3:16 pm, mikes <[email protected]> wrote:
>> Try it:
>>
>> /etc/init.d/ossec stop
>> rm /var/ossec/queue/rids/*
>> /etc/init.d/ossec start
>>
>> And check the key for the agent. Try removing the agent from the server and generating a new key,
>> remember to delete rids/* after
>>
>> On Wednesday, 11 April 2012 09:59:41 UTC+2, user [email protected]
>> wrote:
>>
>> > Hi,
>> > I have ossec server on ubuntu, and an agent on windows xp. windows xp
>> > is a virtual machine.
>> > At the beginning, everything is OK. But when I change the virtual machine to an
>> > older snapshot (its agent works fine when I took this snapshot), the
>> > agent can not connect to the server any more. Its log is as follows:
>>
>> > 2012/04/11 15:17:59 ossec-agent: INFO: Started (pid: 6404).
>> > 2012/04/11 15:18:09 ossec-agent: WARN: Process locked. Waiting for
>> > permission...
>> > 2012/04/11 15:18:20 ossec-agent(4101): WARN: Waiting for server reply
>> > (not started). Tried: '202.197.1.100'.
>> > 2012/04/11 15:18:22 ossec-agent: INFO: Trying to connect to server
>> > (202.197.1.100:1514).
>> > 2012/04/11 15:18:22 ossec-agent: INFO: Using IPv4 for: 202.197.1.100 .
>> > 2012/04/11 15:18:43 ossec-agent(4101): WARN: Waiting for server reply
>> > (not started). Tried: '202.197.1.100'.
>>
>> > What's the problem with it?
>> > Gratitude!
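The agent log quoted in this thread can be summarised mechanically before moving on to the server-side checks. The following Python is an added example, not code from the thread or from the OSSEC project; the threshold of two 4101 warnings for `stalled` and the "Connected to the server" success marker are assumptions, and the sample is the quoted log with its wrapped lines rejoined.

```python
import re

# Constructed sample: the agent log lines quoted in the thread, unwrapped.
SAMPLE_LOG = """\
2012/04/11 15:17:59 ossec-agent: INFO: Started (pid: 6404).
2012/04/11 15:18:09 ossec-agent: WARN: Process locked. Waiting for permission...
2012/04/11 15:18:20 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '202.197.1.100'.
2012/04/11 15:18:22 ossec-agent: INFO: Trying to connect to server (202.197.1.100:1514).
2012/04/11 15:18:22 ossec-agent: INFO: Using IPv4 for: 202.197.1.100 .
2012/04/11 15:18:43 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '202.197.1.100'.
"""

# "date time process(code): LEVEL: message"; the code in parentheses is optional.
LINE_RE = re.compile(r"^(\S+ \S+) ([\w-]+)(?:\((\d+)\))?: ([A-Z]+): (.*)$")
TRIED_RE = re.compile(r"Tried: '([^']+)'")
TARGET_RE = re.compile(r"Trying to connect to server \(([^):]+):(\d+)\)")


def summarize_last_start(log_text):
    """Summarise connection attempts since the agent's most recent start."""
    state = None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # wrapped continuation or unrelated line
        ts, _proc, code, _level, msg = m.groups()
        target = TARGET_RE.search(msg)
        if msg.startswith("Started (pid:"):
            # A new start resets the counters: only the latest run matters.
            state = {"started": ts, "waits": 0, "tried": set(),
                     "targets": set(), "connected": False}
        elif state is None:
            continue  # lines before the first start marker
        elif code == "4101":
            state["waits"] += 1
            state["tried"].update(TRIED_RE.findall(msg))
        elif target:
            state["targets"].add((target.group(1), int(target.group(2))))
        elif "Connected to the server" in msg:  # assumed success marker, not on the page
            state["connected"] = True
    if state is not None:
        # Assumption: two or more unanswered waits without a connect = stalled.
        state["stalled"] = state["waits"] >= 2 and not state["connected"]
    return state


if __name__ == "__main__":
    print(summarize_last_start(SAMPLE_LOG))
```

A stalled result that names the expected server address and port says the agent is sending but getting no usable reply, which is where the checks listed in the reply (tcpdump on UDP 1514, source IP, key, rids) take over.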
