I'm setting up a centralized OSSEC configuration, playing around. For now I have a master with three agents. All of them are 2.6, downloaded straight from the OSSEC site.
Every once in a while (that is, while screwing around) I see this message:

ossec-remoted(1310): WARN: Invalid active response (execd) message

and there are no more alerts from the agents in alert.log. I searched the archives, and all I found was about an old bug that was fixed and about using different versions of master/agents.

I've seen it when using agents installed with yum via repo and thought it was because of different versions, so I removed all agents and installed from tgz. Things went well for a while, but now I've seen it again. It happened when I restarted the master without stopping the agents. I stopped everything, then started the master, then started the agents, and everything went back to normal. I tried restarting the master again several times and all was good; I can't reliably reproduce it.

So is anything known about this? When does it happen and how can I avoid it?
