On Thu, Jul 26, 2012 at 12:56 PM, William Lindfors
<[email protected]> wrote:
> How do I get all the agents back online?  I stopped and started the service, 
> but they all remain red and I am getting the following message:
>

Red? What are you seeing red in?

>
> 2012 Jul 26 12:42:25 Rule Id: 5701 level: 8
> Location: profim01->/var/log/secure
> Src IP: UNKNOWN
> Possible attack on the ssh server (or version gathering).
>
>

This looks unrelated. There should be a log message that goes with that.

Check the ossec.log on the manager and the agents to see if there are
any log messages about why they are disconnected. Double check with
`/var/ossec/bin/list_agents -c` that they are disconnected. Have all
of your agents been connected at some point?

>
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On 
> Behalf Of dan (ddp)
> Sent: Thursday, July 26, 2012 9:02 AM
> To: [email protected]
> Subject: Re: [ossec-list] Rule ID 5701? Possible attack on the SSH server? 
> All agents inactive, what gives?
>
> On Thu, Jul 26, 2012 at 12:55 AM, William Lindfors <[email protected]> 
> wrote:
>>
>>
>>
>>
>> Latest events
>>
>>
>>
>> 2012 Jul 26 00:47:01 Rule Id: 5701 level: 8
>> Location: profim01->/var/log/secure
>> Src IP: UNKNOWN
>> Possible attack on the ssh server (or version gathering).
>
> What's the question exactly?
