Did you verify that all ossec services stopped before restarting? I had this issue previously, and one of the services was hanging and not allowing the restart to function.
Run: ps -eaf | grep ossec

On Jul 26, 2012, at 11:12 AM, William Lindfors wrote:

> Here is a screen capture of what I'm talking about. Thx.
>
> <image001.png>
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp)
> Sent: Thursday, July 26, 2012 1:08 PM
> To: [email protected]
> Subject: Re: [ossec-list] Rule ID 5701? Possible attack on the SSH server? All agents inactive, what gives?
>
> On Thu, Jul 26, 2012 at 12:56 PM, William Lindfors <[email protected]> wrote:
> > How do I get all the agents back online? I stopped and started the
> > service, but they all remain red and I am getting the following message:
>
> Red? What are you seeing red in?
>
> > 2012 Jul 26 12:42:25 Rule Id: 5701 level: 8
> > Location: profim01->/var/log/secure
> > Src IP: UNKNOWN
> > Possible attack on the ssh server (or version gathering).
>
> This looks unrelated. There should be a log message that goes with that.
>
> Check the ossec.log on the manager and the agents to see if there are any log
> messages about why they are disconnected. Double check with
> `/var/ossec/bin/list_agents -c` that they are disconnected. Have all of your
> agents been connected at some point?
>
> > -----Original Message-----
> > From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp)
> > Sent: Thursday, July 26, 2012 9:02 AM
> > To: [email protected]
> > Subject: Re: [ossec-list] Rule ID 5701? Possible attack on the SSH server? All agents inactive, what gives?
> >
> > On Thu, Jul 26, 2012 at 12:55 AM, William Lindfors <[email protected]> wrote:
> >> Latest events
> >>
> >> 2012 Jul 26 00:47:01 Rule Id: 5701 level: 8
> >> Location: profim01->/var/log/secure
> >> Src IP: UNKNOWN
> >> Possible attack on the ssh server (or version gathering).
> >
> > What's the question exactly?
