It looks like you are missing /var/ossec/bin/ossec-remoted, which makes sense from the error you have.

You should try debug mode on the manager:

    /var/ossec/bin/ossec-control enable debug
    /var/ossec/bin/ossec-control restart

and watch the results.

On Jul 26, 2012, at 2:55 PM, William Lindfors wrote:

> The list below is what I got when I ran the command. I even rebooted the
> ossec server and the list stated the same. I don’t know what services need
> to be running. Does the list below look ok?
>
> ossecm 24686 1 0 00:42 ? 00:00:00 /var/ossec/bin/ossec-csyslogd
> ossecm 24690 1 0 00:42 ? 00:00:00 /var/ossec/bin/ossec-maild
> root 24694 1 0 00:42 ? 00:00:00 /var/ossec/bin/ossec-execd
> ossec 24698 1 0 00:42 ? 00:00:05 /var/ossec/bin/ossec-analysisd
> root 24702 1 0 00:42 ? 00:00:00 /var/ossec/bin/ossec-logcollector
> root 24714 1 0 00:42 ? 00:00:18 /var/ossec/bin/ossec-syscheckd
> ossec 24718 1 0 00:42 ? 00:00:00 /var/ossec/bin/ossec-monitord
> root 29455 29425 0 17:49 pts/1 00:00:00 grep ossec
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Scott Klauminzer
> Sent: Thursday, July 26, 2012 2:26 PM
> To: [email protected]
> Subject: Re: [ossec-list] Rule ID 5701? Possible attack on the SSH server? All agents inactive, what gives?
>
> Did you verify that all ossec services stopped before restarting?
>
> I had this issue previously, and one of the services was hanging and not
> allowing the restart to function.
>
> run: ps -eaf | grep ossec
>
> On Jul 26, 2012, at 11:12 AM, William Lindfors wrote:
>
> Here is a screen capture of what I'm talking about. Thx.
>
> <image001.png>
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp)
> Sent: Thursday, July 26, 2012 1:08 PM
> To: [email protected]
> Subject: Re: [ossec-list] Rule ID 5701? Possible attack on the SSH server? All agents inactive, what gives?
>
> On Thu, Jul 26, 2012 at 12:56 PM, William Lindfors <[email protected]> wrote:
> > How do I get all the agents back online? I stopped and started the
> > service, but they all remain red and I am getting the following message:
>
> Red? What are you seeing red in?
>
> > 2012 Jul 26 12:42:25 Rule Id: 5701 level: 8
> > Location: profim01->/var/log/secure
> > Src IP: UNKNOWN
> > Possible attack on the ssh server (or version gathering).
>
> This looks unrelated. There should be a log message that goes with that.
>
> Check the ossec.log on the manager and the agents to see if there are any log
> messages about why they are disconnected. Double check with
> `/var/ossec/bin/list_agents -c` that they are disconnected. Have all of your
> agents been connected at some point?
>
> > -----Original Message-----
> > From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp)
> > Sent: Thursday, July 26, 2012 9:02 AM
> > To: [email protected]
> > Subject: Re: [ossec-list] Rule ID 5701? Possible attack on the SSH server? All agents inactive, what gives?
> >
> > On Thu, Jul 26, 2012 at 12:55 AM, William Lindfors <[email protected]> wrote:
> >> Latest events
> >>
> >> 2012 Jul 26 00:47:01 Rule Id: 5701 level: 8
> >> Location: profim01->/var/log/secure
> >> Src IP: UNKNOWN
> >> Possible attack on the ssh server (or version gathering).
> >
> > What's the question exactly?
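
Added example, not part of the thread: the comparison made by eye in the reply at the top (the `ps -eaf | grep ossec` listing against the manager's daemons, with ossec-remoted absent) written as a shell function. The required-daemon list is an assumption based on a default OSSEC manager install, and the sample listing is constructed from the one quoted in the thread.

```shell
#!/bin/sh
# Assumption: core daemons of a default OSSEC manager install. Optional ones
# (ossec-csyslogd, ossec-dbd, ossec-agentlessd) are deliberately not required.
REQUIRED_DAEMONS="ossec-maild ossec-execd ossec-analysisd ossec-logcollector
ossec-remoted ossec-syscheckd ossec-monitord"
OSSEC_BIN="/var/ossec/bin"

# Reads `ps -eaf` output on stdin and prints, one per line, every required
# daemon that has no running process.
missing_ossec_daemons() {
    ps_out=$(cat)
    for daemon in $REQUIRED_DAEMONS; do
        # Field 8 of `ps -eaf` is the command; an exact match on the binary
        # path ignores the "grep ossec" line and look-alike names.
        if ! printf '%s\n' "$ps_out" |
            awk -v bin="$OSSEC_BIN/$daemon" '$8 == bin { found = 1 } END { exit !found }'
        then
            printf '%s\n' "$daemon"
        fi
    done
}

# Constructed sample: the listing quoted in the thread, with the wrapped
# ossec-logcollector line rejoined.
sample_ps_listing() {
    cat <<'EOF'
ossecm   24686     1  0 00:42 ?        00:00:00 /var/ossec/bin/ossec-csyslogd
ossecm   24690     1  0 00:42 ?        00:00:00 /var/ossec/bin/ossec-maild
root     24694     1  0 00:42 ?        00:00:00 /var/ossec/bin/ossec-execd
ossec    24698     1  0 00:42 ?        00:00:05 /var/ossec/bin/ossec-analysisd
root     24702     1  0 00:42 ?        00:00:00 /var/ossec/bin/ossec-logcollector
root     24714     1  0 00:42 ?        00:00:18 /var/ossec/bin/ossec-syscheckd
ossec    24718     1  0 00:42 ?        00:00:00 /var/ossec/bin/ossec-monitord
root     29455 29425  0 17:49 pts/1    00:00:00 grep ossec
EOF
}

# On a live manager: ps -eaf | missing_ossec_daemons
sample_ps_listing | missing_ossec_daemons
```

ossec-remoted is the manager daemon that receives agent traffic, so an empty result here is a precondition for agents showing as connected in `/var/ossec/bin/list_agents -c`.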
