Ok, now I'm seeing another error, which still leads me to believe there's a key problem on the systems.

Checksum mismatch on message from <agent ip>

I googled that, and found some people had some success by comparing the contents of client.keys on the manager and the agent. I did that, they are identical. I really don't know what's wrong here, this should be working. Everything I've checked appears to check out.

On Wednesday, August 8, 2012 9:58:30 PM UTC-4, Nate wrote:
>
> The IP is correct
>
> no nat, The agent is a VM running on a KVM host, getting its network from a Bridge interface. Just like the other 3 vm's which are working perfectly.
>
> IP is unique
>
> key was copied/pasted from the master.
>
> On Wednesday, August 8, 2012 3:00:48 PM UTC-4, dan (ddpbsd) wrote:
>>
>> On Wed, Aug 8, 2012 at 2:53 PM, Nate <[email protected]> wrote:
>> > I've found a number of references to this error message, none of them seem to be helping me though.
>> >
>> > I've recently set up an ossec manager, with four agents. Ossec 2.6, Fedora 15 on the manager, and the four agents are all CentOS 6.
>> >
>> > I added all of the agents by generating keys, restarting ossec on the manager, and then importing the keys on each agent individually.
>> >
>> > On one of the agents, I messed up its IP address on the manager when I generated its key. So I deleted that key, and generated a new one, with a new id, and imported that key on the agent. It joined the master, and all appeared well.
>> >
>> > That agent keeps generating the following error in my ossec.log on the master however.
>> >
>> > 2012/08/08 18:40:57 ossec-remoted(1403): ERROR: Incorrectly formated message from 'ip of agent'.
>> >
>> > I've gone as far as to remove the agent's key on the master, completely remove ossec on the agent, generate a new key on the master, even with a new agent name, reinstall ossec on the agent, and import the new key, it still generates these errors.
>> >
>> > Every report of this error I've found has been related to keys, which is why I've focused on the keys up until now. However after my last step (removing and reinstalling ossec on the agent), I can't see how it could still be the key, unless something isn't clearing on the master.
>> >
>> > What can I try next?
>> >
>>
>> Are you sure you got the IP address correct? There are no NAT devices between the agent and the manager? The IP used by that agent is unique? You didn't fat finger the key?
>>
