OK, gave the add/remove key thing one last shot. Stopped ossec on both the master and the agent. Deleted client.keys on the agent. Used manage_agents to remove the old key from the master, and add a new one. Started ossec on the master. Used manage_agents on the agent to add the key that I extracted (using manage_agents on the master) for this agent to this agent. Started ossec on the agent.

NOW, I get my ossec.log on the master flooded with:

WARN: Invalid active response (execd) message '9:(www'

www is the agent I'm working with. However, I'm getting the same now for every one of my agents... Unrelated? Coincidence? I think ossec has it in for me.

On Thursday, August 9, 2012 8:54:17 AM UTC-4, Nate wrote:
> Ok, now I'm seeing another error, which still leads me to believe there's a key problem on the systems.
>
> Checksum mismatch on message from <agent ip>
>
> I googled that, and found some people had some success by comparing the contents of client.keys on the manager and the agent. I did that, they are identical.
>
> I really don't know what's wrong here, this should be working. Everything I've checked appears to check out.
>
> On Wednesday, August 8, 2012 9:58:30 PM UTC-4, Nate wrote:
>> The IP is correct
>>
>> no NAT. The agent is a VM running on a KVM host, getting its network from a bridge interface. Just like the other 3 VMs which are working perfectly.
>>
>> IP is unique
>>
>> key was copied/pasted from the master.
>>
>> On Wednesday, August 8, 2012 3:00:48 PM UTC-4, dan (ddpbsd) wrote:
>>> On Wed, Aug 8, 2012 at 2:53 PM, Nate <[email protected]> wrote:
>>> > I've found a number of references to this error message, none of them seem to be helping me though.
>>> >
>>> > I've recently set up an ossec manager, with four agents. Ossec 2.6, Fedora 15 on the manager, and the four agents are all CentOS 6.
>>> >
>>> > I added all of the agents by generating keys, restarting ossec on the manager, and then importing the keys on each agent individually.
>>> >
>>> > On one of the agents, I messed up its IP address on the manager when I generated its key. So I deleted that key, and generated a new one, with a new id, and imported that key on the agent. It joined the master, and all appeared well.
>>> >
>>> > That agent keeps generating the following error in my ossec.log on the master however.
>>> >
>>> > 2012/08/08 18:40:57 ossec-remoted(1403): ERROR: Incorrectly formated message from 'ip of agent'.
>>> >
>>> > I've gone as far as to remove the agent's key on the master, completely remove ossec on the agent, generate a new key on the master, even with a new agent name, reinstall ossec on the agent, and import the new key, it still generates these errors.
>>> >
>>> > Every report of this error I've found has been related to keys, which is why I've focused on the keys up until now. However after my last step (removing and reinstalling ossec on the agent), I can't see how it could still be the key, unless something isn't clearing on the master.
>>> >
>>> > What can I try next?
>>> >
>>>
>>> Are you sure you got the IP address correct? There are no NAT devices between the agent and the manager? The IP used by that agent is unique? You didn't fat finger the key?
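
The checks raised in this thread (the agent's client.keys entry matches the manager's, and the agent's IP is unique on the manager) can be scripted. The following is an added example, not part of the original thread or of OSSEC itself. It assumes the usual `ID NAME IP KEY` layout of client.keys lines; the sample entries and shortened keys are constructed, and `parse_keys` and `check` are hypothetical helper names.

```python
from collections import defaultdict

# Constructed sample data (not from the thread); keys are shortened placeholders.
MANAGER_KEYS = """\
001 db 192.0.2.10 aaaa1111
002 mail 192.0.2.11 bbbb2222
004 web-old 192.0.2.12 cccc3333
005 www 192.0.2.12 dddd4444
"""
AGENT_KEYS = "005 www 192.0.2.12 dddd4444\n"


def parse_keys(text):
    """Parse client.keys text (assumed 'ID NAME IP KEY' per line) into {id: (name, ip, key)}."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if len(fields) == 4:
            entries[fields[0]] = tuple(fields[1:])
        elif fields:  # report the line number only, never echo key material
            raise ValueError(f"malformed client.keys line {lineno}")
    return entries


def check(manager_text, agent_text):
    """Compare an agent's key file with the manager's and return a list of findings."""
    manager = parse_keys(manager_text)
    agent = parse_keys(agent_text)
    findings = []
    for agent_id, entry in agent.items():
        if agent_id not in manager:
            findings.append(f"id {agent_id}: not present on manager")
        elif manager[agent_id] != entry:
            diff = [f for f, a, b in zip(("name", "ip", "key"), manager[agent_id], entry) if a != b]
            findings.append(f"id {agent_id}: {', '.join(diff)} differs from manager")
    by_ip = defaultdict(list)
    for agent_id, (_, ip, _) in manager.items():
        by_ip[ip].append(agent_id)
    for ip, ids in by_ip.items():
        if len(ids) > 1 and ip != "any":  # 'any' entries are not tied to one address
            findings.append(f"ip {ip}: shared by ids {', '.join(sorted(ids))}")
    return findings


if __name__ == "__main__":
    for finding in check(MANAGER_KEYS, AGENT_KEYS):
        print(finding)
```

With the constructed data, the agent's own entry matches, but the manager still holds an older entry for the same IP, which is the situation the "IP is unique" question is meant to rule out.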
