On Thu, Aug 9, 2012 at 9:13 AM, Nate <[email protected]> wrote:
> OK, gave the add/remove key thing one last shot.
>
> Stopped ossec on both the master and the agent.
> Deleted client.keys on the agent.
> Used manage_agents to remove the old key from the master, and add a new one.
> Started ossec on the master.
> Used manage_agents on the agent to add the key that I extracted (using
> manage_agents on the master) for this agent to this agent.
> Started ossec on the agent.
>
> NOW, I get my ossec.log on the master flooded with:
>
> WARN: Invalid active response (execd) message '9:(www'
>
> www is the agent I'm working with.
>
> However, I'm getting the same now for every one of my agents... Unrelated?
> Coincidence?
>
> I think ossec has it in for me.
>
>

Someone else is having a similar issue, but I don't know how far
anyone has gotten with tracking it down. It's one of those things I
don't know how to troubleshoot when I can't recreate the issue. Check
the other thread though, maybe something useful has been posted there.

> On Thursday, August 9, 2012 8:54:17 AM UTC-4, Nate wrote:
>>
>> OK, now I'm seeing another error, which still leads me to believe there's
>> a key problem on the systems.
>>
>> Checksum mismatch on message from <agent ip>
>>
>> I googled that, and found some people had some success by comparing the
>> contents of client.keys on the manager and the agent. I did that, they are
>> identical.
>>
>> I really don't know what's wrong here, this should be working. Everything
>> I've checked appears to check out.
>>
>>
>>
>>
>> On Wednesday, August 8, 2012 9:58:30 PM UTC-4, Nate wrote:
>>>
>>> The IP is correct
>>>
>>> No NAT. The agent is a VM running on a KVM host, getting its network from
>>> a bridge interface. Just like the other 3 VMs, which are working perfectly.
>>>
>>> IP is unique
>>>
>>> Key was copied/pasted from the master.
>>>
>>> On Wednesday, August 8, 2012 3:00:48 PM UTC-4, dan (ddpbsd) wrote:
>>>>
>>>> On Wed, Aug 8, 2012 at 2:53 PM, Nate <[email protected]> wrote:
>>>> > I've found a number of references to this error message, none of them
>>>> > seem to be helping me though.
>>>> >
>>>> > I've recently set up an ossec manager, with four agents. Ossec 2.6,
>>>> > Fedora 15 on the manager, and the four agents are all CentOS 6.
>>>> >
>>>> > I added all of the agents by generating keys, restarting ossec on the
>>>> > manager, and then importing the keys on each agent individually.
>>>> >
>>>> > On one of the agents, I messed up its IP address on the manager when I
>>>> > generated its key. So I deleted that key, and generated a new one, with
>>>> > a new id, and imported that key on the agent. It joined the master, and
>>>> > all appeared well.
>>>> >
>>>> > That agent keeps generating the following error in my ossec.log on the
>>>> > master however.
>>>> >
>>>> > 2012/08/08 18:40:57 ossec-remoted(1403): ERROR: Incorrectly formated message from 'ip of agent'.
>>>> >
>>>> > I've gone as far as to remove the agent's key on the master, completely
>>>> > remove ossec on the agent, generate a new key on the master, even with
>>>> > a new agent name, reinstall ossec on the agent, and import the new key,
>>>> > it still generates these errors.
>>>> >
>>>> > Every report of this error I've found has been related to keys, which
>>>> > is why I've focused on the keys up until now. However after my last
>>>> > step (removing and reinstalling ossec on the agent), I can't see how it
>>>> > could still be the key, unless something isn't clearing on the master.
>>>> >
>>>> > What can I try next?
>>>> >
>>>>
>>>> Are you sure you got the IP address correct? There are no NAT devices
>>>> between the agent and the manager? The IP used by that agent is
>>>> unique? You didn't fat finger the key?
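
The checks raised in this thread (is the agent's IP unique on the manager, was the key pasted correctly, do the two client.keys files really match) can be scripted. This is an added example, not part of the original messages or OSSEC's own code; it assumes client.keys holds one "ID NAME IP KEY" entry per line, and the sample data is constructed.

```python
import hashlib

def parse_keys(text):
    """Return {agent_id: (name, ip, key)} from client.keys text.
    Assumed layout: one 'ID NAME IP KEY' entry per line."""
    entries = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 4:
            entries[fields[0]] = (fields[1], fields[2], fields[3])
    return entries

def fingerprint(key):
    """Short SHA-256 prefix so keys can be compared without printing them."""
    return hashlib.sha256(key.encode()).hexdigest()[:12]

def check_agent(manager_text, agent_text):
    """Compare an agent's client.keys against the manager's; return findings."""
    findings = []
    manager, agent = parse_keys(manager_text), parse_keys(agent_text)
    if len(agent) != 1:
        findings.append(f"agent file has {len(agent)} valid entries, expected 1")
    for agent_id, (name, ip, key) in agent.items():
        if agent_id not in manager:
            findings.append(f"id {agent_id} is not in the manager's file")
            continue
        m_name, m_ip, m_key = manager[agent_id]
        if (name, ip) != (m_name, m_ip):
            findings.append(f"id {agent_id}: name/IP differ from manager")
        if key != m_key:
            findings.append(f"id {agent_id}: key {fingerprint(key)} != manager {fingerprint(m_key)}")
        same_ip = sorted(i for i, e in manager.items() if e[1] == ip and i != agent_id)
        if same_ip:
            findings.append(f"IP {ip} also registered under id(s) {', '.join(same_ip)}")
    # Differences a visual comparison misses: CR line endings, trailing blanks.
    if any(l != l.rstrip() for l in agent_text.split("\n")):
        findings.append("agent file has CR or trailing whitespace")
    return findings

# Constructed sample data (not from the thread): a leftover entry shares the
# agent's IP, and the pasted agent file picked up a CRLF line ending.
MANAGER = ("001 db 192.0.2.10 " + "a" * 64 + "\n"
           "002 www 192.0.2.20 " + "b" * 64 + "\n"
           "003 www2 192.0.2.20 " + "c" * 64 + "\n")
AGENT = "003 www2 192.0.2.20 " + "c" * 64 + "\r\n"

if __name__ == "__main__":
    for finding in check_agent(MANAGER, AGENT):
        print(finding)
```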
