How often did you get each of the following messages: 1) "ERROR: Incorrectly formated message from" 2) "Checksum mismatch on message from" 3) "Invalid active response" I am trying to see if any one of them is related to keepalives.
On Thursday, August 9, 2012 6:39:36 AM UTC-7, dan (ddpbsd) wrote:
>
> On Thu, Aug 9, 2012 at 9:13 AM, Nate wrote:
>> OK, gave the add/remove key thing one last shot.
>>
>> Stopped ossec on both the master and the agent.
>> Deleted client.keys on the agent.
>> Used manage_agents to remove the old key from the master, and add a new one.
>> Started ossec on the master.
>> Used manage_agents on the agent to add the key that I extracted (using
>> manage_agents on the master) for this agent to this agent.
>> Started ossec on the agent.
>>
>> NOW, I get my ossec.log on the master flooded with:
>>
>> WARN: Invalid active response (execd) message '9:(www'
>>
>> www is the agent I'm working with.
>>
>> However, I'm getting the same now for every one of my agents... Unrelated?
>> Coincidence?
>>
>> I think ossec has it in for me.
>>
>
> Someone else is having a similar issue, but I don't know how far
> anyone has gotten with tracking it down. It's one of those things I
> don't know how to troubleshoot when I can't recreate the issue. Check
> the other thread though, maybe something useful has been posted there.
>
>> On Thursday, August 9, 2012 8:54:17 AM UTC-4, Nate wrote:
>>>
>>> Ok, now I'm seeing another error, which still leads me to believe there's
>>> a key problem on the systems.
>>>
>>> Checksum mismatch on message from <agent ip>
>>>
>>> I googled that, and found some people had some success by comparing the
>>> contents of client.keys on the manager and the agent. I did that, they are
>>> identical.
>>>
>>> I really don't know what's wrong here, this should be working. Everything
>>> I've checked appears to check out.
>>>
>>> On Wednesday, August 8, 2012 9:58:30 PM UTC-4, Nate wrote:
>>>>
>>>> The IP is correct
>>>>
>>>> no NAT, the agent is a VM running on a KVM host, getting its network from
>>>> a bridge interface. Just like the other 3 VMs which are working perfectly.
>>>>
>>>> IP is unique
>>>>
>>>> key was copied/pasted from the master.
>>>>
>>>> On Wednesday, August 8, 2012 3:00:48 PM UTC-4, dan (ddpbsd) wrote:
>>>>>
>>>>> On Wed, Aug 8, 2012 at 2:53 PM, Nate wrote:
>>>>>> I've found a number of references to this error message, none of them
>>>>>> seem to be helping me though.
>>>>>>
>>>>>> I've recently set up an ossec manager, with four agents. Ossec 2.6,
>>>>>> Fedora 15 on the manager, and the four agents are all CentOS 6.
>>>>>>
>>>>>> I added all of the agents by generating keys, restarting ossec on the
>>>>>> manager, and then importing the keys on each agent individually.
>>>>>>
>>>>>> On one of the agents, I messed up its IP address on the manager when I
>>>>>> generated its key. So I deleted that key, and generated a new one, with a
>>>>>> new id, and imported that key on the agent. It joined the master, and all
>>>>>> appeared well.
>>>>>>
>>>>>> That agent keeps generating the following error in my ossec.log on the
>>>>>> master however.
>>>>>>
>>>>>> 2012/08/08 18:40:57 ossec-remoted(1403): ERROR: Incorrectly formated message
>>>>>> from 'ip of agent'.
>>>>>>
>>>>>> I've gone as far as to remove the agent's key on the master, completely
>>>>>> remove ossec on the agent, generate a new key on the master, even with a
>>>>>> new agent name, reinstall ossec on the agent, and import the new key, it
>>>>>> still generates these errors.
>>>>>>
>>>>>> Every report of this error I've found has been related to keys, which is
>>>>>> why I've focused on the keys up until now. However after my last step
>>>>>> (removing and reinstalling ossec on the agent), I can't see how it could
>>>>>> still be the key, unless something isn't clearing on the master.
>>>>>>
>>>>>> What can I try next?
>>>>>>
>>>>>
>>>>> Are you sure you got the IP address correct? There are no NAT devices
>>>>> between the agent and the manager? The IP used by that agent is
>>>>> unique? You didn't fat finger the key?
>
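As an added example (not code from this thread or from OSSEC), a small POSIX shell check for the two things the replies keep coming back to: whether the agent's client.keys line is field-for-field the same as the manager's entry for that id, and whether the manager assigns one IP to more than one agent. It assumes the client.keys layout of one agent per line (id, name, ip, key); the file paths and the agent id are assumptions supplied by the caller.

```shell
#!/bin/sh
# Added example, not code from the thread or from OSSEC. client.keys holds one
# agent per line: "<id> <name> <ip> <key>". The file paths and the agent id are
# assumptions passed in by the caller.

# Compare the entry for agent id $3 in the manager's file $1 with the entry in
# the agent's file $2. Prints each field that differs (id, name, ip, key);
# returns 0 only when the two lines match exactly.
compare_client_keys() {
    manager_keys="$1"
    agent_keys="$2"
    agent_id="$3"
    m_line=$(awk -v id="$agent_id" '$1 == id' "$manager_keys")
    a_line=$(awk -v id="$agent_id" '$1 == id' "$agent_keys")
    if [ -z "$m_line" ]; then
        echo "id $agent_id: not present on manager"
        return 1
    fi
    if [ -z "$a_line" ]; then
        echo "id $agent_id: not present on agent"
        return 1
    fi
    status=0
    n=1
    for field in id name ip key; do
        m=$(printf '%s\n' "$m_line" | awk -v n="$n" '{ print $n }')
        a=$(printf '%s\n' "$a_line" | awk -v n="$n" '{ print $n }')
        if [ "$m" != "$a" ]; then
            echo "$field differs: manager='$m' agent='$a'"
            status=1
        fi
        n=$((n + 1))
    done
    if [ "$status" -eq 0 ]; then
        echo "id $agent_id: entries match"
    fi
    return "$status"
}

# Report any IP that the manager's client.keys assigns to more than one agent
# (the wildcard "any" is skipped). Returns 1 if a duplicate is found.
check_duplicate_ips() {
    dups=$(awk '$3 != "any" { print $3 }' "$1" | sort | uniq -d)
    if [ -n "$dups" ]; then
        echo "ip assigned to more than one agent: $dups"
        return 1
    fi
    return 0
}
```

Run it on the manager against a copy of the agent's client.keys; a "key differs" line points at a paste error, and a duplicate IP report points at a stale entry left behind when the first key was regenerated.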
