I would need to see some config files. Are you using agent.conf in the 
shared folder on the master (with active response enabled in the ossec.conf 
file)?
Can you post the ossec.conf and the agent.conf from the agent?  I assume 
that the ossec.conf files are the same on each of your agents.

On Tuesday, August 14, 2012 4:17:08 AM UTC-6, bw wrote:

> On 08/09/2012 16:39, dan (ddp) wrote: 
> > On Thu, Aug 9, 2012 at 9:13 AM, Nate <[email protected]> wrote: 
> >> OK, gave the add.remove key thing one last shot. 
> >> 
> >> Stopped ossec on both the master and the agent. 
> >> deleted client.keys on the agent. 
> >> used manage_agents to remove the old key from the master, and add a new one. 
> >> Started ossec on the master. 
> >> used manage_agents on the agent to add the key that I extracted (using 
> >> manage_agents on the master) for this agent to this agent. 
> >> Started ossec on the agent. 
> >> 
> >> NOW, I get my ossec.log on the master flooded with: 
> >> 
> >> WARN: Invalid active response (execd) message '9:(www' 
> >> 
> >> www is the agent I'm working with. 
> >> 
> >> However, I'm getting the same now for every one of my agents... Unrelated? 
> >> Coincidence? 
> >> 
> >> I think ossec has it in for me. 
> >> 
> >> 
> > 
> > Someone else is having a similar issue, but I don't know how far 
> > anyone has gotten with tracking it down. It's one of those things I 
> > don't know how to troubleshoot when I can't recreate the issue. Check 
> > the other thread though, maybe something useful has been posted there. 
> > 
>
> That would be me, getting the warning, not the other errors. When it 
> happens, no message from agents gets through, I get the message from all 
> agents though, not just one. 
>
> The one thing that we seem to have in common is that my www agent runs 
> in a VirtualBox image, bridged. Another agent is the host for www and 
> the third one is an independent host, not virtualized. I didn't try 
> running without the www agent started, I'll try to do that too. 
>
> I had the same agent reporting to a different server but with active 
> response disabled, that was while testing and there were no problems 
> there. 
>
> The other thing that might be different on my setup is that two of the 
> agents, www and its host, connect to one interface, 10.x.x.x while the 
> third one connects to 192.168.x.x. These are two different network 
> interfaces and the server has a couple more, ossec is set to listen on 
> all of them. 
>
>
