On Tue, Aug 14, 2012 at 6:17 AM, bw <[email protected]> wrote:
> On 08/09/2012 16:39, dan (ddp) wrote:
>>
>> On Thu, Aug 9, 2012 at 9:13 AM, Nate <[email protected]> wrote:
>>>
>>> OK, gave the add.remove key thing one last shot.
>>>
>>> Stopped ossec on both the master and the agent.
>>> Deleted client.keys on the agent.
>>> Used manage_agents to remove the old key from the master, and add a new
>>> one.
>>> Started ossec on the master.
>>> Used manage_agents on the agent to add the key that I extracted (using
>>> manage_agents on the master) for this agent to this agent.
>>> Started ossec on the agent.
>>>
>>> NOW, I get my ossec.log on the master flooded with:
>>>
>>> WARN: Invalid active response (execd) message '9:(www'
>>>
>>> www is the agent I'm working with.
>>>
>>> However, I'm getting the same now for every one of my agents...
>>> Unrelated?
>>> Coincidence?
>>>
>>> I think ossec has it in for me.
>>>
>>
>> Someone else is having a similar issue, but I don't know how far
>> anyone has gotten with tracking it down. It's one of those things I
>> don't know how to troubleshoot when I can't recreate the issue. Check
>> the other thread though, maybe something useful has been posted there.
>>
>
> That would be me, getting the warning, not the other errors. When it
> happens, no message from agents gets through, I get the message from all
> agents though, not just one.
>
> The one thing that we seem to have in common is that my www agent runs in a
> VirtualBox image, bridged. Another agent is the host for www and the third
> one is an independent host, not virtualized. I didn't try running without
> the www agent started, I'll try to do that too.
>
> I had the same agent reporting to a different server but with active
> response disabled, that was while testing and there were no problems there.
>
> The other thing that might be different on my setup is that two of the
> agents, www and its host, connect to one interface, 10.x.x.x while the
> third one connects to 192.168.x.x. These are two different network
> interfaces and the server has a couple more, ossec is set to listen on all
> of them.
>

Does it work if you don't have it listening to 2 different networks?
