Good news, that was the issue, I had another key with the same IP Thanks ____________________________________________ Michael Barrett | Information Security Analyst - Lead | Mortgage Guaranty Insurance Corporation 270 E. Kilbourn Ave. | Milwaukee, WI 53202 USA | ( 1.414.347.6271 | 7 1.888.601.4440 | * [email protected]
This message is intended for use only by the person(s) addressed above and may contain privileged and confidential information. Disclosure or use of this message by any other person is strictly prohibited. If this message is received in error, please notify the sender immediately and delete this message. From: "dan (ddp)" <[email protected]> To: [email protected] Date: 08/28/2012 07:25 AM Subject: Re: [ossec-list] 2.5.1 Sent by: [email protected] On Fri, Aug 24, 2012 at 4:38 PM, Michael Barrett <[email protected]> wrote: > > > There shouldn't be any other agents trying to use that IP > > This device only has one IP > > Is there a log that will tell me the IP that the agent is using to > communicate with the server? Not that I'm aware of. Check for duplicates in the client.keys file as well. > ____________________________________________ > Michael Barrett | Information Security Analyst - Lead | Mortgage Guaranty > Insurance Corporation > 270 E. Kilbourn Ave. | Milwaukee, WI 53202 USA | ( 1.414.347.6271 | 7 > 1.888.601.4440 | * [email protected] > > This message is intended for use only by the person(s) addressed above and > may contain privileged and confidential information. Disclosure or use of > this message by any other person is strictly prohibited. If this message is > received in error, please notify the sender immediately and delete this > message. > > > > From: "dan (ddp)" <[email protected]> > To: [email protected] > Date: 08/24/2012 12:12 PM > Subject: Re: [ossec-list] 2.5.1 > Sent by: [email protected] > > ________________________________ > > > > On Fri, Aug 24, 2012 at 12:42 PM, Michael Barrett > <[email protected]> wrote: > > > > > > OK > > > > using ANY, the agent connects > > > > > > SO what does this tell us? > > ____________________________________________ > > There are a few possibilities (and probably others I'm not thinking > of). Is it possible that the agent's IP is being used by multiple > agents? All agents need unique IP addresses. Could the agent be trying > to communicate using a different IP than the one assigned to it in > manage_agents? > > > Michael Barrett | Information Security Analyst - Lead | Mortgage > > Guaranty > > Insurance Corporation > > 270 E. Kilbourn Ave. | Milwaukee, WI 53202 USA | ( 1.414.347.6271 | 7 > > 1.888.601.4440 | * [email protected] > > > > This message is intended for use only by the person(s) addressed above > > and > > may contain privileged and confidential information. Disclosure or use > > of > > this message by any other person is strictly prohibited. If this message > > is > > received in error, please notify the sender immediately and delete this > > message. > > > > > > > > From: "dan (ddp)" <[email protected]> > > To: [email protected] > > Date: 08/24/2012 09:51 AM > > Subject: Re: [ossec-list] 2.5.1 > > Sent by: [email protected] > > > > ________________________________ > > > > > > > > As an experiment, try removing the agent with manage_agents. Then > > re-add it, but for the IP address try entering 'any' (without the > > quotes). > > Then export the key, import the key on the agent, restart, etc. > > > > On Fri, Aug 24, 2012 at 10:41 AM, Michael Barrett > > <[email protected]> wrote: > > > > > > > > > I turned logall on, doesn't seem to make a difference in the message > > > > > > How do I turn debug on? > > > > > > > > > > > > ____________________________________________ > > > Michael Barrett | Information Security Analyst - Lead | Mortgage > > > Guaranty Insurance Corporation > > > 270 E. Kilbourn Ave. | Milwaukee, WI 53202 USA | ( 1.414.347.6271 | 7 > > > 1.888.601.4440 | * [email protected] > > > > > > This message is intended for use only by the person(s) addressed above > > > and may contain privileged and confidential information. Disclosure or > > > use > > > of this message by any other person is strictly prohibited. If this > > > message > > > is received in error, please notify the sender immediately and delete > > > this > > > message. > > > > > > > > > > > > From: "dan (ddp)" <[email protected]> > > > To: [email protected] > > > Date: 08/21/2012 11:40 AM > > > Subject: Re: [ossec-list] 2.5.1 > > > Sent by: [email protected] > > > > > > ________________________________ > > > > > > > > > > > > On Tue, Aug 21, 2012 at 12:36 PM, Michael Barrett > > > <[email protected]> wrote: > > > > > > > > > > > > So if re-installing doesn't work, any ideas of what I can try? > > > > ____________________________________________ > > > > > > > > > Could there be a networking device messing things up in between? Is > > > this the only system having issues? Turn on logall on the server? Turn > > > on debug on the server? Try to add to the log message to get the > > > initial incorrectly formatted message? > > > > > > > Michael Barrett | Information Security Analyst - Lead | Mortgage > > > > Guaranty > > > > Insurance Corporation > > > > 270 E. Kilbourn Ave. | Milwaukee, WI 53202 USA | ( 1.414.347.6271 | > > > > 7 > > > > 1.888.601.4440 | * [email protected] > > > > > > > > This message is intended for use only by the person(s) addressed > > > > above > > > > and > > > > may contain privileged and confidential information. Disclosure or > > > > use > > > > of > > > > this message by any other person is strictly prohibited. If this > > > > message is > > > > received in error, please notify the sender immediately and delete > > > > this > > > > message. > > > > > > > > > > > > > > > > From: "dan (ddp)" <[email protected]> > > > > To: [email protected] > > > > Date: 08/21/2012 11:15 AM > > > > Subject: Re: [ossec-list] 2.5.1 > > > > Sent by: [email protected] > > > > > > > > ________________________________ > > > > > > > > > > > > > > > > On Tue, Aug 21, 2012 at 11:18 AM, Michael Barrett > > > > <[email protected]> wrote: > > > > > > > > > > Is this the only agent on this network? Could there be a > > > > > networking > > > > > device messing things up in between? Is this the only host having > > > > > issues? Is the server listening on multiple networks? What does > > > > > v2.5.1 > > > > > have to do with this? > > > > > > > > > > > > > > > No this isn't the only host > > > > > > > > > > The server is only listening on one IP > > > > > > > > > > The agent has 2.5.1 and we are not ready to go to 2.6 and i wanted > > > > > a > > > > > fresh > > > > > install > > > > > ________________________________ > > > > > > > > What are you going to do when 2.7 comes out? Wait till 2.8 is almost > > > > ready? > > > > > > > > ____________ > > > > > Michael Barrett | Information Security Analyst - Lead | Mortgage > > > > > Guaranty > > > > > Insurance Corporation > > > > > 270 E. Kilbourn Ave. | Milwaukee, WI 53202 USA | ( 1.414.347.6271 > > > > > | > > > > > 7 > > > > > 1.888.601.4440 | * [email protected] > > > > > > > > > > This message is intended for use only by the person(s) addressed > > > > > above > > > > > and > > > > > may contain privileged and confidential information. Disclosure or > > > > > use > > > > > of > > > > > this message by any other person is strictly prohibited. If this > > > > > message > > > > > is > > > > > received in error, please notify the sender immediately and delete > > > > > this > > > > > message. > > > > > > > > > > > > > > > > > > > >
