On Wed, Dec 5, 2012 at 5:27 AM, peng lin <[email protected]> wrote: > 1 can't restart windows agent in server > > AR should be enabled on all agents for the remote restart feature to work > > what is AR ? Is that a file in /var/ossec/etc/shard/ar ? how it use to do. > and how to enabled. I not notes it in windows,but can resolve this problom. >
AR is short for Active Response. > > > 2 About hybrid mode . > > Today i install the hybrid mode again and again. i am sure both my configure > and key are correct .AND key is right .but in hybrid mode ,i use netstat > -antlu ,i can't find 1514 port is open. but in server it opened .So i guess > have something wrong to cause hybrid server can't open 1514 so the agent > can't connect hybrid server ? > > The following is my netstat -anlup > > server(works good) > > Proto Recv-Q Send-Q Local Address Foreign Address > State PID/Program name > udp 0 0 192.168.122.1:53 0.0.0.0:* > 2869/dnsmasq > udp 0 0 0.0.0.0:67 0.0.0.0:* > 2869/dnsmasq > udp 0 0 0.0.0.0:1514 0.0.0.0:* > 21383/ossec-remoted > hybrid(not works) > > Proto Recv-Q Send-Q Local Address Foreign Address > State PID/Program name > udp 0 0 10.64.4.106:34465 10.64.4.103:1514 > ESTABLISHED 6982/ossec-agentd > > and i will give my hybrid conf . > > conf.1 is in /var/ossec/etc conf.2 in /var/ossec/ossec-agent/etc conf.3 > is agent's > > my degsin network is server:10.64.4.103 hybrid:10.64.4.106 agent > 10.64.4.108
