More information:

This morning, in order to continue troubleshooting this problem, I started the Windows 2.7 agent, and the agent log showed that there was a connection to the OSSEC server. The tethereal trace that was running on the server when the agent started showed a handshake, followed by a multitude of UDP packets from the agent. All well and good, looks like all the other agent actions. However, when I looked at the agent from the server, I get:

[root@foobar bin]# ./agent_control -i NaN

OSSEC HIDS agent_control. Agent information:
   Agent ID:   NaN
   Agent Name: Agent-Name-01
   IP address: 192.168.xxx.xxx
   Status:     Never connected

   Operating system:    Unknown
   Client version:      Unknown
   Last keep alive:     Unknown

   Syscheck last started  at: Tue Feb 26 14:19:01 2013
   Rootcheck last started at: Tue Feb 26 14:19:35 2013

Yet there's continuing traffic from the agent to the server.

Can anyone explain this behavior, and is this what I can expect when I upgrade the other agents from 2.6 to 2.7?

On Monday, February 25, 2013 3:43:07 PM UTC-5, biciunas wrote:
>
> Additional information:
>
> 1) I deleted the 2.6 Windows agent, installed a 2.7 agent, and used the same key - same result.
> 2) I deleted the agent key on the server, created a new key, re-installed the 2.7 agent - same result.
>
> ----- Original Message -----
> > I upgraded a CentOS 5.9 server from OSSEC 2.6 to 2.7
> > After restarting OSSEC server, all the 2.6 agents (both Windows and
> > Linux) resumed their connections except for 1 Windows agent. The
> > ossec.log showed:
> >
> > 2013/02/25 18:18:24 ossec-agent: INFO: Started (pid: 3580).
> > 2013/02/25 18:18:34 ossec-agent: WARN: Process locked. Waiting for permission...
> > 2013/02/25 18:18:45 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '10.xxx.xxx.xxx'.
> > 2013/02/25 18:18:47 ossec-agent: INFO: Trying to connect to server (10.xxx.xxx.xxx:1514).
> > 2013/02/25 18:18:47 ossec-agent: INFO: Using IPv4 for: 10.xxx.xxx.xxx .
> > 2013/02/25 18:19:08 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '10.xxx.xxx.xxx'.
> > 2013/02/25 18:19:28 ossec-agent: INFO: Trying to connect to server (10.xxx.xxx.xxx:1514).
> > 2013/02/25 18:19:28 ossec-agent: INFO: Using IPv4 for: 10.xxx.xxx.xxx .
> > < etc.>
> >
> > Wireshark on the Windows agent box shows UDP messages going to the
> > correct IP address.
> >
> > The strangest part is that running tethereal on the OSSEC server shows
> > the requests coming in, but unlike any of the agent conversations,
> > there are no outbound messages from the OSSEC server. I can't find
> > anything that remotely looks like a log entry that may shed any
> > relevant information as to why the agent request is ignored.
> >
> > Starting OSSEC in debug mode does not shed any light on this.
> >
> > Anyone have any ideas?
