I went ahead and used manage_agents to remove the agent off the server. I then, re-added it, imported new keys, and it is now active and working again. Within /ossec/queue/rids the .wait file is no longer there. I will update you if the .wait file appears again and the agent goes down. (I have noticed this pattern)
On Wednesday, June 26, 2013 12:29:16 PM UTC-4, dan (ddpbsd) wrote: > > On Wed, Jun 26, 2013 at 12:08 PM, David Blanton > <[email protected] <javascript:>> wrote: > > # netstat -pan | grep 1514 > > udp 0 0 0.0.0.0:1514 0.0.0.0:* > > 1342/ossec-remoted > > > > > > Try stopping ossec. Make sure that ossec-remoted is stopped as well. > Then start it up. It sounds like remoted isn't stopping properly. > > > > > :) sorry. > > > > On Wednesday, June 26, 2013 11:44:09 AM UTC-4, dan (ddpbsd) wrote: > >> > >> On Wed, Jun 26, 2013 at 11:40 AM, David Blanton > >> <[email protected]> wrote: > >> > # netstat -pan | grep 1514 (agent side) > >> > udp 0 0 172.16.62.121:36469 172.16.23.18:1514 > >> > ESTABLISHED 5545/ossec-agentd > >> > > >> > >> That's absolutely useless now isn't it? What's listening on 1514 on > >> the server side? > >> > >> > On Wednesday, June 26, 2013 11:24:15 AM UTC-4, dan (ddpbsd) wrote: > >> >> > >> >> On Wed, Jun 26, 2013 at 11:17 AM, David Blanton > >> >> <[email protected]> wrote: > >> >> > Edit: The ghostscript installer I made is fine. It seems that one > >> >> > server > >> >> > with an agent keeps making the .wait file in > /opt/ossec/queue/ossec. > >> >> > Very > >> >> > confused as this seems to be the issue. Deleting .wait does not > solve > >> >> > the > >> >> > issue, and if I restart the Server and Agent, the .wait file comes > >> >> > back. > >> >> > Errors are "Waiting for Permissions" and on Server "Cannot bind ot > >> >> > port > >> >> > 1514". > >> >> > > >> >> > >> >> What's listening on port 1514? > >> >> > >> >> > > >> >> > On Wednesday, June 26, 2013 10:48:17 AM UTC-4, David Blanton > wrote: > >> >> >> > >> >> >> I built an installer for the agent installs because in Production > >> >> >> servers > >> >> >> we do not have compilers on them. The agents can start, stop, all > >> >> >> PIDs > >> >> >> run, > >> >> >> netstat -pan | grep 1514 shows that the server is listening, > however > >> >> >> I > >> >> >> get > >> >> >> an ERROR that the the agent cannot connect to the server (it is > >> >> >> transmitting > >> >> >> but server is rejecting). There is no firewall. The ossec.conf > file > >> >> >> is > >> >> >> updated to whitelist the agent IP and allowed-IPS. > >> >> >> > >> >> >> The Web UI shows that the agent is inactive because of this. Does > >> >> >> anybody > >> >> >> have any experience with this? Are there files that cannot be > 'made' > >> >> >> using > >> >> >> an installer/ghostscript that I should be aware of? > >> >> > > >> >> > -- > >> >> > > >> >> > --- > >> >> > You received this message because you are subscribed to the Google > >> >> > Groups > >> >> > "ossec-list" group. > >> >> > To unsubscribe from this group and stop receiving emails from it, > >> >> > send > >> >> > an > >> >> > email to [email protected]. > >> >> > For more options, visit https://groups.google.com/groups/opt_out. > >> >> > > >> >> > > >> > > >> > -- > >> > > >> > --- > >> > You received this message because you are subscribed to the Google > >> > Groups > >> > "ossec-list" group. > >> > To unsubscribe from this group and stop receiving emails from it, > send > >> > an > >> > email to [email protected]. > >> > For more options, visit https://groups.google.com/groups/opt_out. > >> > > >> > > > > > -- > > > > --- > > You received this message because you are subscribed to the Google > Groups > > "ossec-list" group. > > To unsubscribe from this group and stop receiving emails from it, send > an > > email to [email protected] <javascript:>. > > For more options, visit https://groups.google.com/groups/opt_out. > > > > > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/groups/opt_out.
