On Tue, Feb 25, 2014 at 8:31 PM, Ivan Kuo <[email protected]> wrote: > Hi > > I've seen alerts triggered by logs from agent (ex. ossec.conf modified). > > I've add/remove agent with manage_agents many times and restart ossec service > by ossec_control restart command > > Netstat shows the connection of server and agent has been established. > > All the demon running well. > > what can I do next? >
If the agent is triggering alerts, then it is definitely connecting. What's the output of: `ls -l /var/ossec/queue/agent-info` `cat /var/ossec/queue/agent-info/*` Look over the info to make sure you don't want to sanitize anything (like possible IP addresses/hostnames. I think that's where the commands to show connected status get their information. > > Regards, > > Ivan Kuo > > > > > dan (ddp) <[email protected]> 於 2014/2/25 下午9:14 寫道: > >> On Tue, Feb 25, 2014 at 7:00 AM, Kuo Ivan <[email protected]> wrote: >>> Dear >>> >>> I have a ossec agent installed on redhat Linux and have key import success. >>> >>> On the agent, there shows no error in the /var/ossec/logs/ossec.log, and >>> the ossec server as well. >>> >>> Here is the problem, I can't see the agent active but "never connected" on >>> the server. And there are alerts send from agent like "agent started". >>> >>> What is happened? >>> >> >> You are, or are not seeing alerts triggered by logs from that agent? >> Did you restart the OSSEC processes on the server after adding the >> agent with manage_agents? >> is there udp traffic going from the agent to the server's port 1514? >> Is there return traffic? >> Is ossec-remoted running on the server? >> Is ossec-agentd running on the agent? >> >>> Thanks >>> >>> -- >>> >>> --- >>> You received this message because you are subscribed to the Google Groups >>> "ossec-list" group. >>> To unsubscribe from this group and stop receiving emails from it, send an >>> email to [email protected]. >>> For more options, visit https://groups.google.com/groups/opt_out. >> >> -- >> >> --- >> You received this message because you are subscribed to the Google Groups >> "ossec-list" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to [email protected]. >> For more options, visit https://groups.google.com/groups/opt_out. > > -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > For more options, visit https://groups.google.com/groups/opt_out. -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/groups/opt_out.
