On Wed, May 14, 2014 at 8:47 AM, 'Bart Nukats' via ossec-list <[email protected]> wrote:
> Hello,
>
> I'm having issues with agents, I'm unable to successfully reconnect them,
> tried almost everything, but nothing helps, therefore asking for help here.
>
> Info:
>
> I'm using OSSEC HIDS v2.7.1
> Servers IP: 10.48.1.247
> Agent IP: 10.48.1.213
> Firewall: No local or remote firewall is enabled, everything is allowed as
> the traffic goes to the switch and comes back to the host.
>
> It stopped working right after I rebooted my computer (was working fine for
> 3 days). I didn't change anything nor modify anything.
>
> Log data:
>
> from agent log:
>
> 2014/05/14 14:25:31 ossec-agent: INFO: Started (pid: 6684).
> 2014/05/14 14:25:41 ossec-agent: WARN: Process locked. Waiting for permission...
> 2014/05/14 14:25:51 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '10.48.1.247'.
> 2014/05/14 14:25:53 ossec-agent: INFO: Trying to connect to server (10.48.1.247:1514).
> 2014/05/14 14:25:53 ossec-agent: INFO: Using IPv4 for: 10.48.1.247 .
> 2014/05/14 14:26:14 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '10.48.1.247'.
> 2014/05/14 14:26:34 ossec-agent: INFO: Trying to connect to server (10.48.1.247:1514).
> 2014/05/14 14:26:34 ossec-agent: INFO: Using IPv4 for: 10.48.1.247 .
> 2014/05/14 14:26:55 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '10.48.1.247'.
> 2014/05/14 14:27:33 ossec-agent: INFO: Trying to connect to server (10.48.1.247:1514).
> 2014/05/14 14:27:33 ossec-agent: INFO: Using IPv4 for: 10.48.1.247 .
> 2014/05/14 14:27:54 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '10.48.1.247'.
> 2014/05/14 14:28:50 ossec-agent: INFO: Trying to connect to server (10.48.1.247:1514).
> 2014/05/14 14:28:50 ossec-agent: INFO: Using IPv4 for: 10.48.1.247 .
> 2014/05/14 14:29:11 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '10.48.1.247'.
>
> From wireshark on agent:
>
> Everything seems fine
>
> From OSSEC server:
>
> listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
> 14:26:02.058989 IP 10.48.1.213.60259 > 10.48.1.247.1514: UDP, length 78
> 14:26:08.059936 IP 10.48.1.213.60259 > 10.48.1.247.1514: UDP, length 78
> 14:26:10.081897 IP 10.48.1.213.54240 > 10.48.1.247.1514: UDP, length 78
> 14:26:16.082880 IP 10.48.1.213.54240 > 10.48.1.247.1514: UDP, length 78
> 14:26:20.082857 IP 10.48.1.213.54240 > 10.48.1.247.1514: UDP, length 78
> 14:26:25.083823 IP 10.48.1.213.54240 > 10.48.1.247.1514: UDP, length 78
> 14:26:31.083738 IP 10.48.1.213.54240 > 10.48.1.247.1514: UDP, length 78
>
> It receives the packets from the agent (compared with wireshark from agent,
> everything seems the same)
>
> from Server logs:
>
> /var/ossec/logs# tail -f ossec.log
> 2014/05/14 14:43:07 ossec-remoted: WARN: Duplicate error: global: 0, local: 51, saved global: 219, saved local:3548
> 2014/05/14 14:43:07 ossec-remoted(1407): ERROR: Duplicated counter for 'stakub01'.
> 2014/05/14 14:43:13 ossec-remoted: WARN: Duplicate error: global: 0, local: 52, saved global: 219, saved local:3548
> 2014/05/14 14:43:13 ossec-remoted(1407): ERROR: Duplicated counter for 'stakub01'.
> 2014/05/14 14:43:17 ossec-remoted: WARN: Duplicate error: global: 0, local: 53, saved global: 219, saved local:3548
> 2014/05/14 14:43:17 ossec-remoted(1407): ERROR: Duplicated counter for 'stakub01'.
> 2014/05/14 14:43:22 ossec-remoted: WARN: Duplicate error: global: 0, local: 54, saved global: 219, saved local:3548
> 2014/05/14 14:43:22 ossec-remoted(1407): ERROR: Duplicated counter for 'stakub01'.
> 2014/05/14 14:43:28 ossec-remoted: WARN: Duplicate error: global: 0, local: 55, saved global: 219, saved local:3548
> 2014/05/14 14:43:28 ossec-remoted(1407): ERROR: Duplicated counter for 'stakub01'.
>
> I've checked the agents and there is only one username stakub01 - mine, so I
> don't understand the message
>
> 1) I've re-installed the agent - put all the values again, the agent
> registered - Status: RUnning..."
>
> 2) I've restarted the management server couple of times, still the same
> issue
>
> 3) rebooted the linux server where ossec is - still the same issue
>
> 4) the only viable solution would be to get rid of the duplicates? But how
> did they get there?
>

Try stopping the OSSEC manager, deleting the file in /var/ossec/queue/rids that corresponds with stakub01, and starting the OSSEC manager back up. Then restart the agent's OSSEC processes.

> Br,
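
The procedure from the reply above, as an added shell example (not part of the original thread and not OSSEC project code). It assumes the default /var/ossec prefix, that etc/client.keys lists agents as "ID NAME IP KEY", and that the files in queue/rids are named by agent ID; the function names are hypothetical, and the counter file is moved aside as a backup instead of being deleted.

```shell
#!/bin/sh
# Added example: reset the manager-side counter file for one agent by name.
# Assumed layout: $OSSEC_DIR/etc/client.keys and $OSSEC_DIR/queue/rids/<ID>.
OSSEC_DIR="${OSSEC_DIR:-/var/ossec}"

# Print the agent ID registered under the given name.
# Fails when the name is missing or appears more than once in client.keys.
agent_id_for() {
    awk -v n="$1" '$2 == n { id = $1; c++ }
                   END { if (c != 1) exit 1; print id }' \
        "$OSSEC_DIR/etc/client.keys"
}

# Move the agent's counter file out of queue/rids and print the agent ID.
# The backup keeps the old counters available if the reset has to be undone.
reset_rids() {
    id=$(agent_id_for "$1") || {
        echo "agent '$1' not found or ambiguous in client.keys" >&2
        return 1
    }
    f="$OSSEC_DIR/queue/rids/$id"
    [ -f "$f" ] || { echo "no rids file for agent ID $id" >&2; return 1; }
    mv "$f" "$OSSEC_DIR/rids-$id.bak"
    echo "$id"
}

# Full sequence, run on the manager as root:  sh this-script --run stakub01
if [ "${1:-}" = "--run" ] && [ -n "${2:-}" ]; then
    "$OSSEC_DIR/bin/ossec-control" stop
    reset_rids "$2"
    rc=$?
    # Start the manager again even if the reset failed.
    "$OSSEC_DIR/bin/ossec-control" start
    [ "$rc" -eq 0 ] && echo "Now restart the OSSEC agent on the agent host."
    exit "$rc"
fi
```
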
