Thanks Dan,

Seems that removing the queue of rids helped. Why did it happen in the first place? What is the possible cause and how to avoid future disconnects?
Br.

On Wednesday, 14 May 2014 14:47:49 UTC+2, Bart Nukats wrote:
>
> Hello,
>
> I'm having issues with agents, I'm unable to successfully reconnect them, tried almost everything, but nothing helps, therefore asking for help here.
>
> Info:
>
> I'm using OSSEC HIDS v2.7.1
> Server's IP: 10.48.1.247
> Agent IP: 10.48.1.213
> Firewall: No local or remote firewall is enabled, everything is allowed as the traffic goes to the switch and comes back to the host.
>
> It stopped working right after I rebooted my computer (was working fine for 3 days). I didn't change anything nor modify anything.
>
> Log data:
>
> from agent log:
>
> 2014/05/14 14:25:31 ossec-agent: INFO: Started (pid: 6684).
> 2014/05/14 14:25:41 ossec-agent: WARN: Process locked. Waiting for permission...
> 2014/05/14 14:25:51 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '10.48.1.247'.
> 2014/05/14 14:25:53 ossec-agent: INFO: Trying to connect to server ( 10.48.1.247:1514).
> 2014/05/14 14:25:53 ossec-agent: INFO: Using IPv4 for: 10.48.1.247 .
> 2014/05/14 14:26:14 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '10.48.1.247'.
> 2014/05/14 14:26:34 ossec-agent: INFO: Trying to connect to server ( 10.48.1.247:1514).
> 2014/05/14 14:26:34 ossec-agent: INFO: Using IPv4 for: 10.48.1.247 .
> 2014/05/14 14:26:55 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '10.48.1.247'.
> 2014/05/14 14:27:33 ossec-agent: INFO: Trying to connect to server ( 10.48.1.247:1514).
> 2014/05/14 14:27:33 ossec-agent: INFO: Using IPv4 for: 10.48.1.247 .
> 2014/05/14 14:27:54 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '10.48.1.247'.
> 2014/05/14 14:28:50 ossec-agent: INFO: Trying to connect to server ( 10.48.1.247:1514).
> 2014/05/14 14:28:50 ossec-agent: INFO: Using IPv4 for: 10.48.1.247 .
> 2014/05/14 14:29:11 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '10.48.1.247'.
>
> From wireshark on agent:
>
> Everything seems fine
>
> From OSSEC server:
>
> listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
> 14:26:02.058989 IP 10.48.1.213.60259 > 10.48.1.247.1514: UDP, length 78
> 14:26:08.059936 IP 10.48.1.213.60259 > 10.48.1.247.1514: UDP, length 78
> 14:26:10.081897 IP 10.48.1.213.54240 > 10.48.1.247.1514: UDP, length 78
> 14:26:16.082880 IP 10.48.1.213.54240 > 10.48.1.247.1514: UDP, length 78
> 14:26:20.082857 IP 10.48.1.213.54240 > 10.48.1.247.1514: UDP, length 78
> 14:26:25.083823 IP 10.48.1.213.54240 > 10.48.1.247.1514: UDP, length 78
> 14:26:31.083738 IP 10.48.1.213.54240 > 10.48.1.247.1514: UDP, length 78
>
> It receives the packets from the agent (compared with wireshark from agent, everything seems the same)
>
> from Server logs:
>
> /var/ossec/logs# tail -f ossec.log
> 2014/05/14 14:43:07 ossec-remoted: WARN: Duplicate error: global: 0, local: 51, saved global: 219, saved local:3548
> 2014/05/14 14:43:07 ossec-remoted(1407): ERROR: Duplicated counter for 'stakub01'.
> 2014/05/14 14:43:13 ossec-remoted: WARN: Duplicate error: global: 0, local: 52, saved global: 219, saved local:3548
> 2014/05/14 14:43:13 ossec-remoted(1407): ERROR: Duplicated counter for 'stakub01'.
> 2014/05/14 14:43:17 ossec-remoted: WARN: Duplicate error: global: 0, local: 53, saved global: 219, saved local:3548
> 2014/05/14 14:43:17 ossec-remoted(1407): ERROR: Duplicated counter for 'stakub01'.
> 2014/05/14 14:43:22 ossec-remoted: WARN: Duplicate error: global: 0, local: 54, saved global: 219, saved local:3548
> 2014/05/14 14:43:22 ossec-remoted(1407): ERROR: Duplicated counter for 'stakub01'.
> 2014/05/14 14:43:28 ossec-remoted: WARN: Duplicate error: global: 0, local: 55, saved global: 219, saved local:3548
> 2014/05/14 14:43:28 ossec-remoted(1407): ERROR: Duplicated counter for 'stakub01'.
>
> I've checked the agents and there is only one username stakub01 - mine, so I don't understand the message
>
> 1) I've re-installed the agent - put all the values again, the agent registered - Status: "Running..."
>
> 2) I've restarted the management server a couple of times, still the same issue
>
> 3) rebooted the Linux server where ossec is - still the same issue
>
> 4) the only viable solution would be to get rid of the duplicates? But how did they get there?
>
> Br,
>
