That did seem to work, reverting the server agents back to 2.7.1 & rebuilding the agents/keys on the manager (just as an assurance). Now I'm getting all success & failure events as I should be. Wohoo!! To recap for anyone in the future:
1) Removed agents "newer" than the management console.
2) Installed matching version agents back to systems.
3) Destroyed old agents in management console.
4) Recreated the agents in management console & provided new keys to the refreshed agents.
5) Started agents.
6) Restarted management console.
7) Win!

I appreciate you guys. I was starting to think I'd done something overly crazy. I'll keep updates here on this as I continue to see success on the events. Thanks again!

On Monday, June 9, 2014 11:26:40 AM UTC-4, Michael Starks wrote:
>
> On 2014-06-09 10:01, Dan Kennedy wrote:
> > Thanks for the reply. I know that the console is running 2.7 & I
> > believe the agents are 2.8 as I upgraded them shortly after I put the
> > 2.7 ones onto the systems. I'll revert those agents to 2.7 & test a
> > bit, then report back. Thanks kindly!
>
> Dan's right. The manager should generally always be the most recent
> version while the agents can be upgraded after. But in this case, it's
> necessary. The decoder on the 2.7 manager does not understand the newly
> formatted logs. If you can't upgrade the manager right now, you can swap
> out the Windows decoder and that will likely fix your problem.
