On Fri, Aug 8, 2014 at 9:53 AM, Tim Boyer <[email protected]> wrote:
> ossec 2.8-45 and RHEL10
>
> Upgraded to 2.8 from 2.6. I've got a large number of servers with 'Waiting for server reply', which is strange, because it worked previously.
>
> So server at 10.0.130.137, and client at 10.0.130.133. Client says
>
> 2014/08/08 08:59:49 ossec-agentd: INFO: Using IPv4 for: 10.0.130.137 .
> 2014/08/08 09:00:10 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '10.0.130.137'.
> 2014/08/08 09:05:36 ossec-agentd: INFO: Trying to connect to server (10.0.130.137:1514).
> 2014/08/08 09:05:36 ossec-agentd: INFO: Using IPv4 for: 10.0.130.137 .
> 2014/08/08 09:05:57 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '10.0.130.137'.
>
> but I know what that means. Firewall, right? And yet on the server side:
>
> 2014/08/08 09:32:31 ossec-remoted(1403): ERROR: Incorrectly formated message from '10.0.130.133'.
> 2014/08/08 09:32:37 ossec-remoted(1403): ERROR: Incorrectly formated message from '10.0.130.133'.
>
> Don't know how it could be a firewall if the server sees it. Tcpdump verifies that messages are coming in, but not out:
>
> root@saratoga logs)# tcpdump -nn udp and host 10.0.130.133
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
> 09:41:49.004763 IP 10.0.130.133.37892 > 10.0.130.137.1514: UDP, length 73
> 09:41:55.005153 IP 10.0.130.133.37892 > 10.0.130.137.1514: UDP, length 73
> 09:41:59.005509 IP 10.0.130.133.37892 > 10.0.130.137.1514: UDP, length 73
> 09:42:04.005833 IP 10.0.130.133.37892 > 10.0.130.137.1514: UDP, length 73
>
> Bad key, right? Stop server and client; delete key; add key; start server; start client.
>
Did you try a new key, or just the old key? Are the agents using the IP addresses assigned to them in client.keys?

> Same thing.
>
> 2014/08/08 09:48:13 ossec-remoted(1403): ERROR: Incorrectly formated message from '10.0.130.133'.
> 2014/08/08 09:48:19 ossec-remoted(1403): ERROR: Incorrectly formated message from '10.0.130.133'.
> 2014/08/08 09:48:23 ossec-remoted(1403): ERROR: Incorrectly formated message from '10.0.130.133'.
>
> So this is a combination I'm not familiar with. Any suggestions?
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
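The reply's question (does the address each agent sends from match the IP field of its client.keys entry?) can be checked mechanically against the server log. This is an added diagnostic, not code from the thread or from OSSEC: it counts the 1403 errors per source address in an ossec-remoted log and lists the client.keys entries whose IP field covers that address; the sample log lines and client.keys content are constructed from the thread's values, with placeholder keys and assumed agent names.

```python
"""Correlate ossec-remoted 1403 errors with client.keys entries.

Added diagnostic, not part of the thread. client.keys lines have the form
"ID NAME IP KEY", where IP is an address, a CIDR range, or 'any'. The log
lines and keys below are constructed to mirror the thread; keys are placeholders.
"""
import ipaddress
import re
from collections import Counter

# The server-side error quoted in the thread, with the source IP captured.
ERR_RE = re.compile(r"ossec-remoted\(1403\): ERROR: Incorrectly formated message from '([\d.]+)'")

SAMPLE_LOG = """\
2014/08/08 09:48:13 ossec-remoted(1403): ERROR: Incorrectly formated message from '10.0.130.133'.
2014/08/08 09:48:19 ossec-remoted(1403): ERROR: Incorrectly formated message from '10.0.130.133'.
2014/08/08 09:48:23 ossec-remoted(1403): ERROR: Incorrectly formated message from '10.0.130.133'.
2014/08/08 09:50:01 ossec-remoted(1403): ERROR: Incorrectly formated message from '10.0.130.140'.
"""
# Constructed client.keys: the .133 host was registered under .134, so no entry covers .133.
SAMPLE_KEYS = """\
001 webserver01 10.0.130.134 PLACEHOLDER_KEY_NOT_REAL
002 dbserver01 10.0.130.140 PLACEHOLDER_KEY_NOT_REAL
"""

def parse_client_keys(text):
    """Yield (agent_id, name, ip_spec) for each well-formed client.keys line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            agent_id, name, ip_spec, _key = parts
            yield agent_id, name, ip_spec

def ip_covered(ip, ip_spec):
    """True if the client.keys IP field ('any', CIDR or exact address) covers ip."""
    if ip_spec == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(ip_spec, strict=False)

def correlate(remoted_log, client_keys):
    """Per source IP: number of 1403 errors and the client.keys IDs whose IP field covers it."""
    counts = Counter(m.group(1) for m in map(ERR_RE.search, remoted_log.splitlines()) if m)
    entries = list(parse_client_keys(client_keys))
    return {ip: {"errors": n, "agent_ids": [e[0] for e in entries if ip_covered(ip, e[2])]}
            for ip, n in counts.items()}

if __name__ == "__main__":
    for ip, info in correlate(SAMPLE_LOG, SAMPLE_KEYS).items():
        status = ", ".join(info["agent_ids"]) or "no client.keys entry covers this address"
        print(f"{ip}: {info['errors']} x 1403; agent IDs: {status}")
```

Run it against the real /var/ossec/logs/ossec.log and /var/ossec/etc/client.keys on the server; an erroring address that no entry covers means the server holds no key for the address that agent is actually sending from.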
