Just noticed that all those agents which connected back after deleting rids files from the server have now gone back to Disconnected mode.

Could I have missed something crucial during migration? client.keys is the file I copied from the previous OSSEC installation. Also, while monitoring alerts from this new OSSEC deployment, a few of them are still carrying the original hostname this server had. Could this be connected with the problem in any way? Does the OSSEC server hold the "hostname" in any file?

Thanks,
Abhi

On Friday, September 19, 2014 10:42:34 AM UTC-4, dan (ddpbsd) wrote:
> On Fri, Sep 19, 2014 at 10:38 AM, Abhi <[email protected]> wrote:
> > Thanks for the responses.
> >
> > Removed all ossec/queue/rids files and restarted the server. After that, 20
> > more agents started reporting back, but around 50 are still Disconnected.
> >
> > Server logs do not show any error, but one of the agents which has not yet
> > connected gives the following.
> >
> > 2014/09/19 09:11:06 ossec-agentd: WARN: Duplicate error: global: 1, local: 275, saved global: 161, saved local:1399
> > 2014/09/19 09:11:06 ossec-agentd(1407): ERROR: Duplicated counter for '<Agent-Hostname>'.
> > 2014/09/19 09:11:06 ossec-agentd(1214): WARN: Problem receiving message from <OSSEC-Server IP>
>
> Try removing any rids files from that agent.
>
> > Thanks,
> >
> > Abhi
> >
> > On Friday, September 19, 2014 9:56:04 AM UTC-4, Michael Starks wrote:
> >>
> >> On 2014-09-19 8:13, Abhi wrote:
> >>
> >> > After starting OSSEC on the new server, around 22 agents started
> >> > reporting correctly but that was only till an hour. After that, most
> >> > of the agents dropped off, leaving the active count to only 4.
> >>
> >> This might be an issue with the rids. Try deleting the files in
> >> ossec/queue/rids/ and restarting. The logs should give you a clue.

--
You received this message because you are subscribed to the Google Groups "ossec-list" group.
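
Added example, not part of the thread or of OSSEC itself: a small triage script that pairs each "Duplicate error" line with the 1407 line naming the peer, so the hosts that are candidates for the rids cleanup suggested above can be listed from a log. The sample log is constructed from the lines quoted in the thread with a placeholder host name and IP, and treating "received counter not ahead of the saved counter" as the stale case is an assumption read from the fields of the log line.

```python
import re

# Constructed sample: the three agent log lines quoted in the thread plus one
# unrelated line; the host name and server IP are placeholders.
SAMPLE_LOG = """\
2014/09/19 09:11:06 ossec-agentd: WARN: Duplicate error: global: 1, local: 275, saved global: 161, saved local:1399
2014/09/19 09:11:06 ossec-agentd(1407): ERROR: Duplicated counter for 'agent-host.example'.
2014/09/19 09:11:06 ossec-agentd(1214): WARN: Problem receiving message from 192.0.2.10
2014/09/19 09:11:30 ossec-agentd: INFO: constructed unrelated line
"""

COUNTERS = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<daemon>ossec-\w+): WARN: Duplicate error:\s+"
    r"global: (?P<g>\d+), local: (?P<l>\d+), "
    r"saved global: (?P<sg>\d+), saved local:\s*(?P<sl>\d+)")
PEER = re.compile(r"\(1407\): ERROR: Duplicated counter for '(?P<peer>[^']+)'")


def find_counter_mismatches(log_text):
    """Pair each 'Duplicate error' line with the 1407 line that names the peer."""
    findings, pending = [], None
    for line in log_text.splitlines():
        m = COUNTERS.search(line)
        if m:
            received = (int(m["g"]), int(m["l"]))
            saved = (int(m["sg"]), int(m["sl"]))
            # Assumption: a received (global, local) pair that is not ahead of
            # the saved pair is the stale-counter case the thread describes.
            pending = {"time": m["ts"], "daemon": m["daemon"], "peer": None,
                       "received": received, "saved": saved,
                       "behind": received <= saved}
            findings.append(pending)
            continue
        m = PEER.search(line)
        if m and pending is not None:
            pending["peer"] = m["peer"]
            pending = None
    return findings


def peers_needing_rids_cleanup(findings):
    """Named peers whose received counter is not ahead of the saved one."""
    return sorted({f["peer"] for f in findings if f["behind"] and f["peer"]})


if __name__ == "__main__":
    for f in find_counter_mismatches(SAMPLE_LOG):
        print(f["time"], f["daemon"], f["peer"], f["received"], f["saved"])
```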
