On Fri, Sep 19, 2014 at 11:06 AM, Abhi <[email protected]> wrote:
> After removing rids and restarting, agent is now able to connect, but still
> getting the following message:
>
> 2014/09/19 09:57:59 ossec-agentd: INFO: Trying to connect to server (<server-ip>:1514).
> 2014/09/19 09:57:59 ossec-agentd: INFO: Using IPv4 for: <server-ip> .
> 2014/09/19 09:58:20 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: <server-ip>.
>
> In the past, I was able to resolve such an error by issuing agent-control -R
> <id> from the server, but it didn't work this time.
>

Is <server-ip> correct? Are there any log messages in the manager's ossec.log? Are the packets sent by the agent making it to the manager? Is it replying? Are the replies making it to the agent?

> Thanks,
>
> Abhi
>
> On Friday, September 19, 2014 10:42:34 AM UTC-4, dan (ddpbsd) wrote:
>>
>> On Fri, Sep 19, 2014 at 10:38 AM, Abhi <[email protected]> wrote:
>> > Thanks for the responses.
>> >
>> > Removed all ossec/queue/rids files and restarted the server. After that,
>> > 20 more agents started reporting back, but around 50 are still
>> > Disconnected.
>> >
>> > Server logs do not show any error, but one of the agents which has not
>> > yet connected gives the following.
>> >
>> > 2014/09/19 09:11:06 ossec-agentd: WARN: Duplicate error: global: 1, local: 275, saved global: 161, saved local:1399
>> > 2014/09/19 09:11:06 ossec-agentd(1407): ERROR: Duplicated counter for '<Agent-Hostname>'.
>> > 2014/09/19 09:11:06 ossec-agentd(1214): WARN: Problem receiving message from <OSSEC-Server IP>
>> >
>>
>> Try removing any rids files from that agent.
>>
>> > Thanks,
>> >
>> > Abhi
>> >
>> > On Friday, September 19, 2014 9:56:04 AM UTC-4, Michael Starks wrote:
>> >>
>> >> On 2014-09-19 8:13, Abhi wrote:
>> >>
>> >> > After starting OSSEC on the new server, around 22 agents started
>> >> > reporting correctly but that was only till an hour. After that, most
>> >> > of the agents dropped off, leaving the active count to only 4.
>> >>
>> >> This might be an issue with the rids. Try deleting the files in
>> >> ossec/queue/rids/ and restarting. The logs should give you a clue.
>> >
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google
>> > Groups "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send
>> > an email to [email protected].
>> > For more options, visit https://groups.google.com/d/optout.
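Added example (not part of the thread and not OSSEC code): a small Python triage over the agent log lines quoted above, separating the counter mismatch that clearing rids addresses from the "Waiting for server reply" case that the connectivity questions address. The function name `triage` and the pairwise comparison of the logged counters are assumptions of this example.

```python
import re

# Agent log lines as quoted in the thread above (placeholders kept as posted).
SAMPLE_LOG = """\
2014/09/19 09:11:06 ossec-agentd: WARN: Duplicate error: global: 1, local: 275, saved global: 161, saved local:1399
2014/09/19 09:11:06 ossec-agentd(1407): ERROR: Duplicated counter for '<Agent-Hostname>'.
2014/09/19 09:11:06 ossec-agentd(1214): WARN: Problem receiving message from <OSSEC-Server IP>
2014/09/19 09:57:59 ossec-agentd: INFO: Trying to connect to server (<server-ip>:1514).
2014/09/19 09:58:20 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: <server-ip>.
""".splitlines()

DUP_RE = re.compile(r"Duplicate error: global: (\d+), local: (\d+), "
                    r"saved global: (\d+), saved local:\s*(\d+)")
NAME_RE = re.compile(r"\(1407\): ERROR: Duplicated counter for '([^']*)'")
WAIT_RE = re.compile(r"\(4101\): WARN: Waiting for server reply .*Tried: (\S+?)\.?$")


def triage(lines):
    """Return (kind, detail, action) findings for lines of an agent ossec.log."""
    findings = []
    counters = {}
    for line in lines:
        if m := DUP_RE.search(line):
            g, l, sg, sl = map(int, m.groups())
            # Assumption: counters order as (global, local) pairs, so a
            # received pair at or behind the saved pair looks like a replay.
            counters = {"received": (g, l), "saved": (sg, sl),
                        "behind_saved": (g, l) <= (sg, sl)}
        elif m := NAME_RE.search(line):
            # Attach the counters from the preceding "Duplicate error" line.
            findings.append(("counter-mismatch", {"name": m.group(1), **counters},
                             "stop the agent, remove its queue/rids files, restart"))
            counters = {}
        elif m := WAIT_RE.search(line):
            findings.append(("no-server-reply", {"server": m.group(1)},
                             "verify the server address, read the manager's "
                             "ossec.log, confirm packets flow both ways"))
    return findings


if __name__ == "__main__":
    for kind, detail, action in triage(SAMPLE_LOG):
        print(f"{kind}: {detail} -> {action}")
```

In the quoted log the received pair (1, 275) is far behind the saved pair (161, 1399), which is consistent with a freshly started server talking to an agent that kept its old rids files.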
