See the FAQ entry for Duplicate Errors: 
http://ossec-docs.readthedocs.org/en/latest/faq/unexpected.html#fixing-duplicate-errors

While not an exact description of the error message you were running into, it 
does explain what the RIDS feature is and why it caused problems in your 
various test instances. During all your testing with different server 
incarnations, I imagine you were not clearing out the RIDS content on your 
clients. The RIDS counters were out of sync, preventing the clients from 
connecting successfully. There is an easier way to fix this problem than to do 
a clean re-install, which is outlined in the FAQ. Hopefully that helps to 
answer the WHY portion of your question.

> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On
> Behalf Of Colin Bruce
> Sent: Monday, November 24, 2014 8:11 AM
> To: [email protected]
> Subject: RE: [ossec-list] Cant Get it Working
> 
> Dear Dan,
> 
> Thanks for the reply. I managed to make some progress but I didn't find an
> explanation for the problem sadly. I did some experimentation and I have to
> admit I did wonder if it was related to using MySQL. However, I am not sure
> that was the problem as far as Linux is concerned. After a bit of trial and
> error I realised that the server was working fine even when it was built on
> one machine and running on another. It worked whether MySQL was in use or not.
> So that was good.
> 
> I had been using a Windows agent originally but as that wasn't working I
> tried a Linux agent and, again, that worked no matter if it was running on
> the machine where it was built or not.
> 
> I had spent some time going through the code and I couldn't find anywhere that
> the location where it was built was recorded and used so I couldn't understand
> why it didn't work before. It must have been some typing mistake of mine.
> 
> However, the Windows agent just refused to communicate with the server. I
> issued and installed new keys, restarted everything and still no joy. I was
> on the point of giving up when I thought I would try uninstalling the Windows
> agent completely and reinstalling again. Lo and behold it immediately started
> working.
> 
> I had noticed that there were several files of the form 002, 003 etc in the
> RIDS directory and I wondered if that was causing the problem from the start.
> However, having got it working I then tried to break it by giving it new keys
> and, as a consequence, creating new entries in the RIDS directory but it made
> no difference, it continued to work after restarts and reboots. So, it is
> working now but sadly I don't know what was stopping it before.
> 
> Best wishes….
> Colin
> 
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On
> Behalf Of dan (ddp)
> Sent: 24 November 2014 14:52
> To: [email protected]
> Subject: Re: [ossec-list] Cant Get it Working
> 
> On Sat, Nov 22, 2014 at 10:19 PM, Colin Bruce <[email protected]>
> wrote:
> >
> > Dear Dan,
> >
> > I'm afraid I am beaten with this.  I started all over again. I built a
> > server and ran it on the machine that it was built on with a Linux and
> > Windows agent on other servers. It all worked fine. I then ran the
> > server on another machine that it was not built on and once again the
> > agents worked okay. However, when I built the server with support for
> > mysql and ran it on a server that it was not built on, the Linux agent
> > connected okay but the windows agent will not. Here is a snip from the
> > log file on the agent
> >
> 
> If you run it on the system you built it with mysql support on does
> everything work?
> I don't use the database stuff, so tracking down issues with that would be
> even more difficult.
> 
> > I've checked and rechecked the key and restarted the server and agent
> > repeatedly but it is always the same. It just doesn't work with Windows
> > agents. Here is a snippet from the server log file.
> >
> >
> > It shows that it read the keys file and knows about the Windows agent (it
> > is FS-A) but no matter how many times I restart it the agent reports the
> > messages above and absolutely nothing appears in the log files on the
> > server. The keys are correct: I have compared them on the server and agent
> > and there is no difference.
> >
> > There is no firewall anywhere in this environment and the servers are all
> > on the same network. In fact they are all on the same server since they are
> > virtual servers running on a single host.
> >
> > By the way ossec-control stop doesn't stop ossec-dbd. It claims it is not
> > running when it clearly is.
> >
> > Best wishes....
> > Colin
> >
> >
> > -----Original Message-----
> > From: [email protected] [mailto:[email protected]]
> > On Behalf Of dan (ddp)
> > Sent: 21 November 2014 17:40
> > To: [email protected]
> > Subject: Re: [ossec-list] Cant Get it Working
> >
> > On Fri, Nov 21, 2014 at 12:17 PM, Colin Bruce <[email protected]> wrote:
> > > Dear Dan,
> > >
> > > Thanks for the suggestion. I get a lot of information in the logs now and
> > > when I start one of the clients I get this in the file:
> > >
> > > ossec-remoted(1403): ERROR: Incorrectly formatted message from '192.168.30.221'.
> > >
> > > It is repeated many times. That is the address of the client. I have
> > > created key on the server using that address and installed it on the
> > > client. In fact I just did it again just to be sure.
> > >
> >
> > So it seems like something is wrong with the key. I haven't really seen any
> > complaints about this not working for anyone else. What SSH client/terminal
> > are you using? Perhaps you can visually compare the keys on the manager and
> > the agent. Also make sure the manager's ossec processes stopped. Stop them,
> > make sure they're stopped (`ps auxww | grep ossec` should probably be
> > enough), then start them again. I've seen that be the issue in the past.
> >
> > > Best wishes....
> > > Colin
> > >
> > >
> > >
> > > -----Original Message-----
> > > From: [email protected]
> > > [mailto:[email protected]]
> > > On Behalf Of dan (ddp)
> > > Sent: 21 November 2014 16:22
> > > To: [email protected]
> > > Subject: Re: [ossec-list] Cant Get it Working
> > >
> > > On Fri, Nov 21, 2014 at 11:11 AM, Colin Bruce <[email protected]> wrote:
> > >> Dear Dan,
> > >>
> > >>
> > >>
> > >> Thanks for the reply. Sadly the answer to each of your questions is
> > >> yes. I just double checked to make sure.
> > >>
> > >>
> > >
> > > Does the manager respond to the packets?
> > > Try turning debug on on the manager
> > > (`/var/ossec/bin/ossec-control enable debug && /var/ossec/bin/ossec-control restart`),
> > > and check the logs for more information.
> > >
> > >
> > >>
> > >> As a last attempt I am going to delete everything and start again.
> > >> After that I think I'll give up.
> > >>
> > > Good luck
> > >
> > >>
> > >>
> > >> Best wishes...
> > >>
> > >> Colin
> > >>
> > >>
> > >>
> > >> From: [email protected]
> > >> [mailto:[email protected]]
> > >> On Behalf Of dan (ddp)
> > >> Sent: 21 November 2014 16:00
> > >> To: [email protected]
> > >> Subject: Re: [ossec-list] Cant Get it Working
> > >>
> > >>
> > >>
> > >>
> > > >> On Nov 21, 2014 10:46 AM, "Colin Bruce" <[email protected]> wrote:
> > >>>
> > >>> Hi,
> > >>>
> > >>>
> > >>>
> > >>> I have been trying to get this to work for a couple of months now
> > >>> and have got absolutely nowhere. I see lots of people with
> > >>> questions which suggests that they have it running. I just don't
> > >>> understand what I am doing wrong,
> > >>>
> > >>>
> > >>>
> > > >>> I've started again untarred the file ossec-hids-2.8.1.tar.gz, run
> > > >>> install.sh using all the defaults and when I run it I do get a
> > > >>> notification by e-mail that it has started. However, the log file
> > > >>> includes:
> > >>>
> > >>>
> > >>>
> > >>>
> > >>>
> > >>> Why is the socket not available? Surely if it is required it
> > >>> should either be in the install.sh or documented somewhere.
> > >>>
> > >>>
> > >>>
> > > >>> I've installed two agents - one on a Windows server and one on a
> > > >>> Linux server. Neither of them connect to the ossec server. On both I
> > > >>> get this:
> > >>>
> > >>>
> > >>>
> > >>>
> > >>>
> > > >>> The log on the ossec server shows absolutely no attempt to connect
> > > >>> from anywhere. It just ignores everything. All the servers are on
> > > >>> the same network 192.168.30.0/24 and I've given them keys. There
> > > >>> is no firewall of any kind between the servers and all other
> > > >>> communications work fine.
> > >>>
> > >>>
> > >>>
> > >>> This is an absolutely out of the box install with no configuration
> > >>> other than what install.sh does and it doesn't work.
> > >>>
> > >>>
> > >>>
> > >>> Does anyone have any idea what is wrong or even where to look.
> > >>>
> > >>>
> > >>
> > >> Is ossec-remoted working?
> > >> Are udp packets making it to the manager?
> > >> Are the keys and ips for the agents unique?
> > >> Did you restart the manager's ossec processes after adding the agents?
> > >> Are you sure you gave each agent the correct key?
> > >>
> > >>>
> > >>> Best wishes....
> > >>>
> > >>> Colin
> > >>>
> > >>> --
> > >>>
> > >>> ---
> > >>> You received this message because you are subscribed to the Google
> > >>> Groups "ossec-list" group.
> > >>> To unsubscribe from this group and stop receiving emails from it,
> > >>> send an email to [email protected].
> > >>> For more options, visit https://groups.google.com/d/optout.
> > >>
> > >> --
> > >>
> > >> ---
> > >> You received this message because you are subscribed to the Google
> > >> Groups "ossec-list" group.
> > >> To unsubscribe from this group and stop receiving emails from it,
> > >> send an email to [email protected].
> > >> For more options, visit https://groups.google.com/d/optout.
> > >>
> > >> --
> > >>
> > >> ---
> > >> You received this message because you are subscribed to the Google
> > >> Groups "ossec-list" group.
> > >> To unsubscribe from this group and stop receiving emails from it,
> > >> send an email to [email protected].
> > >> For more options, visit https://groups.google.com/d/optout.
> > >
> > > --
> > >
> > > ---
> > > You received this message because you are subscribed to the Google
> Groups "ossec-list" group.
> > > To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> > > For more options, visit https://groups.google.com/d/optout.
> > >
> > > --
> > >
> > > ---
> > > You received this message because you are subscribed to the Google
> Groups "ossec-list" group.
> > > To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> > > For more options, visit https://groups.google.com/d/optout.
> >
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> > For more options, visit https://groups.google.com/d/optout.
> >
> >
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> > For more options, visit https://groups.google.com/d/optout.
> 
> --
> 
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
> 
> --
> 
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.

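The counter mismatch described at the top of this message, as an added illustration that is not part of the original post and is not OSSEC code: a simplified model in which each side saves the highest counter it has accepted from its peer and rejects anything that is not greater. The `Endpoint` class, its method names and the use of a single counter per peer are assumptions made for the sketch.

```python
# Simplified model of a per-peer anti-replay counter store (the idea behind
# the files in the RIDS directory). Added illustration; not OSSEC source code.
from dataclasses import dataclass, field


@dataclass
class Endpoint:
    """One side of the link: its own send counter plus, per peer,
    the highest counter accepted so far (the role of a saved RIDS entry)."""
    name: str
    send_counter: int = 0
    seen: dict = field(default_factory=dict)  # peer name -> last accepted counter

    def send(self, payload):
        self.send_counter += 1
        return {"from": self.name, "counter": self.send_counter, "data": payload}

    def receive(self, msg):
        last = self.seen.get(msg["from"], 0)
        if msg["counter"] <= last:
            # Looks like a replayed (duplicate) message, so it is dropped.
            return f"duplicate: got {msg['counter']}, saved {last}"
        self.seen[msg["from"]] = msg["counter"]
        return "accepted"

    def clear_saved_counters(self):
        """Models emptying the saved counters while the service is stopped."""
        self.seen.clear()


def simulate():
    """Constructed scenario: the manager is rebuilt, the agent keeps old state."""
    results = []
    manager, agent = Endpoint("manager"), Endpoint("agent-002")
    for _ in range(500):                       # normal traffic before the rebuild
        agent.receive(manager.send("ack"))
    manager = Endpoint("manager")              # new incarnation: counter restarts
    results.append(agent.receive(manager.send("ack")))   # dropped as a duplicate
    agent.clear_saved_counters()               # saved counters cleared on the agent
    results.append(agent.receive(manager.send("ack")))   # accepted again
    return results


if __name__ == "__main__":
    print(simulate())
```

Issuing new keys does not touch the saved counters in this model, so a fresh key alone leaves the agent rejecting the rebuilt manager until the saved state is cleared.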