To answer my own question, simply adding the contents of client.keys on one of my agents to the server client.keys file did not work. A different error in the logs on the agent:

> 2015/01/27 20:34:51 ossec-agentd: WARN: Duplicate error: global: 0, local: 90, saved global: 84, saved local:4166
> 2015/01/27 20:34:51 ossec-agentd(1407): ERROR: Duplicated counter for 'xx.yyyy.com'.
> 2015/01/27 20:34:51 ossec-agentd(1214): WARN: Problem receiving message from ossec.server.com/11.11.11.11.

On Tue, Jan 27, 2015 at 1:30 PM, Todd Courtnage <[email protected]> wrote:

> Yes, I did delete the etc/clients.keys file. I think I know where this is going.....but please proceed. :-)
>
> I could repopulate the client.keys file on the server from all of the client.keys files on each agent?
>
> On Tue, Jan 27, 2015 at 1:28 PM, dan (ddp) <[email protected]> wrote:
>
>> On Tue, Jan 27, 2015 at 3:25 PM, Todd <[email protected]> wrote:
>> > Hi all.
>> >
>> > I did something incredibly dumb (rm -Rf might have been involved) and completely deleted the /var/ossec/ directory on my OSSEC server.
>> >
>> > Fortunately, all my rules configuration was in git, but I had to generate a new set of SSL keys (as per http://ossec-docs.readthedocs.org/en/latest/programs/ossec-authd.html#creating-ssl-keys). Now all my agents no longer talk to the server (lots of ERROR: Invalid ID for the source ip:) in the logs.
>> >
>> > I'm ok with manually reregistering all my agents to the server, but I wonder if there's a better way. Or what happens when your SSL keys you generate expire and you have to generate a new set of SSL keys? How does one go about updating all of the agents?
>> >
>>
>> The SSL keys won't cause issues like this, the agents don't use SSL to connect to the manager. Did you delete your etc/client.keys file as well? That's the file containing the keys that authenticate the agents.
>>
>> > Thanks for any pointers.
>> >
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> > For more options, visit https://groups.google.com/d/optout.
>
> --
> *Todd Courtnage*
> Director of Cloud Computing
>
> Chaordix – Crowd Intelligence
>
> email: [email protected]
> office: +1.403.263.2655
> toll free: +1.866.263.7775
> mob: + 1.403.975.1591
>
> http://www.chaordix.com
>
> Follow us on twitter: http://twitter.com/chaordix
> Our blog: http://www.chaordix.com/blog/
