You're a genius!!! It somehow appears that the owner for these files (and 
the parent folder) was ossec while the remote agent was running as ossecr. 
As soon as I changed the permissions the agents show as active.

THANK YOU!

On Wednesday, April 22, 2015 at 7:51:18 AM UTC-6, dan (ddpbsd) wrote:
>
> On Tue, Apr 21, 2015 at 6:44 PM, Dan Mackin <[email protected]> wrote:
> > So all of my agents were already added and working at one point. I recently
> > removed one and re-added it with a different ID using the process you
> > describe. Restarted both agent and server. In /var/ossec/logs/ossec.log I
> > see that it's connected to the server and it says that it's "Sending agent
> > notification" which is there because I enabled Debugging. I don't see
> > anything about the agent in the server's ossec.log beyond the Assigning
> > counter for agent line when it first starts.
> > 
> > No issues with IP connectivity and active response IS disabled. Thanks!! 
> > -Dan 
> > 
>
> There should be a file for the agent in `/var/ossec/queue/agent-info` 
> on the manager. 
> On one of my systems the file's owner:group are ossecr:ossec, and is 
> rw for ossecr. 
> Check that file for the agent. 
>
> > 
> > On Tuesday, April 21, 2015 at 2:30:18 PM UTC-6, Brent Morris wrote: 
> >> 
> >> What's your process for adding agents?  From the manager:  Add the agent,
> >> extract the key... From the agent:  paste the key on the agent - plug in IP
> >> address.  Save and restart agent ?
> >> 
> >> What do you see in your /var/ossec/logs/ossec.log 
> >> 
> >> No issues with IP connectivity?  And active response is disabled?? 
> >> 
> >> 
> >> 
> >> On Tuesday, April 21, 2015 at 12:52:58 PM UTC-7, Dan Mackin wrote: 
> >>> 
> >>> I'm having a super hard time working to get some agents back connected to
> >>> my OSSEC server. I'm not really sure where to start so I'll show you what
> >>> I've got so far:
> >>>
> >>> All of the hosts shown when I run ossec_control -l show Disconnected or
> >>> Never Connected. However, I'm able to restart agents using the ossec_control
> >>> -R <id> command AND my logs on my agents show that they're connected to my
> >>> server. Why won't they show as connected? I've tried removing agents and
> >>> re-adding them. Restarting services on both server and guest doesn't help
> >>> and doesn't show any errors. Debug mode doesn't give me anything good
> >>> either. What am I missing?
> >>> 
> >>> Requisite details: 
> >>> 
> >>> $ uname -ar; cat /etc/*release 
> >>> Linux 3.13.0-29-generic #53-Ubuntu SMP Wed Jun 4 21:00:20 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
> >>> DISTRIB_ID=Ubuntu 
> >>> DISTRIB_RELEASE=14.04 
> >>> DISTRIB_CODENAME=trusty 
> >>> DISTRIB_DESCRIPTION="Ubuntu 14.04.1 LTS" 
> >>> NAME="Ubuntu" 
> >>> VERSION="14.04.1 LTS, Trusty Tahr" 
> >>> ID=ubuntu 
> >>> ID_LIKE=debian 
> >>> PRETTY_NAME="Ubuntu 14.04.1 LTS" 
> >>> VERSION_ID="14.04" 
> >>> HOME_URL="http://www.ubuntu.com/"
> >>> SUPPORT_URL="http://help.ubuntu.com/"
> >>> BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
> >>> 
> >>> $ sudo /var/ossec/bin/ossec-logtest -V 
> >>> 
> >>> OSSEC HIDS v2.8 - Trend Micro Inc. 
> >>> 
> >>> This program is free software; you can redistribute it and/or modify 
> >>> it under the terms of the GNU General Public License (version 2) as 
> >>> published by the Free Software Foundation. For more details, go to 
> >>> http://www.ossec.net/main/license/ 
> >>> 
> >>> 
> > -- 
> > 
> > --- 
> > You received this message because you are subscribed to the Google Groups
> > "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> > email to [email protected].
> > For more options, visit https://groups.google.com/d/optout. 
>
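
The ownership check suggested in this thread can be scripted. The following is an added example, not part of the original messages or of OSSEC itself; the function name `check_agent_info` is hypothetical, and the default path `/var/ossec/queue/agent-info` and owner `ossecr` are assumptions taken from the thread.

```shell
#!/bin/sh
# Added example: audit ownership of OSSEC agent-info files on the manager.
# Assumptions: path /var/ossec/queue/agent-info and owner "ossecr" come from
# the thread; adjust them if the remote daemon runs as another user.

# check_agent_info DIR [OWNER]
# Prints one line per entry not owned by OWNER or not rw for its owner.
# Returns 0 if everything matches, 1 on any mismatch, 2 if DIR is missing.
check_agent_info() {
    dir=$1
    want_owner=${2:-ossecr}
    bad=0
    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir" >&2
        return 2
    fi
    # Check the directory itself, then every entry in it.
    for f in "$dir" "$dir"/*; do
        [ -e "$f" ] || continue          # unexpanded glob in an empty dir
        # Fields 1, 3 and 4 of `ls -ld` are mode, owner and group.
        meta=$(ls -ld "$f" | awk 'NR==1 {print $1, $3, $4}')
        mode=${meta%% *}
        rest=${meta#* }
        owner=${rest%% *}
        group=${rest#* }
        problem=
        [ "$owner" = "$want_owner" ] || problem="owner is $owner, expected $want_owner"
        case $mode in
            ?rw*) ;;                     # owner has read and write
            *) problem="${problem:+$problem; }owner lacks rw ($mode)" ;;
        esac
        if [ -n "$problem" ]; then
            echo "$f ($owner:$group): $problem"
            bad=1
        fi
    done
    return "$bad"
}

# Run against a directory when one is given on the command line.
if [ "$#" -gt 0 ]; then
    check_agent_info "$@"
fi
```

Run it on the manager as `sh check_agent_info.sh /var/ossec/queue/agent-info ossecr`; any line it prints names an entry the remote daemon's user cannot own or update.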
