Morning - firstly, I am completely new to this, but I had a similar issue after a new install. After a bit of digging I came across a post that had a solution that worked for my install, and that was:
1. Turn off the agents on the clients
2. Remove the agents from the server.
3. Re-add the agent using the FQDN as opposed to the short 'lan' name
4. Add the IP with the subnet mask as in /26 of whatever you use
5. Assign a new ID
6. Export the key to the client
7. Restart both the client and the OSSEC server service

Like I said, I'm new to this and your problem may be a little more complicated and beyond my skillset - so good luck.

________________________________
From: [email protected] <[email protected]> on behalf of Saulius Pabarska <[email protected]>
Sent: 31 August 2015 09:25
To: ossec-list
Subject: [ossec-list] Agents not connecting to server after ossec server upgrade from 2.8.0 to 2.8.2

I upgraded ossec server from 2.8 to 2.8.2 and all my windows agents cannot connect to server. Only ossec-server agent is able to connect.

2015/08/31 10:06:33 ossec-agent: INFO: Trying to connect to server (100.0.1.3:1514).
2015/08/31 10:06:33 ossec-agent: INFO: Using IPv4 for: 100.0.1.3 .
2015/08/31 10:06:54 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '100.0.1.3'.
2015/08/31 10:10:32 ossec-agent: INFO: Trying to connect to server (100.0.1.3:1514).
2015/08/31 10:10:32 ossec-agent: INFO: Using IPv4 for: 100.0.1.3 .
2015/08/31 10:10:53 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '100.0.1.3'.
2015/08/31 10:14:49 ossec-agent: INFO: Trying to connect to server (100.0.1.3:1514).
2015/08/31 10:14:49 ossec-agent: INFO: Using IPv4 for: 100.0.1.3 .
2015/08/31 10:15:10 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '100.0.1.3'.
2015/08/31 10:19:24 ossec-agent: INFO: Trying to connect to server (100.0.1.3:1514).
2015/08/31 10:19:24 ossec-agent: INFO: Using IPv4 for: 100.0.1.3 .
2015/08/31 10:19:45 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '100.0.1.3'.

Ossec.log

2015/08/31 11:18:32 ossec-testrule: INFO: Reading local decoder file.
2015/08/31 11:18:32 ossec-testrule: INFO: Started (pid: 2388).
2015/08/31 11:18:33 ossec-execd: INFO: Started (pid: 2419).
2015/08/31 11:18:33 ossec-analysisd: INFO: Reading local decoder file.
2015/08/31 11:18:33 ossec-analysisd: INFO: Reading rules file: 'rules_config.xml'
2015/08/31 11:18:33 ossec-analysisd: INFO: Reading rules file: 'pam_rules.xml'
2015/08/31 11:18:33 ossec-analysisd: INFO: Reading rules file: 'sshd_rules.xml'
2015/08/31 11:18:33 ossec-analysisd: INFO: Reading rules file: 'telnetd_rules.xml'
2015/08/31 11:18:33 ossec-analysisd: INFO: Reading rules file: 'syslog_rules.xml'
2015/08/31 11:18:33 ossec-analysisd: INFO: Reading rules file: 'arpwatch_rules.xml'
2015/08/31 11:18:33 ossec-analysisd: INFO: Reading rules file: 'symantec-av_rules.xml'
2015/08/31 11:18:33 ossec-analysisd: INFO: Reading rules file: 'symantec-ws_rules.xml'
2015/08/31 11:18:33 ossec-analysisd: INFO: Reading rules file: 'pix_rules.xml'
2015/08/31 11:18:33 ossec-analysisd: INFO: Reading rules file: 'named_rules.xml'
2015/08/31 11:18:33 ossec-analysisd: INFO: Reading rules file: 'smbd_rules.xml'
2015/08/31 11:18:33 ossec-analysisd: INFO: Reading rules file: 'vsftpd_rules.xml'
2015/08/31 11:18:33 ossec-analysisd: INFO: Reading rules file: 'pure-ftpd_rules.xml'
2015/08/31 11:18:33 ossec-analysisd: INFO: Reading rules file: 'proftpd_rules.xml'
2015/08/31 11:18:33 ossec-analysisd: INFO: Reading rules file: 'ms_ftpd_rules.xml'
2015/08/31 11:18:33 ossec-analysisd: INFO: Reading rules file: 'ftpd_rules.xml'
2015/08/31 11:18:33 ossec-analysisd: INFO: Reading rules file: 'hordeimp_rules.xml'
2015/08/31 11:18:33 ossec-analysisd: INFO: Reading rules file: 'roundcube_rules.xml'
2015/08/31 11:18:33 ossec-analysisd: INFO: Reading rules file: 'wordpress_rules.xml'
2015/08/31 11:18:33 ossec-analysisd: INFO: Reading rules file: 'cimserver_rules.xml'
2015/08/31 11:18:33 ossec-analysisd: INFO: Reading rules file: 'vpopmail_rules.xml'
2015/08/31 11:18:33 ossec-analysisd: INFO: Reading rules file: 'vmpop3d_rules.xml'
2015/08/31 11:18:33 ossec-analysisd: INFO: Reading rules file: 'courier_rules.xml'
2015/08/31 11:18:33 ossec-analysisd: INFO: Reading rules file: 'web_rules.xml'
2015/08/31 11:18:33 ossec-analysisd: INFO: Reading rules file: 'web_appsec_rules.xml'
2015/08/31 11:18:33 ossec-analysisd: INFO: Reading rules file: 'apache_rules.xml'
2015/08/31 11:18:33 ossec-analysisd: INFO: Reading rules file: 'nginx_rules.xml'
2015/08/31 11:18:33 ossec-analysisd: INFO: Reading rules file: 'php_rules.xml'
2015/08/31 11:18:33 ossec-analysisd: INFO: Reading rules file: 'mysql_rules.xml'
2015/08/31 11:18:33 ossec-analysisd: INFO: Reading rules file: 'postgresql_rules.xml'
2015/08/31 11:18:33 ossec-analysisd: INFO: Reading rules file: 'ids_rules.xml'
2015/08/31 11:18:33 ossec-analysisd: INFO: Reading rules file: 'squid_rules.xml'
2015/08/31 11:18:33 ossec-analysisd: INFO: Reading rules file: 'firewall_rules.xml'
2015/08/31 11:18:33 ossec-analysisd: INFO: Reading rules file: 'cisco-ios_rules.xml'
2015/08/31 11:18:33 ossec-analysisd: INFO: Reading rules file: 'netscreenfw_rules.xml'
2015/08/31 11:18:33 ossec-analysisd: INFO: Reading rules file: 'sonicwall_rules.xml'
2015/08/31 11:18:33 ossec-analysisd: INFO: Reading rules file: 'postfix_rules.xml'
2015/08/31 11:18:33 ossec-analysisd: INFO: Reading rules file: 'sendmail_rules.xml'
2015/08/31 11:18:33 ossec-remoted: INFO: Started (pid: 2432).
2015/08/31 11:18:33 ossec-analysisd: INFO: Reading rules file: 'imapd_rules.xml'
2015/08/31 11:18:33 ossec-analysisd: INFO: Reading rules file: 'mailscanner_rules.xml'
2015/08/31 11:18:33 ossec-analysisd: INFO: Reading rules file: 'dovecot_rules.xml'
2015/08/31 11:18:33 ossec-analysisd: INFO: Reading rules file: 'ms-exchange_rules.xml'
2015/08/31 11:18:33 ossec-analysisd: INFO: Reading rules file: 'racoon_rules.xml'
2015/08/31 11:18:33 ossec-analysisd: INFO: Reading rules file: 'vpn_concentrator_rules.xml'
2015/08/31 11:18:33 ossec-analysisd: INFO: Reading rules file: 'spamd_rules.xml'
2015/08/31 11:18:33 ossec-analysisd: INFO: Reading rules file: 'msauth_rules.xml'
2015/08/31 11:18:33 ossec-remoted(1501): ERROR: No IP or network allowed in the access list for syslog. No reason for running it. Exiting.
2015/08/31 11:18:33 ossec-analysisd: INFO: Reading rules file: 'mcafee_av_rules.xml'
2015/08/31 11:18:33 ossec-analysisd: INFO: Reading rules file: 'trend-osce_rules.xml'
2015/08/31 11:18:33 ossec-analysisd: INFO: Reading rules file: 'ms-se_rules.xml'
2015/08/31 11:18:33 ossec-analysisd: INFO: Reading rules file: 'zeus_rules.xml'
2015/08/31 11:18:33 ossec-analysisd: INFO: Reading rules file: 'solaris_bsm_rules.xml'
2015/08/31 11:18:33 ossec-analysisd: INFO: Reading rules file: 'vmware_rules.xml'
2015/08/31 11:18:33 ossec-analysisd: INFO: Reading rules file: 'ms_dhcp_rules.xml'
2015/08/31 11:18:33 ossec-analysisd: INFO: Reading rules file: 'asterisk_rules.xml'
2015/08/31 11:18:33 ossec-analysisd: INFO: Reading rules file: 'ossec_rules.xml'
2015/08/31 11:18:33 ossec-analysisd: INFO: Reading rules file: 'attack_rules.xml'
2015/08/31 11:18:33 ossec-analysisd: INFO: Reading rules file: 'openbsd_rules.xml'
2015/08/31 11:18:33 ossec-analysisd: INFO: Reading rules file: 'clam_av_rules.xml'
2015/08/31 11:18:33 ossec-analysisd: INFO: Reading rules file: 'dropbear_rules.xml'
2015/08/31 11:18:33 ossec-analysisd: INFO: Reading rules file: 'local_rules.xml'
2015/08/31 11:18:33 ossec-analysisd: INFO: Total rules enabled: '1313'
2015/08/31 11:18:33 ossec-analysisd: INFO: Ignoring file: '/etc/mtab'
2015/08/31 11:18:33 ossec-analysisd: INFO: Ignoring file: '/etc/mnttab'
2015/08/31 11:18:33 ossec-analysisd: INFO: Ignoring file: '/etc/hosts.deny'
2015/08/31 11:18:33 ossec-analysisd: INFO: Ignoring file: '/etc/mail/statistics'
2015/08/31 11:18:33 ossec-analysisd: INFO: Ignoring file: '/etc/random-seed'
2015/08/31 11:18:33 ossec-analysisd: INFO: Ignoring file: '/etc/adjtime'
2015/08/31 11:18:33 ossec-analysisd: INFO: Ignoring file: '/etc/httpd/logs'
2015/08/31 11:18:33 ossec-analysisd: INFO: Ignoring file: '/etc/utmpx'
2015/08/31 11:18:33 ossec-analysisd: INFO: Ignoring file: '/etc/wtmpx'
2015/08/31 11:18:33 ossec-analysisd: INFO: Ignoring file: '/etc/cups/certs'
2015/08/31 11:18:33 ossec-analysisd: INFO: Ignoring file: '/etc/dumpdates'
2015/08/31 11:18:33 ossec-analysisd: INFO: Ignoring file: '/etc/svc/volatile'
2015/08/31 11:18:33 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/System32/LogFiles'
2015/08/31 11:18:33 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/Debug'
2015/08/31 11:18:33 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/WindowsUpdate.log'
2015/08/31 11:18:33 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/iis6.log'
2015/08/31 11:18:33 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/wbem/Logs'
2015/08/31 11:18:33 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/wbem/Repository'
2015/08/31 11:18:33 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/Prefetch'
2015/08/31 11:18:33 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/PCHEALTH/HELPCTR/DataColl'
2015/08/31 11:18:33 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/SoftwareDistribution'
2015/08/31 11:18:33 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/Temp'
2015/08/31 11:18:33 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/config'
2015/08/31 11:18:33 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/spool'
2015/08/31 11:18:33 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/CatRoot'
2015/08/31 11:18:33 ossec-analysisd: INFO: White listing IP: '127.0.0.1'
2015/08/31 11:18:33 ossec-analysisd: INFO: White listing IP: '10.52.36.10'
2015/08/31 11:18:33 ossec-analysisd: INFO: White listing IP: '10.52.36.11'
2015/08/31 11:18:33 ossec-analysisd: INFO: White listing IP: '10.30.48.20'
2015/08/31 11:18:33 ossec-analysisd: INFO: 4 IPs in the white list for active response.
2015/08/31 11:18:33 ossec-analysisd: INFO: White listing Hostname: 'localhost.localdomain'
2015/08/31 11:18:33 ossec-analysisd: INFO: 1 Hostname(s) in the white list for active response.
2015/08/31 11:18:33 ossec-analysisd: INFO: Started (pid: 2423).
2015/08/31 11:18:34 ossec-monitord: INFO: Started (pid: 2443).
2015/08/31 11:18:36 ossec-testrule: INFO: Reading local decoder file.
2015/08/31 11:18:36 ossec-testrule: INFO: Started (pid: 2458).
2015/08/31 11:18:36 ossec-remoted: INFO: Started (pid: 2510).
2015/08/31 11:18:36 ossec-remoted(1501): ERROR: No IP or network allowed in the access list for syslog. No reason for running it. Exiting.
2015/08/31 11:18:38 ossec-syscheckd: INFO: Started (pid: 2439).
2015/08/31 11:18:38 ossec-rootcheck: INFO: Started (pid: 2439).
2015/08/31 11:18:38 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
2015/08/31 11:18:38 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin'.
2015/08/31 11:18:38 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin'.
2015/08/31 11:18:38 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
2015/08/31 11:18:38 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
2015/08/31 11:18:39 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'.
2015/08/31 11:18:39 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/secure'.
2015/08/31 11:18:39 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/maillog'.
2015/08/31 11:18:39 ossec-logcollector: INFO: Monitoring output of command(360): df -h
2015/08/31 11:18:39 ossec-logcollector: INFO: Monitoring full output of command(360): netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort
2015/08/31 11:18:39 ossec-logcollector: INFO: Monitoring full output of command(360): last -n 5
2015/08/31 11:18:39 ossec-logcollector: INFO: Started (pid: 2428).
2015/08/31 11:18:39 ossec-analysisd(1210): ERROR: Queue '/queue/alerts/ar' not accessible: 'Connection refused'.
2015/08/31 11:18:39 ossec-analysisd(1301): ERROR: Unable to connect to active response queue.
2015/08/31 11:18:39 ossec-analysisd: INFO: Connected to '/queue/alerts/execq' (exec queue)
2015/08/31 11:18:40 ossec-syscheckd: INFO: Started (pid: 2520).
2015/08/31 11:18:40 ossec-rootcheck: INFO: Started (pid: 2520).
2015/08/31 11:18:40 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
2015/08/31 11:18:40 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin'.
2015/08/31 11:18:40 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin'.
2015/08/31 11:18:40 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
2015/08/31 11:18:40 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
2015/08/31 11:19:40 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2015/08/31 11:19:40 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
2015/08/31 11:19:42 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2015/08/31 11:19:42 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
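Added example, not part of the thread or of OSSEC itself: a small Python triage pass that pulls the WARN and ERROR entries out of logs in the format quoted above, groups them by daemon and message code, and reports which daemons logged an exit. The SAMPLE lines are copied from the agent and server logs in this thread; the function name triage is an assumption made for illustration.

```python
import re

# Line format seen in the thread's logs:
#   2015/08/31 11:18:33 ossec-remoted(1501): ERROR: <message>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<daemon>[\w-]+)(?:\((?P<code>\d+)\))?: "
    r"(?P<level>[A-Z]+): (?P<msg>.*)$"
)

# Lines copied from the agent and server logs quoted in this thread.
SAMPLE = """\
2015/08/31 10:06:33 ossec-agent: INFO: Trying to connect to server (100.0.1.3:1514).
2015/08/31 10:06:54 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '100.0.1.3'.
2015/08/31 10:10:53 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '100.0.1.3'.
2015/08/31 11:18:33 ossec-remoted: INFO: Started (pid: 2432).
2015/08/31 11:18:33 ossec-remoted(1501): ERROR: No IP or network allowed in the access list for syslog. No reason for running it. Exiting.
2015/08/31 11:18:39 ossec-analysisd(1210): ERROR: Queue '/queue/alerts/ar' not accessible: 'Connection refused'.
2015/08/31 11:18:39 ossec-analysisd(1301): ERROR: Unable to connect to active response queue.
""".splitlines()


def triage(lines, levels=("WARN", "ERROR")):
    """Group WARN/ERROR entries by (daemon, code); collect daemons that exited."""
    problems, exited = {}, set()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["level"] not in levels:
            continue  # skip INFO noise and anything not in the expected format
        key = (m["daemon"], m["code"] or "-")  # "-" when the line has no code
        entry = problems.setdefault(
            key, {"count": 0, "first": m["ts"], "msg": m["msg"]}
        )
        entry["count"] += 1
        entry["last"] = m["ts"]
        if m["msg"].endswith("Exiting."):
            exited.add(m["daemon"])
    return problems, exited


if __name__ == "__main__":
    problems, exited = triage(SAMPLE)
    for (daemon, code), e in sorted(problems.items()):
        print(f"{e['count']:3d}x {daemon}({code}) "
              f"{e['first']} .. {e['last']}: {e['msg']}")
    print("daemons that logged an exit:", ", ".join(sorted(exited)) or "none")
```
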
