On Mon, Sep 28, 2015 at 2:46 AM, theresa mic-snare <[email protected]> wrote:
> hi guys,
>
> I have a problem with the agentd not being able to connect to the ossec
> master on a couple of machines (linux and solaris)
>
> 2015/09/28 08:34:26 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '1.2.3.4'.
> 2015/09/28 08:34:28 ossec-agentd: INFO: Trying to connect to server (1.2.3.4:1514).
> 2015/09/28 08:34:28 ossec-agentd: INFO: Using IPv4 for: 1.2.3.4 .
> 2015/09/28 08:34:49 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '1.2.3.4'.
> 2015/09/28 08:35:09 ossec-agentd: INFO: Trying to connect to server (1.2.3.4:1514).
> 2015/09/28 08:35:09 ossec-agentd: INFO: Using IPv4 for: 1.2.3.4 .
> 2015/09/28 08:35:11 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
> 2015/09/28 08:35:11 ossec-syscheckd: WARN: Process locked. Waiting for permission...
> 2015/09/28 08:35:30 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '1.2.3.4'.
>
> the following processes are running on the agent:
> root 25538 1 0 08:34:05 ? 0:00 /var/ossec/bin/ossec-logcollector
> root 25530 1 0 08:34:05 ? 0:00 /var/ossec/bin/ossec-execd
> root 25542 1 0 08:34:05 ? 0:00 /var/ossec/bin/ossec-syscheckd
> ossec 25534 1 0 08:34:05 ? 0:00 /var/ossec/bin/ossec-agentd
>
>
> the master is not "actively" blocking the requests, e.g by iptables or the
> like.
> for the master I'm using the ossec virtual appliance by the way.
>
> i have one agent successfully connected, which is in the same VLAN as the
> master.
>
> i talked to my colleague who's managing the firewall, he said he doesn't see
> any drops....
>
> do you have any ideas, what could be causing the unsuccessful attempts?!
>

Set the manager to debug mode (/var/ossec/bin/ossec-control enable debug),
restart the processes, and look at the ossec.log for errors.
Make sure the agent's IP address that was entered into manage_agents is
where the packets appear to be coming from (no NAT in between).
I guess make sure the packets are making it to the manager.

> thanks,
> theresa
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
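
The address check suggested in the reply, as an added example that is not part of the original thread or of OSSEC itself: it compares the addresses registered for each agent with the source addresses actually seen arriving at the manager on port 1514. The "ID NAME IP KEY" registration layout, the agent names, the addresses other than 1.2.3.4 and the tcpdump -n style capture lines are all constructed assumptions.

```python
import ipaddress
import re

# Constructed registrations, assumed layout "ID NAME IP KEY" (keys are fake).
REGISTERED = """\
001 web01 10.0.5.20 k1-constructed
002 sol01 10.0.7.0/24 k2-constructed
003 lap01 any k3-constructed
"""

# Constructed `tcpdump -n port 1514` lines as seen on the manager (1.2.3.4).
CAPTURE = """\
08:34:28.440 IP 10.0.7.31.51002 > 1.2.3.4.1514: UDP, length 73
08:34:29.007 IP 192.0.2.10.40112 > 1.2.3.4.1514: UDP, length 73
08:34:49.120 IP 192.0.2.10.40112 > 1.2.3.4.1514: UDP, length 73
"""

PKT = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.\d+ > \d+\.\d+\.\d+\.\d+\.(\d+):")

def parse_registered(text):
    """Return [(name, network or None)]; None means the entry accepts any source."""
    agents = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip blank or malformed lines
        name, addr = fields[1], fields[2]
        net = None if addr == "any" else ipaddress.ip_network(addr, strict=False)
        agents.append((name, net))
    return agents

def parse_sources(text, port=1514):
    """Return distinct source addresses that sent to `port`, in order first seen."""
    seen = []
    for m in PKT.finditer(text):
        src = ipaddress.ip_address(m.group(1))
        if int(m.group(2)) == port and src not in seen:
            seen.append(src)
    return seen

def compare(agents, sources):
    """Split traffic into sources matching a registration and sources matching none."""
    matched, unknown = {}, []
    for src in sources:
        names = [n for n, net in agents if net is not None and src in net]
        if names:
            matched[str(src)] = names
        else:
            unknown.append(str(src))  # possibly an agent seen through NAT
    heard = {n for names in matched.values() for n in names}
    # Agents with a fixed address from which no packet arrived at all.
    silent = [n for n, net in agents if net is not None and n not in heard]
    return {"matched": matched, "unknown": unknown, "silent": silent}

def report():
    return compare(parse_registered(REGISTERED), parse_sources(CAPTURE))
```

A "silent" agent together with an "unknown" source is the pattern to look for when address translation sits between agent and manager; entries registered as "any" are left out of both lists because they cannot be verified by address.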
