Hi lostinthetubez,

Yes, the client.keys file exists on the server and the client has the correct key. The permissions are as follows for /var/ossec/etc/:

root@ccisprlx11 # ls -la ../etc/
total 136
dr-xr-x---  3 root ossec  4096 Dec 14 17:23 .
dr-xr-x--- 13 root ossec  4096 Dec 14 16:59 ..
-r--r-----  1 root ossec    84 Dec 14 17:24 client.keys
-r--r-----  1 root ossec 97786 Jun 10  2015 decoder.xml
-r--r-----  1 root ossec  2842 Jun 10  2015 internal_options.conf
-r--r-----  1 root ossec  3519 May  4  2010 localtime
-r--r-----  1 root ossec  8360 Dec 14 16:59 ossec.conf
-rw-r-----  1 root root     88 Dec 14 16:59 ossec-init.conf
drwxrwx---  2 root ossec  4096 Dec 14 16:59 shared

Do you see anything odd with the permissions?

On Mon, Dec 14, 2015 at 4:28 PM, lostinthetubez <[email protected]> wrote:

> Looks like permissions or ownership are wrong on your client.keys file,
> which would certainly explain the agent not being able to connect. I assume
> you’ve checked that the client.keys file exists and contains the correct
> information for the agent you are using as an example here?
>
> >> 2015/12/14 07:31:08 ossec-agentd(1103): ERROR: Unable to open file '/etc/client.keys'.
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of *Jamey B
> *Sent:* Monday, December 14, 2015 12:55 PM
> *To:* [email protected]
> *Subject:* Re: [ossec-list] Clients authenticate, but don't connect (Corp env)
>
> Thanks for that, I think this is a bigger issue than I believed judging by
> the read out below from one of the agents not connecting. Do you think the
> command you provided will fix it? It seems the install or CONF file went
> wonky during the install, but the agent has been reinstalled multiple times.
>
> root@adr318 # cat /var/ossec/logs/ossec.log
> 2015/12/14 07:30:51 ossec-authd: INFO: Started (pid: 3787).
> 2015/12/14 07:30:58 ossec-execd(1314): INFO: Shutdown received. Deleting responses.
> 2015/12/14 07:30:58 ossec-execd(1225): INFO: SIGNAL Received. Exit Cleaning...
> 2015/12/14 07:31:08 ossec-execd: INFO: Started (pid: 3875).
> 2015/12/14 07:31:08 ossec-agentd: INFO: Using notify time: 600 and max time to reconnect: 1800
> 2015/12/14 07:31:08 ossec-agentd(1410): INFO: Reading authentication keys file.
> 2015/12/14 07:31:08 ossec-agentd(1103): ERROR: Unable to open file '/etc/client.keys'.
> 2015/12/14 07:31:08 ossec-agentd(1750): ERROR: No remote connection configured. Exiting.
> 2015/12/14 07:31:08 ossec-logcollector(1103): ERROR: Unable to open file '/queue/ossec/.agent_info'.
> 2015/12/14 07:31:08 ossec-config(1756): ERROR: Duplicated directory given: '/etc'.
> 2015/12/14 07:31:08 ossec-config(1756): ERROR: Duplicated directory given: '/bin'.
> 2015/12/14 07:31:08 ossec-syscheckd(1103): ERROR: Unable to open file '/queue/ossec/.agent_info'.
> 2015/12/14 07:31:08 ossec-syscheckd(1103): ERROR: Unable to open file '/queue/ossec/.agent_info'.
> 2015/12/14 07:31:11 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2015/12/14 07:31:11 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2015/12/14 07:31:17 ossec-logcollector(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2015/12/14 07:31:17 ossec-logcollector(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
> 2015/12/14 07:31:19 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2015/12/14 07:31:19 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2015/12/14 07:31:32 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2015/12/14 07:31:32 ossec-rootcheck(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
> 2015/12/14 09:50:10 ossec-execd(1314): INFO: Shutdown received. Deleting responses.
> 2015/12/14 09:50:10 ossec-execd(1225): INFO: SIGNAL Received. Exit Cleaning...
> 2015/12/14 09:50:20 ossec-execd: INFO: Started (pid: 15169).
> 2015/12/14 09:50:20 ossec-agentd: INFO: Using notify time: 600 and max time to reconnect: 1800
> 2015/12/14 09:50:20 ossec-agentd(1410): INFO: Reading authentication keys file.
> 2015/12/14 09:50:20 ossec-agentd(1103): ERROR: Unable to open file '/etc/client.keys'.
> 2015/12/14 09:50:20 ossec-agentd(1750): ERROR: No remote connection configured. Exiting.
> 2015/12/14 09:50:20 ossec-logcollector(1103): ERROR: Unable to open file '/queue/ossec/.agent_info'.
> 2015/12/14 09:50:20 ossec-config(1756): ERROR: Duplicated directory given: '/etc'.
> 2015/12/14 09:50:20 ossec-config(1756): ERROR: Duplicated directory given: '/bin'.
> 2015/12/14 09:50:20 ossec-syscheckd(1103): ERROR: Unable to open file '/queue/ossec/.agent_info'.
> 2015/12/14 09:50:20 ossec-syscheckd(1103): ERROR: Unable to open file '/queue/ossec/.agent_info'.
> 2015/12/14 09:50:23 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2015/12/14 09:50:23 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2015/12/14 09:50:29 ossec-logcollector(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2015/12/14 09:50:29 ossec-logcollector(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
> 2015/12/14 09:50:31 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2015/12/14 09:50:31 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2015/12/14 09:50:44 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2015/12/14 09:50:44 ossec-rootcheck(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
>
> On Mon, Dec 14, 2015 at 2:41 PM, Santiago Bassett <[email protected]> wrote:
>
> Try disabling counters. They lose synchronization specially when agents
> are reinstalled.
>
> Edit /var/ossec/etc/internal_options.conf and set "remoted.verify_msg_id=0"
>
> Then restart ossec manager.
>
> On Mon, Dec 14, 2015 at 9:43 AM, Jamey B <[email protected]> wrote:
>
> Hi everyone,
>
> I'm in a corporate environment, the environment we are deploying OSSEC to
> has around 1000 servers (I did the manual install and increased the agent
> limit). The firewall is allowing all UDP and TCP ports to pass through for
> our deployment. No traffic is being blocked to/from the OSSEC manager.
>
> We distributed OSSEC to an environment via Puppet and are able to get the
> agents to grab a client key over port 1515, but they are having issues
> connecting. A handful do eventually connect, but the majority don't, I
> don't see them come up in the OSSEC logs but they do appear as inactive
> agents.
>
> Any ideas as to why the majority of agents are not connecting, but do get
> their keys?
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
>
> --
>
> ---
> You received this message because you are subscribed to a topic in the
> Google Groups "ossec-list" group.
> To unsubscribe from this topic, visit
> https://groups.google.com/d/topic/ossec-list/7u88Yy5W7Rk/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to
> [email protected].
> For more options, visit https://groups.google.com/d/optout.
>
> --
> Sincerely,
> James Bearden III

--
Sincerely,
James Bearden III
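For anyone triaging a similar agent log, the following is an added example (not part of the original thread, and not OSSEC's own code) that parses ossec.log entries in the layout quoted above and reports the earliest error, the files that could not be opened, and the error count per daemon. The names `parse` and `triage` are hypothetical; the sample is built from lines in the thread, re-wrapped and quoted the way a mail client would.

```python
import re
from collections import Counter

# Entry layout seen in the thread: "<date> <time> <daemon>(<code>): <LEVEL>: <message>"
ENTRY = re.compile(r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) ([\w-]+)(?:\((\d+)\))?: (\w+): (.*)$")
QUOTE = re.compile(r"^(?:>\s*)+")          # mail quote markers such as "> > "
PATH = re.compile(r"Unable to open file '([^']+)'")

def parse(text):
    """Return entries as dicts; re-join lines that a mail client wrapped."""
    entries = []
    for raw in text.splitlines():
        line = QUOTE.sub("", raw).strip()
        if not line:
            continue
        m = ENTRY.match(line)
        if m:
            ts, daemon, code, level, msg = m.groups()
            entries.append({"ts": ts, "daemon": daemon,
                            "code": int(code) if code else None,
                            "level": level, "msg": msg})
        elif entries:                       # continuation of a wrapped entry
            entries[-1]["msg"] += " " + line
    return entries

def triage(text):
    """Summarise errors: earliest one, unreadable files, count per daemon."""
    errors = [e for e in parse(text) if e["level"] == "ERROR"]
    unreadable = []
    for e in errors:
        m = PATH.search(e["msg"])
        if m and m.group(1) not in unreadable:
            unreadable.append(m.group(1))
    return {"first_error": errors[0] if errors else None,
            "unreadable": unreadable,
            "per_daemon": Counter(e["daemon"] for e in errors)}

# Constructed sample: entries from the thread in quoted, mail-wrapped form.
SAMPLE = """\
> > 2015/12/14 07:31:08 ossec-agentd(1103): ERROR: Unable to open file
> '/etc/client.keys'.
> > 2015/12/14 07:31:08 ossec-agentd(1750): ERROR: No remote connection
> configured. Exiting.
> > 2015/12/14 07:31:08 ossec-logcollector(1103): ERROR: Unable to open file
> '/queue/ossec/.agent_info'.
> > 2015/12/14 07:31:11 ossec-syscheckd(1210): ERROR: Queue
> '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
"""
if __name__ == "__main__": print(triage(SAMPLE))
```

On the sample, the earliest error is the same 1103 entry for '/etc/client.keys' that lostinthetubez quoted.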
