Your commandline prompt indicates that this is not the same machine that you 
were talking about in the previous post. Please look at the situation on 
adr318, whatever that box is.

 

From: [email protected] On Behalf Of Jamey B
Sent: Tuesday, December 15, 2015 7:06 AM
To: [email protected]
Subject: Re: [ossec-list] Clients authenticate, but don't connect (Corp env)

 

Hi lostinthetubez,

 

Yes, the client.keys file exists on the server and the client has the correct 
key. The permissions are as follows for /var/ossec/etc/:

 

root@ccisprlx11 # ls -la ../etc/
total 136
dr-xr-x---  3 root ossec  4096 Dec 14 17:23 .
dr-xr-x--- 13 root ossec  4096 Dec 14 16:59 ..
-r--r-----  1 root ossec    84 Dec 14 17:24 client.keys
-r--r-----  1 root ossec 97786 Jun 10  2015 decoder.xml
-r--r-----  1 root ossec  2842 Jun 10  2015 internal_options.conf
-r--r-----  1 root ossec  3519 May  4  2010 localtime
-r--r-----  1 root ossec  8360 Dec 14 16:59 ossec.conf
-rw-r-----  1 root root     88 Dec 14 16:59 ossec-init.conf
drwxrwx---  2 root ossec  4096 Dec 14 16:59 shared

Do you see anything odd with the permissions?

 

 

 

 

On Mon, Dec 14, 2015 at 4:28 PM, lostinthetubez <[email protected]> wrote:

Looks like permissions or ownership are wrong on your client.keys file, which 
would certainly explain the agent not being able to connect. I assume you’ve 
checked that the client.keys file exists and contains the correct information 
for the agent you are using as an example here?

 

>> 2015/12/14 07:31:08 ossec-agentd(1103): ERROR: Unable to open file 
>> '/etc/client.keys'.

 

 

 

From: [email protected] On Behalf Of Jamey B
Sent: Monday, December 14, 2015 12:55 PM
To: [email protected]
Subject: Re: [ossec-list] Clients authenticate, but don't connect (Corp env)

 

Thanks for that, I think this is a bigger issue than I believed judging by the 
readout below from one of the agents not connecting. Do you think the command 
you provided will fix it? It seems the install or CONF file went wonky during 
the install, but the agent has been reinstalled multiple times.

 

 

 

 

root@adr318 # cat /var/ossec/logs/ossec.log
2015/12/14 07:30:51 ossec-authd: INFO: Started (pid: 3787).
2015/12/14 07:30:58 ossec-execd(1314): INFO: Shutdown received. Deleting responses.
2015/12/14 07:30:58 ossec-execd(1225): INFO: SIGNAL Received. Exit Cleaning...
2015/12/14 07:31:08 ossec-execd: INFO: Started (pid: 3875).
2015/12/14 07:31:08 ossec-agentd: INFO: Using notify time: 600 and max time to reconnect: 1800
2015/12/14 07:31:08 ossec-agentd(1410): INFO: Reading authentication keys file.
2015/12/14 07:31:08 ossec-agentd(1103): ERROR: Unable to open file '/etc/client.keys'.
2015/12/14 07:31:08 ossec-agentd(1750): ERROR: No remote connection configured. Exiting.
2015/12/14 07:31:08 ossec-logcollector(1103): ERROR: Unable to open file '/queue/ossec/.agent_info'.
2015/12/14 07:31:08 ossec-config(1756): ERROR: Duplicated directory given: '/etc'.
2015/12/14 07:31:08 ossec-config(1756): ERROR: Duplicated directory given: '/bin'.
2015/12/14 07:31:08 ossec-syscheckd(1103): ERROR: Unable to open file '/queue/ossec/.agent_info'.
2015/12/14 07:31:08 ossec-syscheckd(1103): ERROR: Unable to open file '/queue/ossec/.agent_info'.
2015/12/14 07:31:11 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2015/12/14 07:31:11 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2015/12/14 07:31:17 ossec-logcollector(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2015/12/14 07:31:17 ossec-logcollector(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
2015/12/14 07:31:19 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2015/12/14 07:31:19 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2015/12/14 07:31:32 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2015/12/14 07:31:32 ossec-rootcheck(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
2015/12/14 09:50:10 ossec-execd(1314): INFO: Shutdown received. Deleting responses.
2015/12/14 09:50:10 ossec-execd(1225): INFO: SIGNAL Received. Exit Cleaning...
2015/12/14 09:50:20 ossec-execd: INFO: Started (pid: 15169).
2015/12/14 09:50:20 ossec-agentd: INFO: Using notify time: 600 and max time to reconnect: 1800
2015/12/14 09:50:20 ossec-agentd(1410): INFO: Reading authentication keys file.
2015/12/14 09:50:20 ossec-agentd(1103): ERROR: Unable to open file '/etc/client.keys'.
2015/12/14 09:50:20 ossec-agentd(1750): ERROR: No remote connection configured. Exiting.
2015/12/14 09:50:20 ossec-logcollector(1103): ERROR: Unable to open file '/queue/ossec/.agent_info'.
2015/12/14 09:50:20 ossec-config(1756): ERROR: Duplicated directory given: '/etc'.
2015/12/14 09:50:20 ossec-config(1756): ERROR: Duplicated directory given: '/bin'.
2015/12/14 09:50:20 ossec-syscheckd(1103): ERROR: Unable to open file '/queue/ossec/.agent_info'.
2015/12/14 09:50:20 ossec-syscheckd(1103): ERROR: Unable to open file '/queue/ossec/.agent_info'.
2015/12/14 09:50:23 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2015/12/14 09:50:23 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2015/12/14 09:50:29 ossec-logcollector(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2015/12/14 09:50:29 ossec-logcollector(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
2015/12/14 09:50:31 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2015/12/14 09:50:31 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2015/12/14 09:50:44 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2015/12/14 09:50:44 ossec-rootcheck(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..

On Mon, Dec 14, 2015 at 2:41 PM, Santiago Bassett <[email protected]> wrote:

Try disabling counters. They lose synchronization, especially when agents are 
reinstalled.

 

Edit /var/ossec/etc/internal_options.conf and set "remoted.verify_msg_id=0"

 

Then restart ossec manager.

 

 

 

On Mon, Dec 14, 2015 at 9:43 AM, Jamey B <[email protected]> wrote:

Hi everyone,

 

I'm in a corporate environment; the environment we are deploying OSSEC to has 
around 1000 servers (I did the manual install and increased the agent limit). 
The firewall is allowing all UDP and TCP ports to pass through for our 
deployment. No traffic is being blocked to/from the OSSEC manager.

We distributed OSSEC to an environment via Puppet and are able to get the 
agents to grab a client key over port 1515, but they are having issues 
connecting. A handful do eventually connect, but the majority don't. I don't 
see them come up in the OSSEC logs, but they do appear as inactive agents.

 

 

Any ideas as to why the majority of agents are not connecting, but do get their 
keys? 

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected] 
<mailto:[email protected]> .
For more options, visit https://groups.google.com/d/optout.

 

-- 

Sincerely, 

James Bearden III
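
Added example, not part of the original thread: a shell function that runs the checks discussed above against a client.keys file (present, non-empty, group-readable, closed to others, expected group, well-formed lines). The function name, the GNU stat dependency and the four-field "ID NAME IP KEY" line layout are assumptions; the expected group and mode mirror the root:ossec r--r----- entry in the listing above.

```bash
#!/usr/bin/env bash
# Added example: sanity-check an OSSEC client.keys file.
# Assumptions (not from the thread): GNU stat is available, each key line
# has four fields "ID NAME IP KEY", and the name check_client_keys.
# Usage: check_client_keys /var/ossec/etc/client.keys [expected-group]

check_client_keys() {
    local file="$1" want_group="${2:-ossec}" rc=0 mode group

    if [ ! -f "$file" ]; then
        echo "FAIL: $file does not exist"
        return 1
    fi
    if [ ! -s "$file" ]; then
        echo "FAIL: $file is empty (no key present)"
        rc=1
    fi

    mode=$(stat -c '%a' "$file")    # octal permission bits, e.g. 440
    group=$(stat -c '%G' "$file")   # owning group name

    # The listing above shows r--r-----: the group must be able to read.
    if [ $(( 0$mode & 040 )) -eq 0 ]; then
        echo "FAIL: mode $mode lacks group read"
        rc=1
    fi
    # Key material must not be accessible to other users.
    if [ $(( 0$mode & 007 )) -ne 0 ]; then
        echo "FAIL: mode $mode grants access to others"
        rc=1
    fi
    if [ "$group" != "$want_group" ]; then
        echo "FAIL: group is $group, expected $want_group"
        rc=1
    fi

    # Every non-blank line must carry exactly four fields.
    if ! awk 'NF && NF != 4 { bad = 1 } END { exit bad }' "$file"; then
        echo "FAIL: malformed line (expected: ID NAME IP KEY)"
        rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $file mode=$mode group=$group"
    return "$rc"
}
```

Run it on the agent that logs the error (adr318 in this thread), not only on the manager.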
