Hi Dan, When we add agents, this is what we run on the agents:
/var/ossec/bin/agent-auth -m <IP> -p 1515 /etc/init.d/ossec/ossec-hids restart I've confirmed via tcmpdump the agents are connecting over 1514. We also tried 'A <FQDN here>' at the end of the first command above, but have the same result. Here's what the agents are running: *root@testlabex2* ./ossec-control status ossec-logcollector is running... ossec-syscheckd is running... ossec-agentd is running... ossec-execd is running... We are running version 2.8.2-49 On Tue, Dec 22, 2015 at 8:09 AM, dan (ddp) <[email protected]> wrote: > On Mon, Dec 21, 2015 at 9:26 AM, Jamey B <[email protected]> wrote: > > Hi Dan, > > > > When we use manage_agents and export the key to the agent, the agent > works > > fine. We've had success this way, but obviously it's tedious for over > 5000 > > servers. Isn't this similar how authd works? I'm wondering if there's > > something we're not executing after the agent gets a key. > > > > I've regenerated the SSL key on the server (somehow it was missing), so > > agents no longer have issues connecting for their key -- this is what > caused > > all the agent alerts a few posts ago. We are following the guide below, > but > > the agents just don't connect after getting their key: > > > > > http://dcid.me/blog/2011/01/automatically-creating-and-setting-up-the-agent-keys/ > > > > > That was just part of the troubleshooting process. We now know that > agents CAN connect and work. So we have eliminated one issue. Only a > million more to go! > > I might have missed it in the threat, but what version of OSSEC are you > using? > When you run ossec-authd, what options are you using? > > -- > > --- > You received this message because you are subscribed to a topic in the > Google Groups "ossec-list" group. > To unsubscribe from this topic, visit > https://groups.google.com/d/topic/ossec-list/7u88Yy5W7Rk/unsubscribe. > To unsubscribe from this group and all its topics, send an email to > [email protected]. > For more options, visit https://groups.google.com/d/optout. > -- Sincerely, James Bearden III -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
