On Tue, Dec 22, 2015 at 12:33 PM, Jamey B <[email protected]> wrote: > Hi Dan, > > When we add agents, this is what we run on the agents: > > /var/ossec/bin/agent-auth -m <IP> -p 1515
Ok, but I'd still like to know what options you're using with ossec-authd. > /etc/init.d/ossec/ossec-hids restart > > I've confirmed via tcmpdump the agents are connecting over 1514. We also > tried 'A <FQDN here>' at the end of the first command above, but have the > same result. > > > Here's what the agents are running: > > root@testlabex2 ./ossec-control status > > ossec-logcollector is running... > > ossec-syscheckd is running... > > ossec-agentd is running... > ossec-execd is running... > > > We are running version 2.8.2-49 > What errors are in the ossec.log on the agents? What about the server's ossec.log (possibly with debugging enabled)? > > On Tue, Dec 22, 2015 at 8:09 AM, dan (ddp) <[email protected]> wrote: >> >> On Mon, Dec 21, 2015 at 9:26 AM, Jamey B <[email protected]> wrote: >> > Hi Dan, >> > >> > When we use manage_agents and export the key to the agent, the agent >> > works >> > fine. We've had success this way, but obviously it's tedious for over >> > 5000 >> > servers. Isn't this similar how authd works? I'm wondering if there's >> > something we're not executing after the agent gets a key. >> > >> > I've regenerated the SSL key on the server (somehow it was missing), so >> > agents no longer have issues connecting for their key -- this is what >> > caused >> > all the agent alerts a few posts ago. We are following the guide below, >> > but >> > the agents just don't connect after getting their key: >> > >> > >> > http://dcid.me/blog/2011/01/automatically-creating-and-setting-up-the-agent-keys/ >> > >> >> >> That was just part of the troubleshooting process. We now know that >> agents CAN connect and work. So we have eliminated one issue. Only a >> million more to go! >> >> I might have missed it in the threat, but what version of OSSEC are you >> using? >> When you run ossec-authd, what options are you using? >> >> -- >> >> --- >> You received this message because you are subscribed to a topic in the >> Google Groups "ossec-list" group. >> To unsubscribe from this topic, visit >> https://groups.google.com/d/topic/ossec-list/7u88Yy5W7Rk/unsubscribe. >> To unsubscribe from this group and all its topics, send an email to >> [email protected]. >> For more options, visit https://groups.google.com/d/optout. > > > > > -- > Sincerely, > > James Bearden III > > -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > For more options, visit https://groups.google.com/d/optout. -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
