Hi,

Thanks for all the help. The following steps resolved the issue.

0. removing the client.keys file, and the files in queue/rids, queue/agent-info, queue/syscheck and queue/rootcheck
1. stopped ossec services on agent
2. purged ossec
3. removed all ossec references, directories.
4. reinstalled ossec agent

On Thu, Feb 4, 2016 at 1:40 AM, Pedro S <[email protected]> wrote:

> Hi,
>
> ossec-remoted should start by itself; if not, usually it is because you don't
> have any agents added. Try to run bin/manage_agents, add an example agent,
> restart OSSEC and remoted should start.
>
> Check client.keys to verify if this "example agent" was added. Check
> permissions of folders etc/ and queue/.
>
> On Wednesday, February 3, 2016 at 5:57:44 AM UTC+1, sandeep wrote:
>>
>> Hi Santiago,
>>
>> Thanks for the reply.
>>
>> I removed all the old files from the path you mentioned and restarted
>> both master and agent services. Below are the logs I see -
>>
>> On Master -
>> 2016/02/03 04:50:43 ossec-remoted(1408): ERROR: Invalid ID for the source ip: 'xxx.xxx.xxx.xxx'.
>> 2016/02/03 04:50:49 ossec-remoted(1408): ERROR: Invalid ID for the source ip: 'xxx.xxx.xxx.xxx'.
>>
>> On Agent -
>> 2016/02/03 04:48:35 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: 'ossec.druva.com/yyy.yyy.yyy.yyy'.
>> 2016/02/03 04:49:31 ossec-agentd: INFO: Trying to connect to server (ossec.druva.com/yyy.yyy.yyy.yyy:1514).
>> 2016/02/03 04:49:31 ossec-agentd: INFO: Using IPv4 for: yyy.yyy.yyy.yyy.
>>
>> I am trying this on an AWS EC2 setup. Port 1514 is open and the server is
>> listening on the same UDP port. OS is Ubuntu 14.04 LTS, installation is done
>> through repository on both master and agent.
>>
>> One more observation: when I restart the ossec service all the services come
>> up without an issue but ossec-remoted doesn't start. I have to run the
>> "./ossec-remoted" command from the /bin directory every time I do a service
>> restart.
>>
>> On Wed, Feb 3, 2016 at 12:28 AM, Santiago Bassett <[email protected]>
>> wrote:
>>
>>> Hi Sandeep,
>>>
>>> those issues are probably not related to each other. Removing the
>>> client.keys file, and the files in queue/rids, queue/agent-info,
>>> queue/syscheck and queue/rootcheck should be enough.
>>>
>>> Any error message in your agent or manager log files?
>>>
>>> On Mon, Feb 1, 2016 at 7:19 AM, sandeep <[email protected]> wrote:
>>>
>>>> Hi,
>>>>
>>>> what should be the approach to delete all agents and respective entries
>>>> to start from scratch?
>>>>
>>>> I have an ossec server and 50+ agents which were in 'inactive' state. I
>>>> decided to upgrade the server and client version (start as fresh). I moved
>>>> client.keys and all files from the rids directory and added one new client
>>>> manually, but it fails to communicate to the server.
>>
>> --
>> Regards,
>> Sandeep

--
Regards,
Sandeep

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
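
An added example, not part of the thread and not OSSEC's own code: a Python check that correlates the manager's `Invalid ID for the source ip` (1408) errors quoted above with the entries in `client.keys`. It assumes the `ID name IP key` line format for `client.keys`; the function names, sample keys and sample log lines are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Manager log line for error 1408, in the form quoted in the thread.
ERR_1408 = re.compile(
    r"ossec-remoted\(1408\): ERROR: Invalid ID for the source ip: '([^']+)'")

def parse_client_keys(text):
    """Return [(id, name, ip)] per 'ID name IP key' line (assumed format)."""
    agents = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            agents.append(tuple(parts[:3]))  # key material is dropped
    return agents

def ip_allowed(src, allowed):
    """True if src matches an entry's IP field ('any', address or CIDR)."""
    if allowed == "any":
        return True
    try:
        return ipaddress.ip_address(src) in ipaddress.ip_network(allowed, strict=False)
    except ValueError:
        return False  # masked or malformed address in the log or keys file

def triage(log_text, keys_text):
    """Map each source IP raising 1408 to (count, matching agent IDs)."""
    agents = parse_client_keys(keys_text)
    hits = Counter(ERR_1408.findall(log_text))
    return {ip: (n, [a for a, _, allowed in agents if ip_allowed(ip, allowed)])
            for ip, n in hits.items()}

# Constructed sample data (documentation address ranges, fake keys).
SAMPLE_KEYS = """\
001 web01 192.0.2.10 0000000000000000aaaaaaaaaaaaaaaa
002 lan-agents 198.51.100.0/24 1111111111111111bbbbbbbbbbbbbbbb
"""
SAMPLE_LOG = """\
2016/02/03 04:50:43 ossec-remoted(1408): ERROR: Invalid ID for the source ip: '203.0.113.7'.
2016/02/03 04:50:49 ossec-remoted(1408): ERROR: Invalid ID for the source ip: '203.0.113.7'.
2016/02/03 04:51:02 ossec-remoted(1408): ERROR: Invalid ID for the source ip: '198.51.100.23'.
2016/02/03 04:51:05 ossec-remoted: INFO: Started (pid: 2201).
"""

if __name__ == "__main__":
    for ip, (count, ids) in triage(SAMPLE_LOG, SAMPLE_KEYS).items():
        state = f"covered by agent(s) {ids}" if ids else "no client.keys entry"
        print(f"{ip}: {count} x 1408, {state}")
```

The output separates sources the manager has no key entry for from sources that have an entry but still fail the ID check, which are the two cases to look at after wiping `client.keys` and `queue/rids` as in the thread.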
