Hi! I am facing the same problem. Out of 40 agents, 3 agents are behaving like this. It shows 'Never Connected' in the server even though I am receiving alerts for these 3 agents. I created a file in /var/ossec/queue/agent-info. It made them 'Active', but then the agents got disconnected within an hour.

On Thursday, 9 October 2014 00:42:29 UTC+5:30, dan (ddpbsd) wrote:
> On Wed, Oct 8, 2014 at 3:09 PM, Abhi <[email protected]> wrote:
> > Thanks Dan.
> >
> > The file was not present for this agent. When I created the file manually,
> > now it is being reported as Active.
> >
> > This brings up another question. Is the presence of this file the only thing
> > needed to determine status of an Agent? File contains only basic information
> > about the agent. Is there any other location where OSSEC keeps information
> > such as last message received from the agent etc.
> >
>
> I don't know off hand. I don't think it records that information, but
> I haven't looked into it either.
>
> > Thanks again,
> >
> > Abhi
> >
> > On Wednesday, October 8, 2014 2:37:02 PM UTC-4, dan (ddpbsd) wrote:
> >>
> >> On Wed, Oct 8, 2014 at 2:25 PM, Abhi <[email protected]> wrote:
> >> > Hi,
> >> >
> >> > We are using automated scripts through Chef to install OSSEC and use
> >> > ossec-authd to control key exchange. After a recent install, the Agent is
> >> > sending the alerts correctly, but OSSEC (ossec_agent_control) still reports
> >> > that the agent has "Never Connected". I have verified that it's the same
> >> > reporting host in both types of alerts.
> >> >
> >> > This agent was not added manually. It was connected using agent-auth.
> >> >
> >> > I verified using ./agent-control and there too, the agent is listed as "Never
> >> > Connected". Is there a way to find out what is causing this mismatch? We
> >> > rely on messages from ossec_agent_control for creating Splunk dashboards,
> >> > giving health and current status for agents.
> >> >
> >>
> >> Make sure there aren't any errors in the ossec.log on the agent or
> >> manager.
> >> Check /var/ossec/queue/agent-info. There should be a file there for
> >> this agent. You could either try deleting it and restarting the
> >> agent's OSSEC processes or maybe checking its permissions.
> >>
> >> > Thanks,
> >> >
> >> > Abhijit
> >> >
> >> > --
> >> >
> >> > ---
> >> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
> >> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> >> > For more options, visit https://groups.google.com/d/optout.
