Hi Abhi,

yes, OSSEC reads the files /var/ossec/queue/agent-info/* to know if an agent is active or not. More information: https://groups.google.com/forum/#!topic/ossec-list/ijwdhMoXD4Q

Remove all files (so, now the state of every agent is Never connected), and restart manager and agents. After 30 minutes at the most, you should see the active agents. Also, review ossec.log.

Regards.

On Friday, May 6, 2016 at 4:13:52 PM UTC+2, Vani Paridhyani wrote:
> Hi!
>
> I am facing the same problem. Out of 40 agents, 3 agents are behaving like this. It shows 'Never Connected' in server even though I am receiving alerts for these 3 agents. I created file in /var/ossec/queue/agent-info. It made them 'Active' but then agents got disconnected within an hour.
>
> On Thursday, 9 October 2014 00:42:29 UTC+5:30, dan (ddpbsd) wrote:
>> On Wed, Oct 8, 2014 at 3:09 PM, Abhi <[email protected]> wrote:
>> > Thanks Dan.
>> >
>> > The file was not present for this agent. When I created the file manually, now it is being reported as Active.
>> >
>> > This brings up another question. Is the presence of this file the only thing needed to determine status of an Agent? File contains only basic information about the agent. Is there any other location where OSSEC keeps information such as last message received from the agent etc.
>> >
>>
>> I don't know off hand. I don't think it records that information, but I haven't looked into it either.
>>
>> > Thanks again,
>> >
>> > Abhi
>> >
>> > On Wednesday, October 8, 2014 2:37:02 PM UTC-4, dan (ddpbsd) wrote:
>> >>
>> >> On Wed, Oct 8, 2014 at 2:25 PM, Abhi <[email protected]> wrote:
>> >> > Hi,
>> >> >
>> >> > We are using automated scripts through Chef to install OSSEC and use ossec-authd to control key exchange. After a recent install, the Agent is sending the alerts correctly, but OSSEC(ossec_agent_control) still reports that the agent has "Never Connected". I have verified that it's same reporting host in both type of alerts.
>> >> >
>> >> > This agent was not added manually. It was connected using agent-auth.
>> >> >
>> >> > I verified using ./agent-control and there too, agent is listed as "Never Connected". Is there a way to find out what is causing this mismatch. We rely on messages from ossec_agent_control for creating Splunk dashboards, giving health and current status for agents.
>> >> >
>> >>
>> >> Make sure there aren't any errors in the ossec.log on the agent or manager.
>> >> Check /var/ossec/queue/agent-info. There should be a file there for this agent. You could either try deleting it and restarting the agent's OSSEC processes or maybe checking its permissions.
>> >>
>> >> > Thanks,
>> >> >
>> >> > Abhijit
>> >> >
>> >> > --
>> >> > ---
>> >> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
>> >> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> >> > For more options, visit https://groups.google.com/d/optout.
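The check discussed in this thread (is there an agent-info file for each agent, how recently was it touched, and what are its permissions) can be scripted. The following is an added example, not part of the original messages and not OSSEC code. It assumes that key lines have the layout `<id> <name> <ip> <key>`, that agent-info files are named `<name>-<ip>`, and that a file untouched for more than 30 minutes is stale (taken from "30 minutes at the most" above); the sample keys are constructed.

```python
import os
import stat
import sys
import time

STALE_AFTER = 30 * 60  # seconds; assumption taken from the reply above

# Constructed sample in the assumed client.keys layout: <id> <name> <ip> <key>
SAMPLE_KEYS = """\
001 web01 10.0.0.11 0000placeholderkey0001
002 db01 10.0.0.12 0000placeholderkey0002
003 chef-node any 0000placeholderkey0003
"""

def parse_client_keys(text):
    """Return [(agent_id, name, ip)] for every line with exactly four fields."""
    agents = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 4:
            agents.append(tuple(fields[:3]))
    return agents

def check_agent_info(keys_text, info_dir, now=None, stale_after=STALE_AFTER):
    """Map agent id -> (state, detail), looking only at the agent-info files."""
    now = time.time() if now is None else now
    report = {}
    for agent_id, name, ip in parse_client_keys(keys_text):
        path = os.path.join(info_dir, f"{name}-{ip}")  # assumed file naming
        try:
            st = os.stat(path)
        except FileNotFoundError:
            report[agent_id] = ("missing", path)  # no file for this agent
            continue
        except PermissionError:
            report[agent_id] = ("unreadable", path)  # check directory permissions
            continue
        age = int(now - st.st_mtime)
        state = "stale" if age > stale_after else "fresh"
        mode = stat.filemode(st.st_mode)
        report[agent_id] = (state, f"age={age}s mode={mode} uid={st.st_uid}")
    return report

if __name__ == "__main__":
    info_dir = sys.argv[1] if len(sys.argv) > 1 else "/var/ossec/queue/agent-info"
    for agent_id, (state, detail) in sorted(check_agent_info(SAMPLE_KEYS, info_dir).items()):
        print(agent_id, state, detail)
```

A file that was created by hand and never updated afterwards shows up as "stale" once the threshold passes, which matches the behaviour reported in the thread.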
