Hi Tahir,

It could be an issue with the keys. OSSEC (agents and manager) keeps a 
counter of each message sent and received in /var/ossec/queue/rids. This is 
a technique to prevent replay attacks. Let's try the following:

   - In an agent of your particular subnet: stop it and go to 
   /var/ossec/queue/rids and remove every file in there.
   - In the manager: stop it and remove the rids file with the same name as 
   the agent id that is reporting errors.
   - Restart the manager and the agent.

Then, review the ossec.log of the agent to see what happens.

If this works, you will need to do the same in each agent. Also, 
if you don't need the feature to prevent replay attacks, you can disable it 
by changing *remoted.verify_msg_id* from 1 to 0 in 
/var/ossec/etc/internal_options.conf.

Regards.

On Friday, June 17, 2016 at 12:45:46 PM UTC+2, dan (ddpbsd) wrote:
>
> On Fri, Jun 17, 2016 at 5:27 AM, Tahir Hafiz <[email protected]> wrote: 
> > Thanks. I am seeing this in the alerts.log for the ones not connecting, I 
> > mean they seem to be able to connect in network terms but not the OSSEC 
> > server instance process: 
> > ossec-remoted(1408): ERROR: Invalid ID for the source ip: 'a.b.c.d'. 
> > ossec-remoted(1213): WARN: Message from a.b.c.d not allowed. 
> > 
> > Is there something we are not doing to allow these particular agents to 
> > connect - a key file etc? 
> > 
>
> Is that IP an IP you expect an agent to come from? 
> Did you duplicate IPs when adding agents in manage_agents? 
>
> > 
> > 
> > 
> > On Friday, 17 June 2016 08:49:28 UTC+1, Jesus Linares wrote: 
> >> 
> >> It should work with port 1514 UDP. First, check if you have connectivity 
> >> between agents and manager (ping, telnet, tcpdump...) and review your 
> >> network settings (routers, firewall rules, etc). Then, check out the 
> >> ossec.log of each agent to see what the issue is. 
> >> 
> >> On Thursday, June 16, 2016 at 6:41:10 PM UTC+2, dan (ddpbsd) wrote: 
> >>> 
> >>> On Thu, Jun 16, 2016 at 12:27 PM, Tahir Hafiz <[email protected]> wrote: 
> >>> > We have an OSSEC server located in one particular subnet and the 
> >>> > majority of the agents are located in the same subnet and work fine. 
> >>> > However, we have a few OSSEC agents located in a different subnet and 
> >>> > they are having problems being able to connect to the server. 
> >>> > 
> >>> > We have opened up port 1514 UDP between subnets for ingress and egress 
> >>> > traffic. 
> >>> > 
> >>> > Is there anything that we should do to allow server and agent 
> >>> > communication? 
> >>> > 
> >>> > 
> >>> 
> >>> Do you see the traffic on the server from the hosts that are having 
> >>> issues? 
> >>> Do the source IPs match your expectations? 
> >>> 
>
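
An added illustration of the counter check described in the top message (not part of the thread and not OSSEC's code): a simplified model of counter-based replay protection. It shows why out-of-sync counters cause every message to be dropped until the saved counter is removed, and what turning verification off gives up. The class names, the single integer counter per agent and the dict standing in for /var/ossec/queue/rids are assumptions.

```python
# Simplified model of counter-based replay protection (not OSSEC source code).
# Assumptions: one integer counter per agent; a dict stands in for queue/rids.

class Sender:
    def __init__(self, agent_id, counter=0):
        self.agent_id = agent_id
        self.counter = counter               # persisted on the agent side

    def send(self, payload):
        self.counter += 1
        return (self.agent_id, self.counter, payload)


class Receiver:
    def __init__(self, verify_msg_id=True):
        self.verify_msg_id = verify_msg_id   # models remoted.verify_msg_id (1/0)
        self.rids = {}                       # agent_id -> last accepted counter

    def receive(self, msg):
        agent_id, counter, _payload = msg
        saved = self.rids.get(agent_id, 0)
        if self.verify_msg_id and counter <= saved:
            return False                     # old or repeated counter: dropped
        self.rids[agent_id] = max(counter, saved)
        return True

    def remove_rids(self, agent_id):
        self.rids.pop(agent_id, None)        # models deleting the agent's rids file


def demo():
    results = {}
    manager, agent = Receiver(), Sender("001")
    first = agent.send("event 1")
    results["fresh"] = manager.receive(first)
    results["replayed"] = manager.receive(first)
    for n in range(5):                       # normal traffic raises the saved counter
        manager.receive(agent.send("event %d" % (n + 2)))
    # Constructed scenario: the agent's counter is lost and restarts from zero.
    agent = Sender("001")
    results["after_desync"] = manager.receive(agent.send("event"))
    manager.remove_rids("001")               # cleanup on the manager side
    results["after_cleanup"] = manager.receive(agent.send("event"))
    # With verification disabled, a repeated message is accepted again.
    lax, msg = Receiver(verify_msg_id=False), Sender("002").send("event")
    lax.receive(msg)
    results["replayed_no_verify"] = lax.receive(msg)
    return results


if __name__ == "__main__":
    print(demo())
```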

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/d/optout.
