Before doing what I said above, check if your client.keys doesn't have duplicated IPs.
On Monday, June 20, 2016 at 9:35:12 AM UTC+2, Jesus Linares wrote:
>
> Hi Tahir,
>
> It could be an issue with the keys. OSSEC (agents and manager) keep a
> counter of each message sent and received in /var/ossec/queue/rids. This is
> a technique to prevent replay attacks. Let's try the following:
>
>    - In an agent of your particular subnet: stop it and go to
>    /var/ossec/queue/rids and remove every file in there.
>    - In the manager: stop it and remove the rids file with the same name
>    as the agent id that is reporting errors.
>    - Restart the manager and the agent.
>
> Then, review the ossec.log of the agent to see what happens.
>
> In case that this works, you will need to do the same in each agent. Also,
> if you don't need the feature to prevent replay attacks, you can disable it
> by changing *remoted.verify_msg_id* from 1 to 0 in
> /var/ossec/etc/internal_options.conf.
>
> Regards.
>
> On Friday, June 17, 2016 at 12:45:46 PM UTC+2, dan (ddpbsd) wrote:
>>
>> On Fri, Jun 17, 2016 at 5:27 AM, Tahir Hafiz <[email protected]> wrote:
>> > Thanks. I am seeing this in the alerts.log for the ones not connecting, I
>> > mean they seem to be able to connect in network terms but not the OSSEC
>> > server instance process:
>> > ossec-remoted(1408): ERROR: Invalid ID for the source ip: 'a.b.c.d'.
>> > ossec-remoted(1213): WARN: Message from a.b.c.d not allowed.
>> >
>> > Is there something we are not doing to allow these particular agents to
>> > connect - a key file etc?
>> >
>>
>> Is that IP an IP you expect an agent to come from?
>> Did you duplicate IPs when adding agents in manage_agents?
>>
>> >
>> > On Friday, 17 June 2016 08:49:28 UTC+1, Jesus Linares wrote:
>> >>
>> >> It should work with port 1514 UDP. First, check if you have connectivity
>> >> between agents and manager (ping, telnet, tcpdump...) and review your
>> >> network settings (routers, firewall rules, etc). Then, check out the
>> >> ossec.log of each agent to see what the issue is.
>> >>
>> >> On Thursday, June 16, 2016 at 6:41:10 PM UTC+2, dan (ddpbsd) wrote:
>> >>>
>> >>> On Thu, Jun 16, 2016 at 12:27 PM, Tahir Hafiz <[email protected]> wrote:
>> >>> > We have an OSSEC server located in one particular subnet and the
>> >>> > majority of the agents are located in the same subnet and work fine.
>> >>> > However, we have a few OSSEC agents located in a different subnet and
>> >>> > they are having problems being able to connect to the server.
>> >>> >
>> >>> > We have opened up port 1514 UDP between subnets for ingress and egress
>> >>> > traffic.
>> >>> >
>> >>> > Is there anything that we should do to allow server and agent
>> >>> > communication?
>> >>> >
>> >>>
>> >>> Do you see the traffic on the server from the hosts that are having
>> >>> issues?
>> >>> Do the source IPs match your expectations?
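
Added example, not part of the original thread or of OSSEC itself: one way to run the duplicate-IP check on client.keys that the messages above suggest. It assumes each line has the form `<id> <name> <ip> <key>`, that entries for removed agents have a name starting with `#` or `!`, and that the file is in the default location `/var/ossec/etc/client.keys`; the sample data is constructed.

```shell
#!/bin/sh
# Report source IPs that are assigned to more than one active agent entry
# in an OSSEC client.keys file. Assumed line format: <id> <name> <ip> <key>

# dup_ips FILE: print "<ip>: <id> <id> ..." for every IP used by 2+ agents.
dup_ips() {
    awk '
        NF < 4               { next }  # blank or malformed line
        $2 ~ /^[#!]/         { next }  # assumption: marks a removed agent
        tolower($3) == "any" { next }  # "any" is not bound to one address
        {
            # Exact string match on the IP field; CIDR entries that merely
            # overlap are not detected by this check.
            if (count[$3]++) ids[$3] = ids[$3] " " $1
            else             ids[$3] = $1
        }
        END {
            for (ip in count)
                if (count[ip] > 1) print ip ": " ids[ip]
        }
    ' "$1" | sort
}

# Constructed sample: documentation addresses and placeholder keys.
sample_keys() {
    cat <<'EOF'
001 web01 192.0.2.10 KEY_PLACEHOLDER_1
002 web02 192.0.2.11 KEY_PLACEHOLDER_2
003 db01 192.0.2.10 KEY_PLACEHOLDER_3
004 roaming1 any KEY_PLACEHOLDER_4
005 roaming2 any KEY_PLACEHOLDER_5
006 #*#*#*old 192.0.2.11 KEY_PLACEHOLDER_6
EOF
}

# Usage on the manager: sh dup_ips.sh /var/ossec/etc/client.keys
if [ -n "${1:-}" ]; then
    dup_ips "$1"
fi
```

Any line of output names an address that more than one agent ID claims, which is the condition to rule out before clearing the rids counters.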
