Hi Brian. It seems to be an Active Response issue. This message appears when AR fails to find the name of the agent among the registered agents. But the log should show the name of the agent, and it doesn't appear in the message. The problem isn't related to the network.
Could you find the alert that triggers this AR? If you can do that, find the name of the agent in the alert and make sure that this agent is properly registered (i.e. with the program manage_agents).

Remoted saves the source IP of an agent when it receives a message. This is important, particularly if the agent is registered with "any" IP. In order to log the source IP you need to write the code into the file src/remoted/secure.c. But if you registered the agent with an IP other than "any", then the source IP will always match the registered IP.

I think that there is an issue when analysisd sends an active response to remoted.

Hope it helps.

Best regards.
Victor Fernandez.

On Thursday, July 7, 2016 at 8:03:46 AM UTC-7, BP9906 wrote:
> I'm facing an odd issue where we have some server partially configured
> (don't ask) and so as a result the ossec server logs this every once in a
> while.
>
> 2016/07/07 05:13:25 ossec-remoted(1320): ERROR: Agent '' not found.
>
> I've enabled iptables logging, searched through all servers in those time
> periods and found nothing.
>
> I'm wondering how I can add a source IP address to the remoted logging?
>
> Thank you for your help
>
> Brian
