Thanks Victor. I found an AR with <agent_id></agent_id>. It's been like that for a while, so apparently we had a server fire on the rule related. I removed the AR because it's no longer being used, which is why the agent_id was empty.

On Thursday, July 7, 2016 at 1:27:19 PM UTC-5, Victor Fernandez wrote:
>
> Hi Brian.
>
> It seems to be an Active Response issue. This message appears when AR
> fails to find the name of the agent among the registered agents. But the
> log should show the name of the agent, and it doesn't appear in the
> message. The problem isn't related to the network.
>
> Could you find the alert that triggers this AR? If you can do that, find
> the name of the agent in the alert and make sure that this agent is
> properly registered (i.e. with the program manage_agents).
>
> Remoted saves the source IP of an agent when it receives a message. This
> is important, particularly if the agent is registered with "any" IP. In
> order to log the source IP you need to write the code into file
> src/remoted/secure.c. But if you registered the agent with an IP other
> than "any", then the source IP will always match the registered IP.
>
> I think that there is an issue when analysisd sends an active response to
> remoted.
>
> Hope it helps.
>
> Best regards.
>
> Victor Fernandez.
>
>
> On Thursday, July 7, 2016 at 8:03:46 AM UTC-7, BP9906 wrote:
>>
>> I'm facing an odd issue where we have some server partially configured
>> (don't ask) and so as a result the ossec server logs this every once in a
>> while.
>>
>> 2016/07/07 05:13:25 ossec-remoted(1320): ERROR: Agent '' not found.
>>
>> I've enabled iptables logging, searched through all servers in those time
>> periods and found nothing.
>>
>> I'm wondering how I can add a source IP address to the remoted logging?
>>
>> Thank you for your help
>>
>> Brian
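
Added example, not part of the original thread and not OSSEC project code: a check for the condition found above, an active-response block in ossec.conf whose agent_id is empty. The sample config, the rule IDs and the function name find_empty_agent_ar are constructed for illustration; the check assumes agent_id is only required when location is defined-agent.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not taken from the thread: one healthy block and one
# stale block whose <agent_id> was left empty.
SAMPLE_CONF = """
<ossec_config>
  <active-response>
    <command>host-deny</command>
    <location>local</location>
    <rules_id>5712</rules_id>
  </active-response>
</ossec_config>
<ossec_config>
  <active-response>
    <command>restart-ossec</command>
    <location>defined-agent</location>
    <agent_id></agent_id>
    <rules_id>100010</rules_id>
  </active-response>
</ossec_config>
"""

def find_empty_agent_ar(conf_text):
    """Return (command, rules_id) for each AR block with no usable agent_id."""
    # ossec.conf may hold several <ossec_config> roots; wrap them so it parses.
    root = ET.fromstring("<wrapper>" + conf_text + "</wrapper>")
    findings = []
    for ar in root.iter("active-response"):
        agent_id = ar.find("agent_id")
        location = (ar.findtext("location") or "").strip()
        # Element present but blank: the case described in the thread.
        blank = agent_id is not None and not (agent_id.text or "").strip()
        # Assumption: defined-agent with no agent_id at all is the same fault.
        missing = agent_id is None and location == "defined-agent"
        if blank or missing:
            findings.append(((ar.findtext("command") or "").strip(),
                             (ar.findtext("rules_id") or "").strip()))
    return findings

if __name__ == "__main__":
    for command, rules_id in find_empty_agent_ar(SAMPLE_CONF):
        print(f"active-response '{command}' (rules_id={rules_id}) has no agent_id")
```

To check a real server, pass the contents of its ossec.conf to find_empty_agent_ar instead of SAMPLE_CONF.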
