Hi,

A few days ago some of my OSSEC agents started going offline and stopped sending alerts, and then a long while later came back online again like nothing was wrong. Restarting the agents doesn't help fix the offline status. This affects both agents running through a router/firewall to reach the server, and agents running in the same subnet as the server.
I removed all iptables filters and did a tcpdump on both offline and online agents, but couldn't notice anything out of the ordinary. Here are packets from an offline agent showing successful traffic from server to client and vice versa, as well as some curious port unreachable errors. Even though there is traffic, the agent shows as offline and no alerts are generated for events on this agent.

OSSEC Server IP: 10.10.12.171
Agent IP: 10.10.13.8

agent_control -l:
ID: 019, Name: devjerm1, IP: 10.10.13.8, Disconnected

tcpdump:
15:47:36.515777 IP 10.10.13.8 > 10.10.12.171: ICMP 10.10.13.8 udp port 58989 unreachable, length 109
15:47:36.517646 IP 10.10.13.8.49382 > 10.10.12.171.1514: UDP, length 73
15:47:40.526516 IP 10.10.12.171.1514 > 10.10.13.8.58989: UDP, length 73
15:47:40.526567 IP 10.10.13.8 > 10.10.12.171: ICMP 10.10.13.8 udp port 58989 unreachable, length 109
15:47:41.518182 IP 10.10.13.8.49382 > 10.10.12.171.1514: UDP, length 73
15:47:47.518732 IP 10.10.13.8.49382 > 10.10.12.171.1514: UDP, length 73
15:47:59.581518 IP 10.10.12.171.1514 > 10.10.13.8.49382: UDP, length 73
15:48:07.897110 IP 10.10.12.171.1514 > 10.10.13.8.49382: UDP, length 73
15:48:14.725335 IP 10.10.12.171.1514 > 10.10.13.8.49382: UDP, length 73
15:48:19.395627 IP 10.10.12.171.1514 > 10.10.13.8.49382: UDP, length 73
15:48:25.521404 IP 10.10.13.8.59490 > 10.10.12.171.1514: UDP, length 73
15:48:31.522261 IP 10.10.13.8.59490 > 10.10.12.171.1514: UDP, length 73
15:48:35.522794 IP 10.10.13.8.59490 > 10.10.12.171.1514: UDP, length 73

Any insights are appreciated.

Quintin
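The capture quoted above can be checked mechanically for the pattern it shows: the agent changes its UDP source port over time, and the server's replies on 1514 go to a port the agent used earlier, which is what triggers the ICMP "udp port unreachable" errors. The following script is an added example, not code from the poster or from OSSEC; it parses plain tcpdump text (the sample lines below are the ones from the post, constructed here as an inline string) and reports which server-to-agent datagrams went to the agent's current port and which went to a stale one.

```python
import re
from collections import Counter

# Constructed sample: the tcpdump lines quoted in the post above.
CAPTURE = """\
15:47:36.515777 IP 10.10.13.8 > 10.10.12.171: ICMP 10.10.13.8 udp port 58989 unreachable, length 109
15:47:36.517646 IP 10.10.13.8.49382 > 10.10.12.171.1514: UDP, length 73
15:47:40.526516 IP 10.10.12.171.1514 > 10.10.13.8.58989: UDP, length 73
15:47:40.526567 IP 10.10.13.8 > 10.10.12.171: ICMP 10.10.13.8 udp port 58989 unreachable, length 109
15:47:41.518182 IP 10.10.13.8.49382 > 10.10.12.171.1514: UDP, length 73
15:47:47.518732 IP 10.10.13.8.49382 > 10.10.12.171.1514: UDP, length 73
15:47:59.581518 IP 10.10.12.171.1514 > 10.10.13.8.49382: UDP, length 73
15:48:07.897110 IP 10.10.12.171.1514 > 10.10.13.8.49382: UDP, length 73
15:48:14.725335 IP 10.10.12.171.1514 > 10.10.13.8.49382: UDP, length 73
15:48:19.395627 IP 10.10.12.171.1514 > 10.10.13.8.49382: UDP, length 73
15:48:25.521404 IP 10.10.13.8.59490 > 10.10.12.171.1514: UDP, length 73
15:48:31.522261 IP 10.10.13.8.59490 > 10.10.12.171.1514: UDP, length 73
15:48:35.522794 IP 10.10.13.8.59490 > 10.10.12.171.1514: UDP, length 73
"""

# tcpdump's IPv4 UDP line: "<ts> IP <src>.<sport> > <dst>.<dport>: UDP, ..."
UDP_RE = re.compile(r"^(\S+) IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): UDP")
# tcpdump's ICMP port-unreachable line: "<ts> IP <src> > <dst>: ICMP <host> udp port <p> unreachable"
ICMP_RE = re.compile(r"^(\S+) IP (\S+) > (\S+): ICMP \S+ udp port (\d+) unreachable")

def analyze(capture, server, agent, port=1514):
    """Walk the capture in order. Each agent->server datagram to `port` updates the
    agent's current source port; each server->agent datagram from `port` is 'current'
    if it targets that port and 'stale' otherwise (including before any agent packet)."""
    current_port = None            # agent's most recently seen source port
    agent_ports = []               # distinct source ports the agent used, in order
    stale_replies = []             # (timestamp, dst_port) of replies sent to an old port
    replies_to_current = 0         # server datagrams that reached the live port
    unreachable = Counter()        # port -> number of ICMP port-unreachable errors
    for line in capture.splitlines():
        m = UDP_RE.match(line)
        if m:
            ts, src, sport, dst, dport = m.groups()
            if src == agent and dst == server and int(dport) == port:
                if int(sport) != current_port:
                    current_port = int(sport)
                    agent_ports.append(current_port)
            elif src == server and dst == agent and int(sport) == port:
                if int(dport) == current_port:
                    replies_to_current += 1
                else:
                    stale_replies.append((ts, int(dport)))
            continue
        m = ICMP_RE.match(line)
        if m and m.group(2) == agent:      # the agent itself rejected the datagram
            unreachable[int(m.group(4))] += 1
    return {"agent_ports": agent_ports, "stale_replies": stale_replies,
            "replies_to_current": replies_to_current, "unreachable": dict(unreachable)}

if __name__ == "__main__":
    print(analyze(CAPTURE, server="10.10.12.171", agent="10.10.13.8"))
```

Run against the post's lines it reports one stale reply (to port 58989, which the agent had already left) matching the two ICMP errors, and four replies that did reach the live port 49382 before the agent moved on to 59490.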
