On Tue, Jul 19, 2016 at 10:19 AM, Quintin Beukes <[email protected]> wrote:
> The logs on the agent show this:
> 2016/07/19 16:18:27 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: 'ossec.jeoffice/10.10.12.171'.
> 2016/07/19 16:18:29 ossec-agentd: INFO: Trying to connect to server (ossec.jeoffice/10.10.12.171:1514).
> 2016/07/19 16:18:29 ossec-agentd: INFO: Using IPv4 for: 10.10.12.171 .
> 2016/07/19 16:18:44 ossec-logcollector: WARN: Process locked. Waiting for permission...
>

Try turning on debug on the manager (`/var/ossec/bin/ossec-control enable debug && /var/ossec/bin/ossec-control restart`)

> Quintin
>
> On Tue, Jul 19, 2016 at 4:13 PM Quintin Beukes <[email protected]>
> wrote:
>>
>> Hi,
>>
>> A few days ago some of my OSSEC agents started going offline and stop
>> sending alerts, and then a long while after come back online again like
>> nothing's wrong. Restarting the agents doesn't help fix the offline status.
>> This affects both agents running through a router/firewall to reach the
>> server, and agents running in the same subnet as the server.
>>
>> I removed all iptables filters and did a tcpdump on both offline and
>> online agents, but couldn't notice anything out of the ordinary.
>>
>> Here are packets from an offline agent showing successful traffic from
>> server to client and vice versa, as well as some curious port unreachable
>> errors. Even though there is traffic, the agent shows as offline and no
>> alerts are generated for events on this agent.
>>
>> OSSEC Server IP: 10.10.12.171
>> Agent IP: 10.10.13.8
>>
>> agent_control -l:
>> ID: 019, Name: devjerm1, IP: 10.10.13.8, Disconnected
>>
>> tcpdump:
>> 15:47:36.515777 IP 10.10.13.8 > 10.10.12.171: ICMP 10.10.13.8 udp port 58989 unreachable, length 109
>> 15:47:36.517646 IP 10.10.13.8.49382 > 10.10.12.171.1514: UDP, length 73
>> 15:47:40.526516 IP 10.10.12.171.1514 > 10.10.13.8.58989: UDP, length 73
>> 15:47:40.526567 IP 10.10.13.8 > 10.10.12.171: ICMP 10.10.13.8 udp port 58989 unreachable, length 109
>> 15:47:41.518182 IP 10.10.13.8.49382 > 10.10.12.171.1514: UDP, length 73
>> 15:47:47.518732 IP 10.10.13.8.49382 > 10.10.12.171.1514: UDP, length 73
>> 15:47:59.581518 IP 10.10.12.171.1514 > 10.10.13.8.49382: UDP, length 73
>> 15:48:07.897110 IP 10.10.12.171.1514 > 10.10.13.8.49382: UDP, length 73
>> 15:48:14.725335 IP 10.10.12.171.1514 > 10.10.13.8.49382: UDP, length 73
>> 15:48:19.395627 IP 10.10.12.171.1514 > 10.10.13.8.49382: UDP, length 73
>> 15:48:25.521404 IP 10.10.13.8.59490 > 10.10.12.171.1514: UDP, length 73
>> 15:48:31.522261 IP 10.10.13.8.59490 > 10.10.12.171.1514: UDP, length 73
>> 15:48:35.522794 IP 10.10.13.8.59490 > 10.10.12.171.1514: UDP, length 73
>>
>> Any insights are appreciated.
>>
>> Quintin
>>
>> --
>>
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "ossec-list" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> For more options, visit https://groups.google.com/d/optout.
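
A helper for reading a capture like the one quoted in the thread, added here as an example and not part of the original messages or of OSSEC: it tallies, per agent-side UDP port, the agent's packets to the manager on 1514, the manager's packets back, and the agent's ICMP port-unreachable replies. The function names are hypothetical; the sample lines are the thread's own tcpdump output with the mail client's line wraps rejoined.

```python
import re
from collections import defaultdict

# Addresses and port taken from the post; function names below are hypothetical.
SERVER, AGENT, PORT = "10.10.12.171", "10.10.13.8", 1514

# The capture from the post, with the mail client's line wraps rejoined.
CAPTURE = """\
15:47:36.515777 IP 10.10.13.8 > 10.10.12.171: ICMP 10.10.13.8 udp port 58989 unreachable, length 109
15:47:36.517646 IP 10.10.13.8.49382 > 10.10.12.171.1514: UDP, length 73
15:47:40.526516 IP 10.10.12.171.1514 > 10.10.13.8.58989: UDP, length 73
15:47:40.526567 IP 10.10.13.8 > 10.10.12.171: ICMP 10.10.13.8 udp port 58989 unreachable, length 109
15:47:41.518182 IP 10.10.13.8.49382 > 10.10.12.171.1514: UDP, length 73
15:47:47.518732 IP 10.10.13.8.49382 > 10.10.12.171.1514: UDP, length 73
15:47:59.581518 IP 10.10.12.171.1514 > 10.10.13.8.49382: UDP, length 73
15:48:07.897110 IP 10.10.12.171.1514 > 10.10.13.8.49382: UDP, length 73
15:48:14.725335 IP 10.10.12.171.1514 > 10.10.13.8.49382: UDP, length 73
15:48:19.395627 IP 10.10.12.171.1514 > 10.10.13.8.49382: UDP, length 73
15:48:25.521404 IP 10.10.13.8.59490 > 10.10.12.171.1514: UDP, length 73
15:48:31.522261 IP 10.10.13.8.59490 > 10.10.12.171.1514: UDP, length 73
15:48:35.522794 IP 10.10.13.8.59490 > 10.10.12.171.1514: UDP, length 73
"""

UDP_RE = re.compile(r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): UDP")
ICMP_RE = re.compile(r"^\S+ IP (\S+) > (\S+): ICMP \S+ udp port (\d+) unreachable")

def summarize(text, server=SERVER, agent=AGENT, port=PORT):
    """Count traffic per agent-side UDP port: agent_tx, server_tx, unreachable."""
    stats = defaultdict(lambda: {"agent_tx": 0, "server_tx": 0, "unreachable": 0})
    for line in text.splitlines():
        if m := UDP_RE.match(line):
            src, sport, dst, dport = m.groups()
            if src == agent and dst == server and int(dport) == port:
                stats[int(sport)]["agent_tx"] += 1      # agent -> manager:1514
            elif src == server and dst == agent and int(sport) == port:
                stats[int(dport)]["server_tx"] += 1     # manager:1514 -> agent
        elif m := ICMP_RE.match(line):
            src, dst, closed = m.groups()
            if src == agent and dst == server:
                stats[int(closed)]["unreachable"] += 1  # agent says port is closed
    return dict(stats)

def stale_ports(stats):
    """Ports the manager sent to and the agent rejected, with no agent traffic from them."""
    return sorted(p for p, s in stats.items()
                  if s["server_tx"] and s["unreachable"] and not s["agent_tx"])

if __name__ == "__main__":
    for p, s in sorted(summarize(CAPTURE).items()):
        print(p, s)
    print("stale:", stale_ports(summarize(CAPTURE)))
```

On this capture, 58989 is the only port that receives manager traffic and draws port-unreachable replies while the agent sends nothing from it in the captured window.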
