Hi Eyal,

This is a familiar problem that we have come across in the past as
well. The counter of the rids file can run out of sync if the manager
and the respective agent have trouble exchanging control messages.

Have you perhaps reinstalled the manager or one of the agents recently?

You can fix your problem by following the steps below:

  1. On every agent:
     1. Stop ossec.
     2. Go to .../ossec/queue/rids (or ossec-agent/rids on Windows)
        and remove every file in there.
  2. Go to the server:
     1. Stop ossec.
     2. Remove the rids file with the same name as the agent id that
        is reporting errors.
  3. Restart the server.
  4. Restart the agents.

If you have reinstalled one of your machines recently, then we
recommend that you use the update option. Do not remove and reinstall
the ossec server, unless you plan to do the same for all agents.

Just a heads up, please refrain from using the same agent key between
multiple agents, or the same agent key after you removed/re-installed
an agent….


Reference:
http://ossec-docs.readthedocs.io/en/latest/faq/unexpected.html#fixing-duplicate-errors


Regards
-----------------------
Jose Luis Ruiz
Wazuh Inc.
[email protected]
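
The steps from the reply above as shell functions for the Unix side; this is an added example, not part of the original message or of OSSEC itself. It assumes the install root is passed as the first argument (default /var/ossec), that agent ids are numeric, and that running daemons leave ossec-*.pid files under var/run; the function names are hypothetical.

```shell
# Added example (not from the thread): rids reset helpers for Unix hosts.
# Stop OSSEC first, e.g. "$home/bin/ossec-control stop", then call one of these.

# Assumption: running daemons leave ossec-*.pid files under $home/var/run.
# A stale pid file after a crash also trips this guard; remove it by hand.
ossec_running() {
    for p in "$1"/var/run/ossec-*.pid; do
        [ -e "$p" ] && return 0
    done
    return 1
}

# Agent side (step 1): remove every file in queue/rids; prints how many.
clear_agent_rids() {
    home=${1:-/var/ossec}
    rids="$home/queue/rids"
    [ -d "$rids" ] || { echo "no rids directory: $rids" >&2; return 2; }
    if ossec_running "$home"; then echo "stop ossec first" >&2; return 3; fi
    n=0
    for f in "$rids"/*; do
        [ -f "$f" ] || continue
        rm -f -- "$f" && n=$((n + 1))
    done
    echo "$n"
}

# Server side (step 2): remove only the counter file named after the agent id
# that is reporting errors. The id is checked so it cannot escape queue/rids.
clear_server_rid() {
    home=${1:-/var/ossec}
    id=$2
    case $id in
        ''|*[!0-9]*) echo "agent id must be numeric: '$id'" >&2; return 2 ;;
    esac
    if ossec_running "$home"; then echo "stop ossec first" >&2; return 3; fi
    f="$home/queue/rids/$id"
    [ -f "$f" ] || { echo "no counter file for agent $id" >&2; return 1; }
    rm -f -- "$f"
}
```

Once both sides are cleared, restart the server and then the agents, as in steps 3 and 4.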

On July 20, 2016 at 11:54:41 AM, eyal gershon ([email protected]) wrote:

Hey Everyone,

I am noticing some irregular activity in some of my OSSEC agents -

*A little bit about the system -*

My deployment is on 2000~ servers managed from a dedicated ossec manager.
I currently have 1600~ agents connected on a full basis and 400~ servers
who connect and disconnect all the time.

All the ports are opened (confirmation with NC and telnet)

On my management server I see the following error in the logs -

2016/07/20 05:33:49 ossec-remoted(1407): ERROR: Duplicated counter for '**************'.
2016/07/20 05:33:55 ossec-remoted: WARN: Duplicate error:  global:


I checked the /var/ossec/queue/rids and made sure there is only a single
entry in there and that entry is the same on both host and management.
I made a double check and also compared client.keys on both servers. Same
key and same entry on both servers.


I did a key exchange manually between both servers just to make sure
nothing was wrong in that section.
Same error.


Does anyone have an idea on how to continue?
--

---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to [email protected].
For more options, visit https://groups.google.com/d/optout.
