I'd like to see answers for that as well, since I have a similar problem.

On Tuesday, July 19, 2016 11:13:50 UTC-3, Quintin Beukes wrote:
>
> Hi,
>
> A few days ago some of my OSSEC agents started going offline and stopped 
> sending alerts, and then a long while after came back online again like 
> nothing's wrong. Restarting the agents doesn't help fix the offline status. 
> This affects both agents running through a router/firewall to reach the 
> server, and agents running in the same subnet as the server.
>
> I removed all iptables filters and did a tcpdump on both offline and 
> online agents, but couldn't notice anything out of the ordinary. 
>
> Here are packets from an offline agent showing successful traffic from 
> server to client and vice versa, as well as some curious port unreachable 
> errors. Even though there is traffic, the agent shows as offline and no 
> alerts are generated for events on this agent.
>
> OSSEC Server IP: 10.10.12.171
> Agent IP: 10.10.13.8
>
> agent_control -l:
>    ID: 019, Name: devjerm1, IP: 10.10.13.8, Disconnected
>
> tcpdump:
> 15:47:36.515777 IP 10.10.13.8 > 10.10.12.171: ICMP 10.10.13.8 udp port 58989 unreachable, length 109 
> 15:47:36.517646 IP 10.10.13.8.49382 > 10.10.12.171.1514: UDP, length 73 
> 15:47:40.526516 IP 10.10.12.171.1514 > 10.10.13.8.58989: UDP, length 73 
> 15:47:40.526567 IP 10.10.13.8 > 10.10.12.171: ICMP 10.10.13.8 udp port 58989 unreachable, length 109 
> 15:47:41.518182 IP 10.10.13.8.49382 > 10.10.12.171.1514: UDP, length 73 
> 15:47:47.518732 IP 10.10.13.8.49382 > 10.10.12.171.1514: UDP, length 73 
> 15:47:59.581518 IP 10.10.12.171.1514 > 10.10.13.8.49382: UDP, length 73 
> 15:48:07.897110 IP 10.10.12.171.1514 > 10.10.13.8.49382: UDP, length 73 
> 15:48:14.725335 IP 10.10.12.171.1514 > 10.10.13.8.49382: UDP, length 73 
> 15:48:19.395627 IP 10.10.12.171.1514 > 10.10.13.8.49382: UDP, length 73 
> 15:48:25.521404 IP 10.10.13.8.59490 > 10.10.12.171.1514: UDP, length 73 
> 15:48:31.522261 IP 10.10.13.8.59490 > 10.10.12.171.1514: UDP, length 73 
> 15:48:35.522794 IP 10.10.13.8.59490 > 10.10.12.171.1514: UDP, length 73
>
> Any insights are appreciated.
>
> Quintin
>
