Hey Jose, There was no update or upgrade done. I performed the procedure you mentioned before but the results stayed the same.
I have around 1600 servers and 400 who do not connect. Do you have any other idea on why this happens? Or anything else I can test?

On Wed, Jul 20, 2016 at 6:03 PM, Jose Luis Ruiz <[email protected]> wrote:
> Hi Eyal,
>
> this is a familiar problem that we have come across in the past as well. The
> counter of the rids file can run out of sync, if the manager and the
> respective agent have troubles exchanging control messages.
>
> Have you perhaps reinstalled the manager or one of the agents recently?
>
> You can fix your problem by following the below steps:
>
> 1. On every agent:
>
>    1. stop ossec
>    2. go to: .../ossec/queue/rids (or ossec-agent/rids on Windows) and
>       remove every file in there.
>
> 2. Go to the server:
>
>    1. Stop ossec
>    2. Remove the rids file with the same name as the agent id that is
>       reporting errors.
>
> 3. Restart the server
> 4. Restart the agents.
>
> If you have reinstalled one of your machines recently, then we recommend that
> you use the update option. Do not remove and reinstall the ossec server,
> unless you plan to do the same for all agents.
>
> Just a heads up, please refrain from using the same agent key between
> multiple agents, or the same agent key after you removed/re-installed an
> agent….
>
> Reference:
> http://ossec-docs.readthedocs.io/en/latest/faq/unexpected.html#fixing-duplicate-errors
>
> Regards
> -----------------------
> Jose Luis Ruiz
> Wazuh Inc.
> [email protected]
>
> On July 20, 2016 at 11:54:41 AM, eyal gershon ([email protected])
> wrote:
>
> Hey Everyone,
>
> I am noticing some irregular activity in some of my OSSEC agents -
>
> *A little bit about the system - *
>
> My Deployment is on 2000~ servers managed from dedicated ossec manager.
> I currently have 1600~ agents connected on a full basis and 400~ servers
> who connect and disconnect all the time.
>
> All the ports are opened (confirmation with NC and telnet)
>
> On my management server I see the following error in the logs -
>
> 2016/07/20 05:33:49 ossec-remoted(1407): ERROR: Duplicated counter for '**************'.
> 2016/07/20 05:33:55 ossec-remoted: WARN: Duplicate error: global:
>
> I checked the /var/ossec/queue/rids and made sure there is only a single
> entry in there and that entry is the same on both host and Management.
> I made a double check and also compared client.keys on both servers, Same
> Key and same Entry on both servers.
>
> I did a key exchange manually between both servers just to make sure
> Nothing was wrong in that section.
> Same error.
>
> Does anyone have an idea on how to continue?
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
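
Added example, not part of the original thread and not OSSEC project code: with hundreds of agents affected, this sketch extracts the agent names from the `Duplicated counter` lines quoted above and maps each one to the manager-side rids file named in the procedure. It assumes `client.keys` lines have the form `ID NAME IP KEY` and that rids files live under `/var/ossec/queue/rids`; the sample log, agent names, ids and keys are constructed.

```python
import re
from collections import Counter

# Constructed sample input: agent names, ids and keys are made up.
SAMPLE_LOG = """\
2016/07/20 05:33:49 ossec-remoted(1407): ERROR: Duplicated counter for 'web-01'.
2016/07/20 05:33:55 ossec-remoted: WARN: Duplicate error: global:
2016/07/20 05:34:10 ossec-remoted(1407): ERROR: Duplicated counter for 'db-07'.
2016/07/20 05:35:02 ossec-remoted(1407): ERROR: Duplicated counter for 'web-01'.
2016/07/20 05:36:40 ossec-remoted(1407): ERROR: Duplicated counter for 'ghost-99'.
"""
SAMPLE_KEYS = """\
001 web-01 10.0.0.11 CONSTRUCTED_KEY_A
007 db-07 any CONSTRUCTED_KEY_B
"""

# Matches the manager-side error line shown in the thread.
DUP_RE = re.compile(r"ossec-remoted\(1407\): ERROR: Duplicated counter for '([^']+)'")


def load_agent_ids(client_keys_text):
    """Map agent name -> agent id (assumed line format: 'ID NAME IP KEY')."""
    ids = {}
    for line in client_keys_text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0].isdigit():
            ids[parts[1]] = parts[0]
    return ids


def rids_to_reset(log_text, client_keys_text, rids_dir="/var/ossec/queue/rids"):
    """Return [(agent_name, error_count, rids_path_or_None)], noisiest first.

    A path of None means the name in the log has no entry in client.keys,
    which is worth investigating before touching any rids file.
    """
    counts = Counter(DUP_RE.findall(log_text))
    ids = load_agent_ids(client_keys_text)
    report = []
    for name, n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])):
        agent_id = ids.get(name)
        report.append((name, n, f"{rids_dir}/{agent_id}" if agent_id else None))
    return report


if __name__ == "__main__":
    for name, n, path in rids_to_reset(SAMPLE_LOG, SAMPLE_KEYS):
        print(f"{name:12} errors={n:<3} rids={path or 'NOT IN client.keys'}")
```

The script only reports; stopping ossec and removing the listed files remain manual steps from the procedure above.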
