Are you running out of network or disk speed? Eero
20.7.2016 10.39 ip. "eyal gershon" <[email protected]> kirjoitti: > Hey Jose, > > There was no update or upgrade done. > I performed the procedure you mentioned before but the results stayed the > same. > > I have around 1600 servers and 400 who do not connect. > > Do you have any other idea on why this happens? > Or any thing else I can test? > > > On Wed, Jul 20, 2016 at 6:03 PM, Jose Luis Ruiz <[email protected]> wrote: > >> Hi Eyal, >> >> >> >> this is a familiar problem that we have come across in the past as well. The >> counter of the rids file can run out of sync, if the manager and the >> respective agent have troubles exchanging control messages. >> >> Have you perhaps reinstalled the manager or one of the agents recently? >> >> >> >> You can fix your problem by following the below steps: >> >> >> >> 1. On every agent: >> >> >> >> 1. stop ossec >> >> 2. go to: .../ossec/queue/rids (or ossec-agent/rids on Windows) and >> remove every file in there. >> >> >> >> 2. Go to the server: >> >> >> >> 1. Stop ossec >> >> 2. Remove the rids file with the same name as the agent id that is >> reporting errors. >> >> >> >> 3. Restart the server >> >> 4. Restart the agents. >> >> >> >> If you have reinstalled one of your machines recently, then we recommend >> that you use the update option. Do not remove and reinstall the ossec >> server, unless you plan to do the same for all agents. >> >> Just a heads up, please refrain from using the same agent key between >> multiple agents, or the same agent key after you removed/re-installed an >> agent…. >> >> >> Reference: >> http://ossec-docs.readthedocs.io/en/latest/faq/unexpected.html#fixing-duplicate-errors >> >> >> Regards >> ----------------------- >> Jose Luis Ruiz >> Wazuh Inc. >> [email protected] >> >> On July 20, 2016 at 11:54:41 AM, eyal gershon ([email protected]) >> wrote: >> >> Hey Everyone, >> >> I am noticing some irregular activity in some of my OSSEC agents - >> >> *A little bit about the system - * >> >> My Deployment is on 2000~ servers managed from dedicated ossec manager. >> I currently have 1600~ agents connected on a full basis and 400~ servers >> who connect and disconnect all the time. >> >> All the ports are opened (confirmation with NC and telnet) >> >> On my management server I see the following error in the logs - >> >> 2016/07/20 05:33:49 ossec-remoted(1407): ERROR: Duplicated counter for >> '**************'. >> 2016/07/20 05:33:55 ossec-remoted: WARN: Duplicate error: global: >> >> >> I checked the /var/ossec/queue/rids and made sure there is only a single >> entry in there and that entry is the same on both host and Management. >> I made a double check and also compared client.keys on both servers,Same >> Key and same Entry on both servers. >> >> >> I did a key exchange manually between both servers just to make sure >> Nothing was wrong in that section. >> Same error. >> >> >> Does anyone have an idea on how to continue? >> -- >> >> --- >> You received this message because you are subscribed to the Google Groups >> "ossec-list" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to [email protected]. >> For more options, visit https://groups.google.com/d/optout. >> >> > -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > For more options, visit https://groups.google.com/d/optout. > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
