I have enabled the debug logging as you described, and additionally set
remoted.debug=2 and logcollector.debug=2 in internal_options.conf (was the
latter even necessary?).

I'll monitor the agents and report back here.

Quintin

On Wed, Jul 20, 2016 at 1:55 PM dan (ddp) <[email protected]> wrote:

> On Tue, Jul 19, 2016 at 10:19 AM, Quintin Beukes <[email protected]>
> wrote:
> > The logs on the agent show this:
> > 2016/07/19 16:18:27 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: 'ossec.jeoffice/10.10.12.171'.
> > 2016/07/19 16:18:29 ossec-agentd: INFO: Trying to connect to server (ossec.jeoffice/10.10.12.171:1514).
> > 2016/07/19 16:18:29 ossec-agentd: INFO: Using IPv4 for: 10.10.12.171 .
> > 2016/07/19 16:18:44 ossec-logcollector: WARN: Process locked. Waiting for permission...
> >
>
> Try turning on debug on the manager (`/var/ossec/bin/ossec-control
> enable debug && /var/ossec/bin/ossec-control restart`)
>
> > Quintin
> >
> > On Tue, Jul 19, 2016 at 4:13 PM Quintin Beukes <[email protected]>
> > wrote:
> >>
> >> Hi,
> >>
> >> A few days ago some of my OSSEC agents started going offline and stopped
> >> sending alerts, and then a long while after come back online again like
> >> nothing's wrong. Restarting the agents doesn't help fix the offline status.
> >> This affects both agents running through a router/firewall to reach the
> >> server, and agents running in the same subnet as the server.
> >>
> >> I removed all iptables filters and did a tcpdump on both offline and
> >> online agents, but couldn't notice anything out of the ordinary.
> >>
> >> Here are packets from an offline agent showing successful traffic from
> >> server to client and vice versa, as well as some curious port unreachable
> >> errors. Even though there is traffic, the agent shows as offline and no
> >> alerts are generated for events on this agent.
> >>
> >> OSSEC Server IP: 10.10.12.171
> >> Agent IP: 10.10.13.8
> >>
> >> agent_control -l:
> >>    ID: 019, Name: devjerm1, IP: 10.10.13.8, Disconnected
> >>
> >> tcpdump:
> >> 15:47:36.515777 IP 10.10.13.8 > 10.10.12.171: ICMP 10.10.13.8 udp port 58989 unreachable, length 109
> >> 15:47:36.517646 IP 10.10.13.8.49382 > 10.10.12.171.1514: UDP, length 73
> >> 15:47:40.526516 IP 10.10.12.171.1514 > 10.10.13.8.58989: UDP, length 73
> >> 15:47:40.526567 IP 10.10.13.8 > 10.10.12.171: ICMP 10.10.13.8 udp port 58989 unreachable, length 109
> >> 15:47:41.518182 IP 10.10.13.8.49382 > 10.10.12.171.1514: UDP, length 73
> >> 15:47:47.518732 IP 10.10.13.8.49382 > 10.10.12.171.1514: UDP, length 73
> >> 15:47:59.581518 IP 10.10.12.171.1514 > 10.10.13.8.49382: UDP, length 73
> >> 15:48:07.897110 IP 10.10.12.171.1514 > 10.10.13.8.49382: UDP, length 73
> >> 15:48:14.725335 IP 10.10.12.171.1514 > 10.10.13.8.49382: UDP, length 73
> >> 15:48:19.395627 IP 10.10.12.171.1514 > 10.10.13.8.49382: UDP, length 73
> >> 15:48:25.521404 IP 10.10.13.8.59490 > 10.10.12.171.1514: UDP, length 73
> >> 15:48:31.522261 IP 10.10.13.8.59490 > 10.10.12.171.1514: UDP, length 73
> >> 15:48:35.522794 IP 10.10.13.8.59490 > 10.10.12.171.1514: UDP, length 73
> >>
> >> Any insights are appreciated.
> >>
> >> Quintin
> >>
> >> --
> >>
> >> ---
> >> You received this message because you are subscribed to the Google
> Groups
> >> "ossec-list" group.
> >> To unsubscribe from this group and stop receiving emails from it, send
> an
> >> email to [email protected].
> >> For more options, visit https://groups.google.com/d/optout.
> >
>
>
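
An added example, not part of the original thread: a short Python summary of the tcpdump lines quoted above, counting which source ports the agent sent from, which ports the manager replied to, and which ports drew ICMP port-unreachable errors. The function name `summarize` and its `server_port` default (1514, as seen in the capture) are this example's own choices.

```python
import re
from collections import Counter

# The tcpdump lines quoted in the thread, with the mail line wraps rejoined.
CAPTURE = """\
15:47:36.515777 IP 10.10.13.8 > 10.10.12.171: ICMP 10.10.13.8 udp port 58989 unreachable, length 109
15:47:36.517646 IP 10.10.13.8.49382 > 10.10.12.171.1514: UDP, length 73
15:47:40.526516 IP 10.10.12.171.1514 > 10.10.13.8.58989: UDP, length 73
15:47:40.526567 IP 10.10.13.8 > 10.10.12.171: ICMP 10.10.13.8 udp port 58989 unreachable, length 109
15:47:41.518182 IP 10.10.13.8.49382 > 10.10.12.171.1514: UDP, length 73
15:47:47.518732 IP 10.10.13.8.49382 > 10.10.12.171.1514: UDP, length 73
15:47:59.581518 IP 10.10.12.171.1514 > 10.10.13.8.49382: UDP, length 73
15:48:07.897110 IP 10.10.12.171.1514 > 10.10.13.8.49382: UDP, length 73
15:48:14.725335 IP 10.10.12.171.1514 > 10.10.13.8.49382: UDP, length 73
15:48:19.395627 IP 10.10.12.171.1514 > 10.10.13.8.49382: UDP, length 73
15:48:25.521404 IP 10.10.13.8.59490 > 10.10.12.171.1514: UDP, length 73
15:48:31.522261 IP 10.10.13.8.59490 > 10.10.12.171.1514: UDP, length 73
15:48:35.522794 IP 10.10.13.8.59490 > 10.10.12.171.1514: UDP, length 73
"""

# tcpdump prints UDP endpoints as "ip.port" and ICMP endpoints as bare IPs.
UDP = re.compile(r"\S+ IP ([\d.]+)\.(\d+) > ([\d.]+)\.(\d+): UDP, length \d+")
ICMP = re.compile(r"\S+ IP ([\d.]+) > ([\d.]+): ICMP \S+ udp port (\d+) unreachable")

def summarize(capture, server, agent, server_port=1514):
    """Count agent source ports, manager reply ports and ICMP-rejected ports."""
    sent_from, replied_to, rejected = Counter(), Counter(), Counter()
    for line in capture.splitlines():
        if m := UDP.match(line):
            src, sport, dst, dport = m[1], int(m[2]), m[3], int(m[4])
            if (src, dst, dport) == (agent, server, server_port):
                sent_from[sport] += 1      # agent -> manager
            elif (src, sport, dst) == (server, server_port, agent):
                replied_to[dport] += 1     # manager -> agent
        elif m := ICMP.match(line):
            if (m[1], m[2]) == (agent, server):
                rejected[int(m[3])] += 1   # agent host refused this UDP port
    # Ports the manager addressed that the agent never sent from in this capture.
    unmatched = sorted(set(replied_to) - set(sent_from))
    return {"sent_from": dict(sent_from), "replied_to": dict(replied_to),
            "rejected": dict(rejected), "unmatched_reply_ports": unmatched}

if __name__ == "__main__":
    for key, value in summarize(CAPTURE, "10.10.12.171", "10.10.13.8").items():
        print(f"{key}: {value}")
```

On this capture the only port the manager addressed that the agent did not send from is 58989, which is also the port named in both ICMP errors.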
