Pedro,

Maybe I spoke too soon. It worked for most of the agents, but I have a few stubborn ones having the same issues. I tried the steps you outlined earlier that worked on the other agents, but not on these. Any other ideas for something I could be missing?

Thanks again!

On Wednesday, August 3, 2016 at 1:48:40 PM UTC-4, Cal wrote:
> Pedro,
>
> Awesome! Your method worked flawlessly. Thanks!
>
> Cal
>
> On Tuesday, August 2, 2016 at 8:51:59 PM UTC-4, Pedro S wrote:
>> Hi Cal,
>>
>> Try disabling counters. They lose synchronisation especially when agents are reinstalled.
>> Edit /var/ossec/etc/internal_options.conf and set "remoted.verify_msg_id=0", both agent & manager.
>>
>> Enable debug mode on both hosts, open internal_options and set debug to level 2 (especially in remoted.debug variable).
>>
>> Sometimes the problem could be related with NAT, try adding the agent with "any" option and test if it works (use manage_agent and when prompting for IP enter "any").
>>
>> Open etc/client.keys on OSSEC Manager (be careful! this file is critical) and remove duplicated entries, the agent will fail to connect if there is more than one entry with the same IP.
>>
>> Hope it helps,
>>
>> best regards,
>>
>> Pedro S.
>>
>> On Tuesday, August 2, 2016 at 2:08:14 PM UTC-7, Cal wrote:
>>> Hi all,
>>>
>>> Been debugging an issue for a few hours, thought I'd ask for another opinion.
>>>
>>> The situation:
>>> I have an OSSEC server with approximately 70 agents connected and 15 or so that won't connect.
>>>
>>> Tested so far:
>>> Tcpdump shows UDP packets from both OSSEC agents and server (running on non-standard port 1520)
>>> Traceroute from agent to server and other direction, no problem
>>> Can ping the server from agent
>>> Can ping the agent from server
>>>
>>> Ex:
>>> server:
>>> 15:51:00.135367 IP 172.28.156.XX.60625 > 172.28.29.XX.1520: UDP, length 73
>>>
>>> agent:
>>> 15:51:00.135916 IP 172.28.156.XX.60625 > 172.28.29.XX.1520: UDP, length 73
>>>
>>> I've tried re-adding the keys to agents several times. Enabled debugging on server, but only noted logs are from the agent:
>>> 2016/08/02 15:56:39 ossec-agentd: INFO: Trying to connect to server (172.28.29.XX:1520).
>>> 2016/08/02 15:56:39 ossec-agentd: INFO: Using IPv4 for: 172.28.29.XX
>>>
>>> Any ideas where to look next? I've also tried removing the agents, re-adding, re-installing, etc.
>>>
>>> Thank you!
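
Added example (not part of the original thread, and not OSSEC's own tooling): a read-only check for the duplicate-IP condition in client.keys that Pedro's reply describes. It assumes each line has the form `ID NAME IP KEY` separated by whitespace and skips entries whose IP is `any`; the function names and the sample entries are constructed.

```shell
#!/bin/sh
# Report IP addresses that appear on more than one client.keys entry.
# Assumption: each line is "ID NAME IP KEY", whitespace separated.
# Entries registered with IP "any" are skipped, since several agents
# may legitimately share that value.
# Output: one line per duplicated IP, "IP id1,id2,...", sorted by IP.
dup_agent_ips() {
    # Reads the file given as $1, or stdin when no argument is passed.
    awk '
        NF >= 4 && $3 != "any" {
            count[$3]++
            ids[$3] = ids[$3] (ids[$3] == "" ? "" : ",") $1
        }
        END {
            for (ip in count)
                if (count[ip] > 1)
                    print ip " " ids[ip]
        }
    ' "${1:--}" | sort
}

# Constructed sample data (not real keys): 172.28.156.10 is listed twice,
# as can happen after an agent is reinstalled and re-added.
sample_keys() {
    cat <<'EOF'
001 web01 172.28.156.10 CONSTRUCTEDKEY0001
002 db01 172.28.156.11 CONSTRUCTEDKEY0002
003 web01-reinstall 172.28.156.10 CONSTRUCTEDKEY0003
004 laptop-a any CONSTRUCTEDKEY0004
005 laptop-b any CONSTRUCTEDKEY0005
EOF
}

# Demo on the constructed sample; on a manager, pass the path to
# etc/client.keys under the OSSEC install directory instead.
sample_keys | dup_agent_ips
```

The function only reads the file, so it is safe to run before deciding which entry to remove with the manager's own tools.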
