Hi,

We recently migrated one of our OSSEC instances to a new server. We are
using Linux (CentOS) as the platform. Post migration, we noticed that none
of the agents were connected to the server and the agents had the following
error in the logs:

2016/09/15 09:05:56 ossec-agentd: INFO: Trying to connect to server (X.X.X.X:1514).
2016/09/15 09:05:56 ossec-agentd: INFO: Using IPv4 for: X.X.X.X .
2016/09/15 09:05:57 ossec-agentd(1214): WARN: Problem receiving message from X.X.X.X.
2016/09/15 09:06:06 ossec-agentd(1214): WARN: Problem receiving message from X.X.X.X

We were able to fix this by removing the files under /var/ossec/queue/rids
(on the agent) and the corresponding agent file on the server, then doing the
restarts. The agent immediately connected after this, but I wanted to know
which steps could have caused this to happen? There are 2 agents which did
connect by themselves without needing the fix, but it took a few hours.
Others are still in the error state and most likely will require the manual
correction.

The entire directory structure was copied as is from the old server,
followed by an OSSEC install over those files by choosing the upgrade option.
The content and permissions on these RIDS files were not changed during the
copy and the IP address for the server is the same.

It would be good to know what goes on between the agent and the server as far
as these counters are concerned and if there is a way to avoid this manual fix?

Many Thanks,

~ Abhi
