OSSEC counters were designed to avoid a replay attack and consist of
numbering messages from agents and manager. The manager has a file
"/var/ossec/queue/rids/sender_counter" where it stores its own counter. Just as
the server checks the agent counter, the agent also checks the manager
counter. Every machine (agents and manager) only accepts a message if its
counter is greater than the stored number.
In this case, if you migrated your manager but you didn't copy the rids
folder, the following occurred:
- Since the agents' counters didn't exist, the manager expected a
message numbered from 0. If it received the number "1000" (for example), it
took it as correct and updated the agent's counter file.
- But agents kept the manager's counter (for example, 500). The manager
started to number its own messages from 0. When it tried to send the
connection confirmation message to the agent, the agent rejected the message
because the counter was lower than the stored counter. If you did nothing,
at some later time the manager would reach counter 500 and could connect.
I recommend you copy the file "/var/ossec/queue/rids/sender_counter" from
the manager to a new instance the next time you migrate a server. On the
other hand, you can also delete the agents' counter folder.
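The counter check described above, as an added example that is not OSSEC's own code: a constructed model of the per-peer counters, reproducing the migration failure (manager loses its rids, agents keep theirs) and both suggested fixes. The counter values 500 and 1000 are the thread's illustrative numbers, not real files.

```python
# Added example (not OSSEC's own code): a constructed model of the replay
# counters. Each side accepts a message only when its counter is greater
# than the last one stored for that peer; a missing rids file counts as 0.

class Node:
    def __init__(self, name, own_counter=0, peer_counters=None):
        self.name = name
        self.own_counter = own_counter           # manager: queue/rids/sender_counter
        self.peer_counters = dict(peer_counters or {})  # peer -> last accepted

    def send(self):
        """Number the next outgoing message."""
        self.own_counter += 1
        return self.own_counter

    def receive(self, peer, counter):
        """Accept only if counter exceeds the stored value, then update it."""
        stored = self.peer_counters.get(peer, 0)  # no rids file: expect from 0
        if counter <= stored:
            return False                          # replayed or stale sender
        self.peer_counters[peer] = counter
        return True


def handshake(manager, agent):
    """One agent->manager message, then the manager's reply to the agent."""
    agent_ok = manager.receive(agent.name, agent.send())
    manager_ok = agent.receive(manager.name, manager.send())
    return agent_ok, manager_ok


def migrated_manager(copy_sender_counter=False, wipe_agent_rids=False):
    """Thread scenario (constructed values): the agent has sent 1000 messages
    and stored the old manager's counter as 500; the new manager starts at 0."""
    old_manager_counter = 500
    manager = Node("manager",
                   own_counter=old_manager_counter if copy_sender_counter else 0)
    agent = Node("agent001", own_counter=1000,
                 peer_counters={} if wipe_agent_rids
                 else {"manager": old_manager_counter})
    return handshake(manager, agent)


def attempts_until_accepted(stored=500):
    """Doing nothing: how many manager messages until its counter passes
    the value the agent still has stored."""
    manager = Node("manager")
    agent = Node("agent001", peer_counters={"manager": stored})
    attempts = 1
    while not agent.receive("manager", manager.send()):
        attempts += 1
    return attempts
```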
On Thursday, September 15, 2016 at 9:08:46 PM UTC+2, Abhi wrote:
> We recently migrated one of our OSSEC instances to a new server. We are
> using Linux (CentOS) as the platform. Post migration, we noticed that none
> of the agents were connected to the server and agents had the following
> error in the logs:
> 2016/09/15 09:05:56 ossec-agentd: INFO: Trying to connect to server
> 2016/09/15 09:05:56 ossec-agentd: INFO: Using IPv4 for: X.X.X.X .
> 2016/09/15 09:05:57 ossec-agentd(1214): WARN: Problem receiving message
> from X.X.X.X.
> 2016/09/15 09:06:06 ossec-agentd(1214): WARN: Problem receiving message
> from X.X.X.X
> We were able to fix this by removing the files under /var/ossec/queue/rids
> ( on the agent ), corresponding agent file on server then doing the
> restarts. Agent immediately connected after this, but I wanted to know
> which steps could have caused this to happen? There are 2 agents which did
> connect by themselves without needing the fix, but it took a few hours.
> Others are still in the error state and most likely will require the manual
> Entire directory structure was copied as it is from the old server,
> followed by OSSEC install over those files by choosing upgrade option. The
> content and permissions on these RIDS files were not changed during the
> copy and IP address for the server is the same.
> It would be good to know what goes on between agent-server as far as these
> counters are concerned and if there is a way to avoid this manual fix?
> Many Thanks,
> ~ Abhi