Hi Abhi.

OSSEC counters were designed to avoid a repetition attack and consists on 
numbering messages from agents and manager. The manager has a file "
/var/ossec/queue/rids/sender_counter" where stores its own counter. Just as 
the server checks the agent counter, the agent also checks the manager 
counter. Every machine (agents and manager) only accepts a message if its 
counter is greater than the stored number.

In this case, if you migrated your manager but you didn't copy the rids 
folder, the following occurred:

   - Since the agents' counters didn't exist, the manager expected a 
   message numbered from 0. If it received the number "1000" (for example), it 
   toke it as correct and updated the agent's counter file.
   - But agents kept the manager's counter (for example, 500). The manager 
   started to number its own messages from 0. When it tried to send the 
   connection confirmation message to the agent, this one rejected the message 
   because the counter was lower than the stored counter. If you'd do nothing, 
   some later time the manager would reach the counter 500 and could connect 
   with agents.

I recommend you copy the file "/var/ossec/queue/rids/sender_counter" from 
the manager to a new instance the next time you migrate a server. On the 
other hand, you can also delete the agents' counter folder.

Kind regards.

Victor Fernandez.

On Thursday, September 15, 2016 at 9:08:46 PM UTC+2, Abhi wrote:
> Hi,
> We recently migrated one of our OSSEC instance to a new server. We are 
> using Linux(CentOS) as the platform. Post migration, we noticed that none 
> of the agents were connected to the server and agents had the following 
> error in the logs:
> 2016/09/15 09:05:56 ossec-agentd: INFO: Trying to connect to server 
> (X.X.X.X:1514).
> 2016/09/15 09:05:56 ossec-agentd: INFO: Using IPv4 for: X.X.X.X .
> 2016/09/15 09:05:57 ossec-agentd(1214): WARN: Problem receiving message 
> from X.X.X.X.
> 2016/09/15 09:06:06 ossec-agentd(1214): WARN: Problem receiving message 
> from X.X.X.X
> We were able to fix this by removing the files under /var/ossec/queue/rids 
> ( on the agent ), corresponding agent file on server then doing the 
> restarts. Agent immediately connected after this, but I wanted to know 
> which steps could have caused this to happen? There are 2 agents which did 
> connect by themselves without needing the fix, but it took few hours. 
> Others are still in the error state and most likely will require the manual 
> correction.
> Entire directory structure was copied as it is from the old server, 
> followed by OSSEC install over those files by choosing upgrade option. The 
> content and permissions on these RIDS files were not changed during the 
> copy and IP address for the server is the same.
> It would be good to know what goes on between agent-server as far as these 
> counters are concerned and if there is a way to avoid this manual fix?
> Many Thanks,
> ~ Abhi


You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Reply via email to