For sure that ACK "HC_STARTUP" is not reaching the agent and that is why it does not connect. So the manager is sending the startup and it has connectivity with the agent host but not with the agent software.
Confirm if the agent is listening at the right port, also you can use "strace" at agentd binary and inspect kernel calls to see what is happening, it will be something like: $ strace -ff -o log -s 20000 -p XXXX > where XXXX is the pid from ossec-agentd > and then > $ tail -f log.XXXX | grep IP_MANAGER Regards, Pedro S. On Wed, Oct 26, 2016 at 1:45 PM, Topper Bowers <[email protected]> wrote: > Thanks for the reply! I will try the counter thing right now. The manager > has this in the logs: > > DEBUG: Agent my-hostname sent HC_STARTUP from xx.xx.xx.xx > > So... I think that means it is receiving it on the right port. > > I've tried redoing agent-auth a few times on that host now. I've also > reinstalled ossec-agent once. > > On Wednesday, October 26, 2016 at 1:06:11 PM UTC+2, Pedro S wrote: >> >> Seems like the agent is waiting for the ACK (HC_ACK) control message but >> it is not receiving it (start_agent.c >> <https://github.com/wazuh/ossec-wazuh/blob/cb5c736b1ea053b5ccff888286460c93f99003ab/src/client-agent/start_agent.c#L229>), >> few things you can try: >> >> - Disable counters on both sides, manager and agent (internal_options: r >> emoted.verify_msg_id=0) >> - I can see how you are using a non default port 4214, verify it is UDP >> and Manager is listening to that port and agent is sending to that port. >> - Verify/add/generate a new key for the Agent. >> >> >> Regards, >> >> snaow. >> >> On Wed, Oct 26, 2016 at 11:59 AM, Topper Bowers <[email protected]> >> wrote: >> >>> Hello all, >>> >>> I'm using ossec 2.8.3 from wazzuh and I can't seem to get the agents to >>> talk to the host. It is exactly as described here: >>> https://botbot.me/freenode/ossec/2016-07-21/?msg=70001778&page=1. >>> >>> I've also put both the agent and the master into debug mode. I've also >>> run tcpdump on both the agent and the master... I see traffic flowing from >>> the agent to the master and I see the master responding to the agent... but >>> the agent just consistently says: >>> >>> 2016/10/26 09:56:24 ossec-agentd: INFO: Trying to connect to server >>> (X.X.X.X:4214). >>> >>> 2016/10/26 09:56:24 ossec-agentd: INFO: Using IPv4 for: X.X.X.X . >>> >>> 2016/10/26 09:56:45 ossec-agentd(1234): WARN: Waiting for server reply >>> (not started). Tried: 'X.X.X.X'. >>> >>> >>> (I removed IP address) >>> >>> -- >>> >>> --- >>> You received this message because you are subscribed to the Google >>> Groups "ossec-list" group. >>> To unsubscribe from this group and stop receiving emails from it, send >>> an email to [email protected]. >>> For more options, visit https://groups.google.com/d/optout. >>> >> >> -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > For more options, visit https://groups.google.com/d/optout. > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
