Thanks! Ok... so I turned off the counters and I get the same problem... agent doesn't see response from manager. This time on the agent, I turned on tcpdump:
```
tcpdump -n src host <managerip> and dst portrange 4501-65000
```
Then when I received a reply from the manager, I immediately did an lsof -i :<portfromtcpdump>. Through that I confirmed that the agent was actually listening on the port with an output like:
```
[root@host ~]# lsof -i :60884
COMMAND   PID USER  FD  TYPE    DEVICE SIZE/OFF NODE NAME
ossec-age pi  ossec 7u  IPv4 627449120      0t0  UDP ip-man-ip-addr-ad.ec2.internal:60884->ip-this-host-ip-address.ec2.internal:fujitsu-dtcns
```
When I did the strace the grep of IP_MANAGER produced no results... but looking through the strace output I see some...
```
recvfrom(7, 0x7fffecdd6850, 6144, 64, 0, 0) = -1 EAGAIN (Resource temporarily unavailable)
```
There's a sendto right before that, but it's binary and I'm unsure of how sensitive that is to put on a mailing list.

Topper

On Wednesday, October 26, 2016 at 2:10:24 PM UTC+2, Pedro S wrote:
>
> For sure that ACK "HC_STARTUP" is not reaching the agent and that is why it does not connect.
> So the manager is sending the startup and it has connectivity with the agent host but not with the agent software.
>
> Confirm if the agent is listening at the right port, also you can use "strace" at agentd binary and inspect kernel calls to see what is happening, it will be something like:
>
> $ strace -ff -o log -s 20000 -p XXXX
> where XXXX is the pid from ossec-agentd
> and then
> $ tail -f log.XXXX | grep IP_MANAGER
>
> Regards,
>
> Pedro S.
>
> On Wed, Oct 26, 2016 at 1:45 PM, Topper Bowers <[email protected]> wrote:
>
>> Thanks for the reply! I will try the counter thing right now. The manager has this in the logs:
>>
>> DEBUG: Agent my-hostname sent HC_STARTUP from xx.xx.xx.xx
>>
>> So... I think that means it is receiving it on the right port.
>>
>> I've tried redoing agent-auth a few times on that host now. I've also reinstalled ossec-agent once.
>>
>> On Wednesday, October 26, 2016 at 1:06:11 PM UTC+2, Pedro S wrote:
>>>
>>> Seems like the agent is waiting for the ACK (HC_ACK) control message but it is not receiving it (start_agent.c <https://github.com/wazuh/ossec-wazuh/blob/cb5c736b1ea053b5ccff888286460c93f99003ab/src/client-agent/start_agent.c#L229>),
>>>
>>> few things you can try:
>>>
>>> - Disable counters on both sides, manager and agent (internal_options: remoted.verify_msg_id=0)
>>> - I can see how you are using a non default port 4214, verify it is UDP and Manager is listening to that port and agent is sending to that port.
>>> - Verify/add/generate a new key for the Agent.
>>>
>>> Regards,
>>>
>>> snaow.
>>>
>>> On Wed, Oct 26, 2016 at 11:59 AM, Topper Bowers <[email protected]> wrote:
>>>
>>>> Hello all,
>>>>
>>>> I'm using ossec 2.8.3 from Wazuh and I can't seem to get the agents to talk to the host. It is exactly as described here:
>>>> https://botbot.me/freenode/ossec/2016-07-21/?msg=70001778&page=1.
>>>>
>>>> I've also put both the agent and the master into debug mode. I've also run tcpdump on both the agent and the master... I see traffic flowing from the agent to the master and I see the master responding to the agent... but the agent just consistently says:
>>>>
>>>> 2016/10/26 09:56:24 ossec-agentd: INFO: Trying to connect to server (X.X.X.X:4214).
>>>> 2016/10/26 09:56:24 ossec-agentd: INFO: Using IPv4 for: X.X.X.X .
>>>> 2016/10/26 09:56:45 ossec-agentd(1234): WARN: Waiting for server reply (not started). Tried: 'X.X.X.X'.
>>>>
>>>> (I removed IP address)
>>>>
>>>> --
>>>> You received this message because you are subscribed to the Google Groups "ossec-list" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>>>> For more options, visit https://groups.google.com/d/optout.
