On Wed, Feb 8, 2017 at 7:36 AM, Quintin Beukes <[email protected]> wrote:
> Hi group,
>
> I'm trying to debug why my agents are always showing disconnected. They
> would work for a bit, and then randomly stop working. Some agents will
> disconnect permanently, some intermittently switch between
> connected/disconnected. Any advice on how to increase logging verbosity or
> why my agents are not working properly?
>
> I enabled debugging which had no increase in logging verbosity. I did so by
> editing internal_options.conf and setting
> on server: remoted.debug=2, run "/var/ossec/bin/ossec-control enable debug"
> and restart service
> on agent: agent.debug=2, and restart service
>
> This is happening with many agents both outside and inside the OSSEC subnet.
> I disabled both iptables firewalls for this test.
>
> Server IP: 10.10.12.171
> Agent IP: 10.10.12.170
>
> Server uname: Linux 2.6.32-642.13.1.el6.x86_64 #1 SMP Wed Jan 11 20:56:24 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
> Agent uname: Linux 2.6.32-642.13.1.el6.x86_64 #1 SMP Wed Jan 11 20:56:24 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
>
> My agent always shows disconnected:
> ID: 003, Name: safetynet1, IP: 10.10.12.170, Disconnected
>
> The ossec server log doesn't show anything related.
>
> The ossec agent log just repeatedly shows:
> -------------
> 2017/02/08 12:20:29 ossec-agentd: INFO: Trying to connect to server ossec.jeoffice, port 1514.
> 2017/02/08 12:20:29 INFO: Connected to ossec.jeoffice at address 10.10.12.171, port 1514
> 2017/02/08 12:20:50 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: 'ossec.jeoffice'.
> -------------
>
> Content of server /etc/ossec-init.conf
> -------------
> DIRECTORY="/var/ossec"
> VERSION="2.9.0"
> DATE="Wed Jan 25 09:55:39 EST 2017"
> TYPE="server"
> -------------
>
> Content of server /etc/ossec-init.conf
> -------------
> DIRECTORY="/var/ossec"
> VERSION="2.9.0"
> DATE="Wed Jan 25 09:55:39 EST 2017"
> TYPE="agent"
> -------------
>
> A server tcpdump shows:
> -------------
> 14:14:54.281902 IP 10.10.12.170.50637 > 10.10.12.171.1514: UDP, length 73
> 14:14:59.280963 ARP, Request who-has 10.10.12.171 tell 10.10.12.170, length 28
> 14:14:59.280987 ARP, Reply 10.10.12.171 is-at f2:1e:73:71:3e:c8, length 28
> 14:15:00.282405 IP 10.10.12.170.50637 > 10.10.12.171.1514: UDP, length 73
> 14:15:04.282833 IP 10.10.12.170.50637 > 10.10.12.171.1514: UDP, length 73
> 14:15:09.283445 IP 10.10.12.170.50637 > 10.10.12.171.1514: UDP, length 73
> 14:15:15.284415 IP 10.10.12.170.50637 > 10.10.12.171.1514: UDP, length 73
> 14:15:32.803559 IP 10.10.12.171.1514 > 10.10.12.170.50637: UDP, length 73
> -------------
>
> An agent dump shows:
> -------------
> 14:14:54.280480 IP 10.10.12.170.50637 > 10.10.12.171.1514: UDP, length 73
> 14:15:00.281305 IP 10.10.12.170.50637 > 10.10.12.171.1514: UDP, length 73
> 14:15:04.281914 IP 10.10.12.170.50637 > 10.10.12.171.1514: UDP, length 73
> 14:15:09.282433 IP 10.10.12.170.50637 > 10.10.12.171.1514: UDP, length 73
> 14:15:15.283291 IP 10.10.12.170.50637 > 10.10.12.171.1514: UDP, length 73
> 14:15:32.803186 IP 10.10.12.171.1514 > 10.10.12.170.50637: UDP, length 73
> -------------
>
So it looks like there is some communication, and if nothing about that agent shows up in the ossec server's ossec.log I'd think that things are working.

Check the permissions of `/var/ossec/queue/agent-info/safetynet1-10.10.12.170`

My agents' info files are:
-rw-r--r-- 1 ossecr ossec 137 Feb 8 13:45 buzzell-192.168.17.8
-rw-r--r-- 1 ossecr ossec 105 Feb 8 13:42 ipyr-172.16.17.10
-rw-r--r-- 1 ossecr ossec 107 Feb 8 13:43 junction-192.168.17.17

> Quintin
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
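A small check for the agent-info files the reply points at, as an added example and not code from either poster: it reports every file in the agent-info directory whose owner or mode differs from the listing above (ossecr:ossec, 644) or that the server has not written recently. The expected owner, mode and the MAX_AGE_SECS freshness threshold are assumed defaults, not values from the thread, and can be overridden through the environment.

```sh
#!/bin/sh
# Check the OSSEC agent-info files on the server for ownership, mode and freshness.
# Assumed defaults (the thread only shows the listing): owner ossecr:ossec, mode 644;
# MAX_AGE_SECS is an assumed freshness threshold, tune it to your setup.
AGENT_INFO_DIR="${AGENT_INFO_DIR:-/var/ossec/queue/agent-info}"
EXPECTED_OWNER="${EXPECTED_OWNER:-ossecr:ossec}"
EXPECTED_MODE="${EXPECTED_MODE:-644}"
MAX_AGE_SECS="${MAX_AGE_SECS:-1800}"

# check_agent_info FILE: prints one line per finding.
# Returns 0 when owner, mode and age are as expected, 1 on any mismatch, 2 if missing.
check_agent_info() {
    f="$1"
    rc=0
    if [ ! -f "$f" ]; then
        echo "MISSING: $f (agent never checked in, or name/IP differ from its key)"
        return 2
    fi
    # GNU stat, as on the CentOS 6 hosts in the thread: owner, octal mode, mtime epoch
    owner=$(stat -c '%U:%G' "$f")
    mode=$(stat -c '%a' "$f")
    age=$(( $(date +%s) - $(stat -c '%Y' "$f") ))
    if [ "$owner" != "$EXPECTED_OWNER" ]; then
        echo "OWNER: $f is $owner, expected $EXPECTED_OWNER"
        rc=1
    fi
    if [ "$mode" != "$EXPECTED_MODE" ]; then
        echo "MODE: $f is $mode, expected $EXPECTED_MODE"
        rc=1
    fi
    if [ "$age" -gt "$MAX_AGE_SECS" ]; then
        echo "STALE: $f last written ${age}s ago (limit ${MAX_AGE_SECS}s)"
        rc=1
    fi
    return $rc
}

# check_all_agents: runs check_agent_info over every file in AGENT_INFO_DIR.
# Returns 0 if all pass, 1 if any fail, 2 if the directory holds no files.
check_all_agents() {
    failed=0
    for f in "$AGENT_INFO_DIR"/*; do
        [ -e "$f" ] || { echo "no agent-info files in $AGENT_INFO_DIR"; return 2; }
        check_agent_info "$f" || failed=1
    done
    return $failed
}

if [ "${1:-}" = "run" ]; then check_all_agents; fi  # usage: sh check-agent-info.sh run
```

Run it as root on the OSSEC server so stat can read every file; a STALE or OWNER line for safetynet1-10.10.12.170 narrows the problem to the server side.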
