Dan/Jeff - thanks for the quick response! I know this sounds like a rookie problem, but I have run out of debugging tools:
In summary:

1) The problem is with clients from other subnets.
2) I DO have connectivity via udp1514 *bi-directionally* (confirmed by nc) - I don't think any other ports are required for basic client/server communication. Let me know if otherwise.
3) I've extracted/added keys manually.
4) I've iptables turned off (have connectivity, but nonetheless).
5) The only errors I see in the logs - client side - are 'waiting for server to reply (not started).'
6) No errors on server side - nothing revealed with debug on that was of any use.
7) bin/agent-control lists all the clients as Never Connected (except the one on same subnet/VPC).

So, strange... I have a server & around 15 clients working in another AWS account - same chef cookbook. Any idea how to see what's going on? I'm running out of tools to debug this.

Jim.

The client side ossec-control doesn't take the enable debug option. Adding the debug flag

On Wednesday, September 27, 2017 at 08:44:42 UTC-4, dan (ddpbsd) wrote:

> On Tue, Sep 26, 2017 at 12:41 PM, James Stallard <jamess...@gmail.com> wrote:
> > Help anyone:
> > OK, I'm at a loss
> > Running version:
> > # ./ossec-analysisd -V
> > OSSEC HIDS v2.8 - Trend Micro Inc.
> > CentOS release 6.7 (Final)
> > On AWS
> >
> > I've distributed the keys by hand via manage_agents
> > and confirmed there is UDP connectivity from agent to server & back:
> >
> > Connection to aaa.zz.yy.xx 1514 port [udp/fujitsu-dtcns] succeeded!
> >
> > Yet I am still getting:: WARN: Waiting for server reply (not started). Tried: 'aaa.zz.yy.xx'
> > The IP@ and port # on the agent is correct (in ossec.conf *and* in ossec.log)
> >
> > I do have one agent that connects - it's on the same VPC as the server, so I
> > suspect a connectivity issue, but I can connect (at least via nc) so I don't
> > get it.
> >
> > I also don't see anything in the logs that indicates a configuration error -
> > including with the debug flag set.
> >
> > Any suggestions on debugging this one?
> >
>
> Enable debugging on the manager (`/var/ossec/bin/ossec-control enable debug && /var/ossec/bin/ossec-control restart`).
> Watch ossec.log to see if it complains.
> Make sure there are no firewalls blocking the traffic.