I found a solution:


OSSEC agents and the server keep a counter of each message sent and received in 
files in .../ossec/queue/rids. This is a technique to prevent replay 
attacks. If the counters between agent and server don’t match, you’ll see 
errors like this in the agent's ossec.log file:


2019/02/25 04:27:04 ossec-remoted: WARN: Duplicate error: global: 8, local: 7173, saved global: 8, saved local:7174
2019/02/25 04:27:04 ossec-remoted(1407): ERROR: Duplicated counter for 'XXXXXXXXXXX'.
2019/02/25 05:03:27 ossec-remoted: WARN: Duplicate error: global: 63, local: 1834, saved global: 63, saved local:1835
2019/02/25 05:03:27 ossec-remoted(1407): ERROR: Duplicated counter for 'XXXXXXXXXXXXXX'.
2019/02/25 05:34:45 ossec-syscheckd: INFO: Starting syscheck scan.
2019/02/25 05:45:40 ossec-syscheckd: INFO: Ending syscheck scan.
2019/02/25 09:29:15 ossec-remoted: WARN: Duplicate error: global: 64, local: 552, saved global: 64, saved local:553
2019/02/25 09:29:15 ossec-remoted(1407): ERROR: Duplicated counter for 'XXXXXXXXXXX'.
2019/02/25 09:51:53 ossec-remoted: WARN: Duplicate error: global: 63, local: 9799, saved global: 63, saved local:9800
2019/02/25 09:51:53 ossec-remoted(1407): ERROR: Duplicated counter for 'XXXXXXXXX'.
2019/02/25 10:53:34 ossec-execd(1314): INFO: Shutdown received. Deleting responses.

This normally happens when you restore the OSSEC files from a backup or you 
reinstall the server or agents without performing an upgrade. This can also be 
caused by duplicate agent IDs. The fix for this problem is:




On the agent that is giving you trouble:
     Stop OSSEC.
     Go to .../ossec/queue/rids (or ossec-agent/rids on Windows) and 
     remove every file in there.
On the server:
     Stop OSSEC.
     Remove the rids file with the same name as the agent ID that is 
     reporting errors.
Restart the server.
Restart the agents.

700grm


On Tuesday, May 29, 2018 at 6:51:56 PM UTC+1, Cooper wrote:
>
> Hey all,
>
> One of my ossec-remoted processes is eating up a ton of RAM, to the point 
> that it eventually crashes.  Is there any way to see what's going on or why 
> it's doing that?  I have around 1800 agents connected.
>
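
The following Python example is added here and is not part of the original messages or of the OSSEC project. It reads log text in the format quoted in the reply above, groups the duplicate-counter events by agent, and lists the server-side rids files that the fix says to remove. Assumptions: the agent names and client.keys entries are constructed, and the quoted value in the ERROR line is taken to be the agent name as it appears in client.keys.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the log above; agent names are invented.
SAMPLE_LOG = """\
2019/02/25 04:27:04 ossec-remoted: WARN: Duplicate error: global: 8, local: 7173, saved global: 8, saved local:7174
2019/02/25 04:27:04 ossec-remoted(1407): ERROR: Duplicated counter for 'web01'.
2019/02/25 05:03:27 ossec-remoted: WARN: Duplicate error: global: 63, local: 1834, saved global: 63, saved local:1835
2019/02/25 05:03:27 ossec-remoted(1407): ERROR: Duplicated counter for 'db02'.
2019/02/25 05:34:45 ossec-syscheckd: INFO: Starting syscheck scan.
2019/02/25 09:29:15 ossec-remoted: WARN: Duplicate error: global: 8, local: 7180, saved global: 8, saved local:7181
2019/02/25 09:29:15 ossec-remoted(1407): ERROR: Duplicated counter for 'web01'.
"""
# Constructed client.keys text: one "<id> <name> <ip> <key>" entry per line.
SAMPLE_KEYS = "001 web01 any KEY-PLACEHOLDER\n002 db02 10.0.0.12 KEY-PLACEHOLDER\n003 app03 any KEY-PLACEHOLDER\n"

WARN_RE = re.compile(r"Duplicate error:\s*global: (\d+),\s*local: (\d+),"
                     r"\s*saved global: (\d+),\s*saved local:\s*(\d+)")
ERR_RE = re.compile(r"\(1407\): ERROR: Duplicated counter for '([^']*)'")

def duplicate_counter_agents(log_text):
    """Return {agent: [(global, local, saved_global, saved_local), ...]}."""
    hits, pending = defaultdict(list), None
    for line in log_text.splitlines():
        warn = WARN_RE.search(line)
        if warn:  # counters arrive on the WARN line, the agent on the next ERROR
            pending = tuple(int(n) for n in warn.groups())
            continue
        err = ERR_RE.search(line)
        if err:
            hits[err.group(1)].append(pending)
            pending = None
    return dict(hits)

def rids_files_to_remove(log_text, keys_text):
    """Agent ids (the server-side rids file names) for the affected agents."""
    ids = {}
    for entry in keys_text.splitlines():
        fields = entry.split()
        if len(fields) >= 4:
            ids[fields[1]] = fields[0]
    return sorted(ids[a] for a in duplicate_counter_agents(log_text) if a in ids)

if __name__ == "__main__":
    for agent, events in duplicate_counter_agents(SAMPLE_LOG).items():
        print(agent, len(events), "duplicate-counter events, last:", events[-1])
    print("rids files to remove on the server:",
          rids_files_to_remove(SAMPLE_LOG, SAMPLE_KEYS))
```

An agent that appears repeatedly in the output is a candidate for the rids reset described in the reply; an agent name that maps to more than one ID in client.keys points at the duplicate-ID cause instead.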
