[ossec-list] Re: [2.9.3] Ossec remoted crashing

2019-02-27 Thread 700grm
I found a solution:

Ossec agents and server keep a counter of each message sent and received in 
files in .../ossec/queue/rids. This is a technique to prevent replay 
attacks. If the counters between agent and server don't match you'll see 
errors like this in the agent's ossec.log file:


2019/02/25 04:27:04 ossec-remoted: WARN: Duplicate error: global: 8, local: 7173, saved global: 8, saved local:7174
2019/02/25 04:27:04 ossec-remoted(1407): ERROR: Duplicated counter for 'XXX'.
2019/02/25 05:03:27 ossec-remoted: WARN: Duplicate error: global: 63, local: 1834, saved global: 63, saved local:1835
2019/02/25 05:03:27 ossec-remoted(1407): ERROR: Duplicated counter for 'XX'.
2019/02/25 05:34:45 ossec-syscheckd: INFO: Starting syscheck scan.
2019/02/25 05:45:40 ossec-syscheckd: INFO: Ending syscheck scan.
2019/02/25 09:29:15 ossec-remoted: WARN: Duplicate error: global: 64, local: 552, saved global: 64, saved local:553
2019/02/25 09:29:15 ossec-remoted(1407): ERROR: Duplicated counter for 'XXX'.
2019/02/25 09:51:53 ossec-remoted: WARN: Duplicate error: global: 63, local: 9799, saved global: 63, saved local:9800
2019/02/25 09:51:53 ossec-remoted(1407): ERROR: Duplicated counter for 'X'.
2019/02/25 10:53:34 ossec-execd(1314): INFO: Shutdown received. Deleting responses.

This normally happens when you restore the ossec files from a backup or you 
reinstall the server or agents without performing an upgrade; this can also be 
caused by duplicate agent IDs. The fix for this problem is:

On the agent that is giving you trouble:
 stop ossec
 go to .../ossec/queue/rids (or ossec-agent/rids on Windows) and 
 remove every file in there.
On the server:
 stop ossec
 remove the rids file with the same name as the agent id that is 
 reporting errors.
Restart the server.
Restart the agents.

700grm


On Tuesday, May 29, 2018 at 6:51:56 PM UTC+1, Cooper wrote:
>
> Hey all,
>
> One of my ossec-remoted processes is eating up a ton of RAM, to the point 
> that it eventually crashes.  Is there anyway to see what's going on or why 
> it's doing that?  I have around 1800 agents connected.
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
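The server side of the counter-reset procedure in the post above, as an added shell example (not from the thread or the OSSEC project): it pulls the agent names out of the "Duplicated counter" lines in ossec.log, maps each name to its id via client.keys, and moves that id's rids file aside with a backup instead of deleting it. Default OSSEC paths, the "id name ip key" layout of client.keys and the sample data in make_sample_env are all assumptions.

```shell
# Added example, not from the thread or the OSSEC project. Finds the agents
# that ossec-remoted reported a duplicated counter for, maps each name to its
# id, and moves that id's rids file aside on the server. Assumes default paths
# and that client.keys holds one "id name ip key" line per agent.
OSSEC_HOME="${OSSEC_HOME:-/var/ossec}"

# Distinct agent names with a "Duplicated counter" error, one per line. $1 = ossec.log
agents_with_counter_errors() {
    grep "ossec-remoted.*Duplicated counter for '" "$1" |
        sed "s/.*Duplicated counter for '\([^']*\)'.*/\1/" | sort -u
}

# Agent id for a name from client.keys. $1 = client.keys, $2 = agent name
agent_id_for_name() {
    awk -v name="$2" '$2 == name { print $1; exit }' "$1"
}

# Move one agent's rids file into a sibling backup dir instead of deleting it.
# $1 = rids directory, $2 = agent id. Returns 1 when there is nothing to reset.
reset_rids_for_agent() {
    [ -f "$1/$2" ] || return 1
    mkdir -p "$1.bak" && mv "$1/$2" "$1.bak/$2.$(date +%Y%m%d%H%M%S)"
}

# The server side of the post's procedure: stop ossec, reset the rids file of
# every agent named in the log, start ossec again. Agents still need their own reset.
reset_server_rids_for_logged_agents() {
    "$OSSEC_HOME/bin/ossec-control" stop
    agents_with_counter_errors "$OSSEC_HOME/logs/ossec.log" | while read -r name; do
        id=$(agent_id_for_name "$OSSEC_HOME/etc/client.keys" "$name")
        [ -n "$id" ] && reset_rids_for_agent "$OSSEC_HOME/queue/rids" "$id" &&
            echo "reset rids for agent $id ($name)"
    done
    "$OSSEC_HOME/bin/ossec-control" start
}

# Constructed sample log, client.keys and rids files in a temp dir (prints its
# path) so the functions above can be tried without a real server.
make_sample_env() {
    d=$(mktemp -d) && mkdir -p "$d/rids"
    printf '001 web01 any KEY1\n002 db02 any KEY2\n' > "$d/client.keys"
    echo '8:7174' > "$d/rids/001" && echo '63:1835' > "$d/rids/002"
    cat > "$d/ossec.log" <<'EOF'
2019/02/25 04:27:04 ossec-remoted: WARN: Duplicate error: global: 8, local: 7173, saved global: 8, saved local:7174
2019/02/25 04:27:04 ossec-remoted(1407): ERROR: Duplicated counter for 'web01'.
2019/02/25 05:34:45 ossec-syscheckd: INFO: Starting syscheck scan.
2019/02/25 09:51:53 ossec-remoted(1407): ERROR: Duplicated counter for 'db02'.
EOF
    echo "$d"
}
```

Run reset_server_rids_for_logged_agents as root on the manager only after the affected agents have had their own rids directory emptied, as the post describes.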


[ossec-list] Re: [2.9.3] Ossec remoted crashing

2019-02-27 Thread 700grm
Any solution? I have the same issue with OSSEC 3.1: it is going to run for 
2-3 days, and without any error it will crash.

I have OSSEC Master RH installed on a VM with 8GB of memory.

OSSEC consumes almost all memory; only 16 agents are connected.

All settings are default, with only one exception: I am logging all events 
with parameter "logall".

Any solution? 


On Tuesday, May 29, 2018 at 6:51:56 PM UTC+1, Cooper wrote:
>
> Hey all,
>
> One of my ossec-remoted processes is eating up a ton of RAM, to the point 
> that it eventually crashes.  Is there anyway to see what's going on or why 
> it's doing that?  I have around 1800 agents connected.
>



[ossec-list] From where OSSEC client is pulling configuration ?

2019-01-31 Thread 700grm
Hi, 

I have a situation where any time I reimport the OSSEC 3.1 configuration to a 
client on Red Hat, it automatically creates a file at 
/opt/ossec/etc/shared/agent.conf which I have to delete every time, 
because otherwise I am going to get this message:

Starting OSSEC HIDS v3.1.0 (by Trend Micro Inc.)...
Started ossec-execd...
2019/01/29 11:24:23 ossec-agentd: INFO: Using notify time: 600 and max time 
to reconnect: 1800
Started ossec-agentd...
2019/01/29 11:24:23 ossec-logcollector: Remote commands are not accepted 
from the manager. Ignoring it on the agent.conf
2019/01/29 11:24:23 ossec-logcollector(1202): ERROR: Configuration error at 
'/opt/ossec/etc/shared/agent.conf'. Exiting.
Started ossec-logcollector...
2019/01/29 11:24:23 ossec-syscheckd(1756): ERROR: Duplicated directory 
given: '/etc'.
2019/01/29 11:24:23 ossec-syscheckd(1756): ERROR: Duplicated directory 
given: '/bin'.
Started ossec-syscheckd...
Completed.


If I understand correctly, this file allows overriding the global 
configuration.

1. However, why does the OSSEC client need these two files? I always put the same 
config in both of them:
   /var/ossec/etc/ossec-agent.conf
   /var/ossec/etc/ossec.conf

2. Is there any way to configure the ossec configuration on the MASTER so that it will 
be pulled automatically by clients, or do I have to reconfigure every client 
separately for every system: Windows, Red Hat and Ubuntu?

Thx in advance




Re: [ossec-list] Ossec agent logs to two ossec server's / sensors

2018-11-28 Thread 700grm
Hi Dan, 

I am trying to look for the configuration file where I can increase the 30 minute 
interval, but cannot find it - "but an agent will failover to 
a second server after a while (30 minutes?). "


On Friday, July 6, 2018 at 1:11:43 PM UTC+1, dan (ddpbsd) wrote:
>
> On Fri, Jul 6, 2018 at 3:43 AM, Shaikh S. wrote: 
> > Hello Folks, 
> > 
> > Hope you're doing well. 
> > 
> > Is it possible to configure the ossec agent to send the logs to two different 
> > servers? For example, if the DC ossec server gets down, is it possible to 
> > forward the same agent logs to the other DR ossec server. 
> > (Active / Passive monitoring ) 
> > 
>
> You can't send to both at the same time, but an agent will failover to 
> a second server after a while (30 minutes?). 
> I'm hoping the virgil security noisesocket work helps with this. 
>
> > Any help will be grateful. 
> > 
> > Thanks in advance !!! 
> > 
> > 
> > Regards, 
> > Shaikh S. 
> > 
>



[ossec-list] Forwarding Linux syslogs to syslog server

2018-11-09 Thread 700grm
Hi, 

I am new to OSSEC. I am confused about forwarding logs.

Does the OSSEC client collect logs from /var/log/messages and forward them 
to the ossec server's /var/log/messages? Or should log forwarding be 
configured in rsyslog on Red Hat to forward all logs to a rsyslog server?

Thx in advance

Regards


 V
