Hi Michael,
It looks like you reinstalled the server (without using the upgrade
option) and updated the agents. By doing so, you removed the "rids"
directory from the server, but not from the agents (I may be wrong,
but that's what it looks like).
Basically, every agent (and the server) keeps inside queue/rids a counter
of all the messages sent and received. We do that to protect against
replay attacks (someone copying the encrypted event and sending it
over and over).
From your agent log, I see that it has saved the counter 8-9033, while
the server is sending 0-6, which will be considered duplicated.
Since you don't have any firewall in the middle and the connection
looks good, I would suggest you do the following:
-On every agent:
-- stop ossec
-- go to: /var/ossec/queue/rids (or ossec-agent/rids on Windows) and
remove every file in there.
-Go to the server:
-- Stop ossec
-- Remove every file under rids too.
-- Restart the server and the agents.
To avoid this problem from ever happening again, make sure to:
-Always use the update option (when updating). Do not remove and
reinstall the ossec server, unless you plan to do the same for all agents.
-Do not re-use the same agent key between multiple agents or the
same agent key after you remove/re-install an agent. If you use
the "update" options everything should just work.
Hope it helps. Let us know whether or not it fixes the problem.
--
Daniel B. Cid
dcid ( at ) ossec.net
On 1/10/07, Michael Starks <[EMAIL PROTECTED]> wrote:
Daniel Cid wrote:
>
> We have a v1.0 beta available to anyone interested in looking at the
> new features and testing it for problems. It has numerous new features,
> including:
I was having problems with client-server communication so I decided to
try to upgrade to see if it would fix things.
Previous to the upgrade, clients were displaying:
2007/01/09 22:26:42 ossec-agentd(4101): Waiting for server reply (not started).
2007/01/09 22:27:14 ossec-agentd: Duplicate error: global: 0, local: 6, saved global: 8, saved local:9033
2007/01/09 22:27:14 ossec-agentd(1407): Duplicated counter for '<client IP>'.
2007/01/09 22:27:14 ossec-agentd(1214): Problem receiving message from <Server IP>.
I tried various things, such as removing and re-adding keys, stopping
both server and agent and checking for hung processes, and removing files
in the /rids directory. Nothing worked.
Since I upgraded, the client displays:
2007/01/09 23:49:06 ossec-logcollector: Process locked. Waiting for permission...
I suspect maybe it's the same problem with a different error?
I have verified with nc that UDP 1514 is fine from client-server, and
when I run tcpdump on the server I see the UDP datagrams come through
periodically. But the server doesn't respond. The server has the port
open (by OSSEC) and seems ready to accept connections. The issue has to
be on the server side since all of my agents are now experiencing this
problem.
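
Added example, not part of the original thread and not OSSEC source code: a simplified C model of the queue/rids counter check described in the reply, run against the "Duplicate error" line from the agent log above. The struct and function names are hypothetical, and the strictly-newer comparison of the (global, local) pair is an assumption of this model.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of the per-peer counter kept under queue/rids.
 * Hypothetical names; this is not OSSEC source code. */
struct rid_counter { unsigned int global; unsigned int local; };

/* Log line quoted in the thread (re-joined from its wrapped form). */
static const char *SAMPLE_LINE =
    "2007/01/09 22:27:14 ossec-agentd: Duplicate error: global: 0, "
    "local: 6, saved global: 8, saved local:9033";

/* Accept a message only if its (global, local) pair is strictly newer
 * than the saved pair (assumed rule); on accept, advance the saved pair.
 * Returns 1 = accepted, 0 = treated as a duplicate/replay. */
int rid_accept(struct rid_counter *saved, unsigned int g, unsigned int l)
{
    if (g > saved->global || (g == saved->global && l > saved->local)) {
        saved->global = g;
        saved->local = l;
        return 1;
    }
    return 0;
}

/* Extract the received and saved counters from a "Duplicate error" line.
 * Returns 1 on success, 0 if the line is not in that form. */
int parse_duplicate_error(const char *line, struct rid_counter *msg,
                          struct rid_counter *saved)
{
    const char *p = strstr(line, "Duplicate error:");
    if (p == NULL)
        return 0;
    return sscanf(p, "Duplicate error: global: %u, local: %u, "
                     "saved global: %u, saved local:%u",
                  &msg->global, &msg->local,
                  &saved->global, &saved->local) == 4;
}

int main(void)
{
    struct rid_counter msg, saved, cleared = {0, 0};
    if (!parse_duplicate_error(SAMPLE_LINE, &msg, &saved))
        return 1;
    /* Stale rids on the agent: the reinstalled server's low counter is rejected. */
    printf("stale rids: accepted=%d\n", rid_accept(&saved, msg.global, msg.local));
    /* After rids is emptied on both sides the same counter is accepted once. */
    printf("rids cleared: accepted=%d\n", rid_accept(&cleared, msg.global, msg.local));
    printf("same message again: accepted=%d\n", rid_accept(&cleared, msg.global, msg.local));
    return 0;
}
```

The second and third calls show why clearing rids on only one side does not help: the check passes only when both peers restart from counters that the other side has not already moved past.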