Daniel Cid wrote:
Can you make sure that you are not using the same key for more than one agent? If you accidentally used the same key for more than one you would be getting these errors... Also, make sure that there are no duplicated IDs or agent names in your agent list (the manage_agents tool is supposed to prevent duplicates).

This all checks out fine. I did the same steps as before, shutting down everything and clearing all rids, and now everything works. The server was rebooted whereas it wasn't before. I don't see how this could have helped, but oh well, it seems to be working now.

Another potential issue.. I had the server lock up last night (due to non-OSSEC related reasons). I noticed I wasn't getting events after the restart, and ran across this:

[EMAIL PROTECTED] ossec]# ./bin/ossec-control status
ossec-monitord is running...
ossec-logcollector is running...
ossec-remoted is running...
ossec-syscheckd is running...
ossec-analysisd is running...
ossec-maild is running...
ossec-execd not running...
[EMAIL PROTECTED] ossec]# ./bin/ossec-control stop
Killing ossec-monitord ..
./bin/ossec-control: line 171: kill: (26258) - No such process
Killing ossec-logcollector ..
./bin/ossec-control: line 171: kill: (26243) - No such process
Killing ossec-remoted ..
./bin/ossec-control: line 171: kill: (26248) - No such process
Killing ossec-syscheckd ..
./bin/ossec-control: line 171: kill: (26254) - No such process
Killing ossec-analysisd ..
./bin/ossec-control: line 171: kill: (26239) - No such process
Killing ossec-maild ..
./bin/ossec-control: line 171: kill: (26231) - No such process
ossec-execd not running ..
OSSEC HIDS v1.0 Stopped

So, perhaps there was a PID file but it didn't actually start properly?... Or it died.. Should the status check for actual running processes just to be sure? It could compare it with the PID file and display a message if there are no running processes but the PID file exists (such as after a crash).
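
One way to implement the status check proposed in the message above, as an added example that is not OSSEC's own code and not part of the original thread. It assumes a hypothetical layout of one `<daemon>.pid` file per daemon in a single directory; the function names `pid_state` and `report_daemons` are illustrative.

```shell
#!/bin/sh
# Added example. Assumed layout (not taken from OSSEC): DIR/<daemon>.pid
# holds a single decimal PID.

# pid_state PIDFILE [NAME] -> prints running | stale | invalid | missing
pid_state() {
    pidfile=$1
    want=${2:-}
    [ -f "$pidfile" ] || { echo missing; return 0; }

    pid=$(tr -d '[:space:]' < "$pidfile")
    case $pid in
        ''|*[!0-9]*) echo invalid; return 0 ;;
    esac

    # Signal 0 delivers nothing; it only tests that the PID exists.
    # Run as root so a permission error is not mistaken for a dead process.
    kill -0 "$pid" 2>/dev/null || { echo stale; return 0; }

    # Guard against PID reuse after a reboot: on Linux, compare the process
    # name. The kernel truncates comm to 15 characters, so truncate NAME too.
    if [ -n "$want" ] && [ -r "/proc/$pid/comm" ]; then
        read -r have < "/proc/$pid/comm" || have=
        [ "$have" = "$(printf '%.15s' "$want")" ] || { echo stale; return 0; }
    fi
    echo running
}

# report_daemons DIR -> one status line per daemon; returns 1 if any PID
# file is stale or invalid, so the caller does not report it as running.
report_daemons() {
    dir=$1
    rc=0
    for d in ossec-monitord ossec-logcollector ossec-remoted ossec-syscheckd \
             ossec-analysisd ossec-maild ossec-execd; do
        state=$(pid_state "$dir/$d.pid" "$d")
        case $state in
            running) echo "$d is running..." ;;
            missing) echo "$d not running..." ;;
            *)       echo "$d: $state PID file, no matching process"; rc=1 ;;
        esac
    done
    return $rc
}

if [ $# -gt 0 ]; then report_daemons "$1"; fi
```

A `stale` result is the case seen in the transcript: the PID file survived the lock-up, but `kill` finds no such process.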