Chris,

Have you checked the logs on the clients? There you might see something similar to:

[WARN]trying to connect to <ip of OSSEC server>

It has been my experience that there are just a few reasons why these agents will not connect.

1. The registered IP of the agent is not the IP that the server sees. To find this, initiate a session or error that would log on the server in /var/log/messages etc., or if there is the internet between the client and server, hit whatsmyip.org to verify.
2. A firewall is blocking (you've already checked).
3. The key was garbled - you will see errors in /var/ossec/logs/ossec.log
4. The agent is not started on the client (oops, did that once).

If you can, can you please post the client logs from one of the non-connecting machines? (Please remember to obfuscate IP addresses.)

Frank Moss
nine 13 tech

On Aug 25, 1:28 pm, Chris Henderson <[email protected]> wrote:
> Hey All,
>
> In recent weeks I have added and removed several OSSEC agents and I
> just noticed that none of the new agents are showing up in the
> OSSEC-WUI under "Available Agents", and I'm not receiving notifications
> or any alerts for the new hosts. If I run list_agents -a or -c it lists
> the agents that currently show up in the WUI, which total 12 servers.
> If I do manage_agents and list the servers there are over 40
> servers listed. I've set the agents up and extracted the keys, I've
> also made sure the agents can get to the OSSEC server, as well as
> making sure iptables isn't blocking the agent and server. I have even
> restarted the OSSEC server. Any suggestions on why none of the new
> hosts are being monitored?
>
> Thanks,
>
> Chris
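
An added example, not part of the thread above and not OSSEC code: a small triage for reason 1 in the reply, comparing each agent's registered IP with the source address the server actually sees. It assumes the server's key file uses an "ID NAME IP KEY" line layout and that the registered value may be a single address, a CIDR range or "any"; the function names and all sample data are constructed for illustration.

```python
import ipaddress

# Constructed sample in the assumed "ID NAME IP KEY" layout.
SAMPLE_KEYS = """\
001 web01 192.0.2.10 <key-placeholder>
002 db01 10.20.0.0/24 <key-placeholder>
003 laptop any <key-placeholder>
004 mail01 198.51.100.7 <key-placeholder>
"""

# Constructed: source address the server sees per agent (for example after
# NAT), collected by hand from server-side logs.
SAMPLE_SEEN = {"web01": "203.0.113.5", "db01": "10.20.0.14",
               "laptop": "203.0.113.77"}

def parse_keys(text):
    """Return {agent_name: registered_ip} from key-file style text."""
    agents = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4:  # skip blank or malformed lines
            agents[parts[1]] = parts[2]
    return agents

def ip_allowed(registered, seen):
    """True if the seen source address satisfies the registered value."""
    if registered.lower() == "any":
        return True
    try:
        net = ipaddress.ip_network(registered, strict=False)
        return ipaddress.ip_address(seen) in net
    except ValueError:
        return False  # an unparseable value can never match

def triage(keys_text, seen):
    """Classify each registered agent: ok, ip-mismatch or never-seen."""
    report = {}
    for name, reg_ip in parse_keys(keys_text).items():
        if name not in seen:
            report[name] = "never-seen"  # firewall, or agent not started
        elif ip_allowed(reg_ip, seen[name]):
            report[name] = "ok"
        else:
            report[name] = "ip-mismatch"  # reason 1: re-register the agent
    return report

if __name__ == "__main__":
    for name, status in triage(SAMPLE_KEYS, SAMPLE_SEEN).items():
        print(f"{name}: {status}")
```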
