It has been my limited experience that it does have to do with keys.
I solved this problem by taking a copy of the key file and using that
to enter the data into the agents, or placing the key file on the
client and removing everything in the file that is not for that client
(since those files are supposed to be identical formats).
Take a box and attempt to replicate the issue. I have also seen UTF8
vs ASCII encoding in the text file transport for the key garble it,
making an incorrectly formatted string that would not connect to the
server.

Please feel free to contact me offline if you want some live help.
Unfortunately I will not have much time until Monday afternoon or
Tuesday.

On Aug 27, 1:17 pm, Chris Henderson <[email protected]> wrote:
> Frank,
> From the agents log I see the following:
>
> 009/08/27 12:02:36 ossec-agentd(4101): WARN: Waiting for server reply (not
> started). Tried: 'x.x.x.x'.
>
> From the server log I see the following:
>
> 2009/08/27 12:08:06 ossec-remoted(1403): ERROR: Incorrectly formated message
> from 'x.x.x.x'.
>
> I also used netcat between the two servers to make sure they can communicate
> with each other using UDP 1514, each host was able to do so. I've been
> tailing the server log file for a while now and it looks like all of the
> agents that are not showing up are getting the "incorrectly formatted
> message". Does this error have to do with the keys?
>
> Thanks,
>
> Chris
>
> On Wed, Aug 26, 2009 at 2:01 PM, nine 13 tech <[email protected]> wrote:
>
>
>
> > Chris,
> > Have you checked the logs on the clients? There you might see
> > something similar to:
> > [WARN]trying to connect to <ip of OSSEC server>
> > It has been my experience that there are just a few reasons why these
> > agents will not connect.
> > 1. the registered ip of the agent is not the IP that the server sees. to
> > find this - initiate a session or error that would log on the server
> > in /var/log/messages etc. or if there is the internet between the
> > client and server hit whatsmyip.org to verify.
> > 2. a firewall is blocking (you've already checked)
> > 3. the key was garbled - you will see errors in
> > /var/ossec/logs/ossec.log
> > 4. the agent is not started on the client (oops, did that once)
>
> > If you can, can you please post the client logs from one of the
> > non-connecting machines (please remember to obfuscate IP addresses)
> > Frank Moss
> > nine 13 tech
>
> > On Aug 25, 1:28 pm, Chris Henderson <[email protected]> wrote:
> > > Hey All,
>
> > > In recent weeks I have added and removed several OSSEC agents and I
> > > just noticed that none of the new agents are showing up in the OSSEC-
> > > WUI under "Available Agents", and I'm not receiving notifications or
> > > any alerts for the new hosts. If I run list_agents -a or -c it lists
> > > the agents that currently show up in the WUI which total 12 servers.
> > > If I do manage_agents and list the servers there are over 40
> > > servers listed. I've set the agents up and extracted the keys, I've
> > > also made sure the agents can get to the OSSEC server, as well as
> > > making sure iptables isn't blocking the agent and server. I have even
> > > restarted the OSSEC server. Any suggestions on why none of the new
> > > hosts are being monitored?
>
> > > Thanks,
>
> > > Chris

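The key-file problems raised in this thread (an encoding change during transfer, extra entries left in the client's copy) can be checked mechanically before restarting an agent. The script below is an added example, not part of the original messages and not OSSEC code; the function name `check_client_keys` is hypothetical, and the assumed entry layout is four space-separated ASCII fields, "id name ip key", one entry per line.

```python
# Added example: sanity-check the bytes of an OSSEC agent key file.
# Assumption: one entry per line, four space-separated ASCII fields "id name ip key".
BOMS = {b"\xef\xbb\xbf": "UTF-8", b"\xff\xfe": "UTF-16 LE", b"\xfe\xff": "UTF-16 BE"}

def check_client_keys(raw: bytes, client_copy: bool = True) -> list[str]:
    """Return human-readable problems found in a key file (empty list = clean)."""
    problems = []
    for bom, name in BOMS.items():
        if raw.startswith(bom):
            problems.append(f"file starts with a {name} byte-order mark")
            raw = raw[len(bom):]
            break
    if b"\x00" in raw:
        problems.append("NUL bytes present (file looks like UTF-16, not ASCII)")
    if b"\r" in raw:
        problems.append("CR characters present (DOS line endings)")
    entries = 0
    for n, line in enumerate(raw.split(b"\n"), 1):
        line = line.rstrip(b"\r")
        if not line.strip():
            continue  # ignore blank lines
        entries += 1
        if any(b < 0x20 or b > 0x7e for b in line):
            problems.append(f"line {n}: control or non-ASCII byte in entry")
        fields = line.split()
        if len(fields) != 4:
            problems.append(f"line {n}: expected 4 fields, found {len(fields)}")
    # The reply above suggests the client's copy hold only that client's entry.
    if client_copy and entries != 1:
        problems.append(f"client copy holds {entries} entries, expected 1")
    return problems

if __name__ == "__main__":
    # Constructed sample: a key line saved by an editor that prepended a UTF-8 BOM
    # and used DOS line endings. The id, name, IP and key are made up.
    sample = b"\xef\xbb\xbf001 web01 192.0.2.10 " + b"0123456789abcdef" * 4 + b"\r\n"
    for problem in check_client_keys(sample):
        print(problem)
```

Feed it the raw bytes of the agent's key file (opened in binary mode), and pass `client_copy=False` when checking the server's full list.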