Watch the manager's logs while restarting the agent's process. It might provide a clue.

Also make sure the manager's processes were restarted after the client was added, and make sure the client was configured on the manager with a unique IP address.

Okay, I restarted the manager and then the agents. Still can't communicate and I don't see anything in the server logs about it:

2010/12/03 09:30:24 ossec-rootcheck: DEBUG: Going into check_rc_dev
2010/12/03 09:30:24 ossec-rootcheck: DEBUG: Starting on check_rc_dev
2010/12/03 09:30:24 ossec-rootcheck: DEBUG: Going into check_rc_sys
2010/12/03 09:30:24 ossec-rootcheck: DEBUG: Starting on check_rc_sys
2010/12/03 09:30:26 ossec-rootcheck: DEBUG: Going into check_rc_pids
2010/12/03 09:49:29 ossec-rootcheck: DEBUG: Going into check_rc_ports
2010/12/03 09:50:02 ossec-rootcheck: DEBUG: Going into check_open_ports
2010/12/03 09:50:02 ossec-rootcheck: DEBUG: Going into check_rc_if
2010/12/03 09:50:02 ossec-rootcheck: DEBUG: Completed with all checks.
2010/12/03 09:50:07 ossec-rootcheck: INFO: Ending rootcheck scan.
2010/12/03 09:50:07 ossec-rootcheck: DEBUG: Leaving run_rk_check


The client packets are definitely getting through, as the command "tcpdump -ni eth2 port 1514" shows activity after restarting the agent. I have also turned off the Windows firewall, which didn't help.

The agents are configured as so:

****************************************
* OSSEC HIDS v2.5.1 Agent manager.     *
* The following options are available: *
****************************************
   (A)dd an agent (A).
   (E)xtract key for an agent (E).
   (L)ist already added agents (L).
   (R)emove an agent (R).
   (Q)uit.
Choose your action: A,E,L,R or Q: l

Available agents:
   ID: 001, Name: wombat.xyz.local, IP: 10.21.4.112
   ID: 002, Name: skywarp.xyz.local, IP: 10.21.4.114


Thanks,
Scott
