The rids file is - I think - a socket file. By deleting the rids file and restarting OSSEC at both the agent and the server, I am recreating the sockets. And reinitializing the handshake between server and agent.

From memory - (1) the agent starts and waits and waits for a reply from the server (2) the server assigns a counter to the agent - I haven't checked anything else in the server log.

On Aug 12, 6:13 pm, "dan (ddp)" <ddp...@gmail.com> wrote:
> On Thu, Aug 11, 2011 at 1:07 PM, blacklight <vphu...@yahoo.com> wrote:
> > Hello Folks,
> >
> > One of our agents is listed in the list of "Available Agents" in the OSSEC GUI as "Inactive"
> >
> > Attempted Resolution:
> >
> > (1) I logged into the OSSEC server host, ran /var/ossec/bin/manage_agents to get the index ID of the host - say 140
> > (2) On the OSSEC server host, I went into /var/ossec/queue/rids and deleted the file 140
>
> Why did you delete the rids?
>
> > (3) I restarted OSSEC on the OSSEC server host
> >
> > (4) On the OSSEC agent host, I went into /var/ossec/queue/rids and deleted the file 140
> > (3) I restarted OSSEC on the OSSEC agent
> >
> > This procedure works 100% of the time. Until today i.e. running /var/ossec/bin/agent_control -i 140 still shows the agent as "Disconnected"
> >
> > As a side note, I don't think anyone screwed with firewall access lists because our SNMP polling still correctly shows the agent host as operational. How should I troubleshoot this?
> >
> > Thanks,
>
> You could start by looking at the ossec.log files on the agent and the manager.
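
As an added example (not part of the thread or of OSSEC itself), the log check suggested above can be scripted: read the agent's and the manager's ossec.log and report whether the agent is waiting for a reply or the manager is rejecting its message counter. The function name `triage`, the agent name `web01`, the addresses and the sample lines are constructed, and the message IDs and texts are assumed from OSSEC 2.x output.

```python
import re

# Message texts assumed from OSSEC 2.x logs; adjust them for your version.
WAITING = re.compile(r"ossec-agentd\(4101\): WARN: Waiting for server reply")
CONNECTED = re.compile(r"ossec-agentd\(4102\): INFO: Connected to the server")
DUP_COUNTER = re.compile(r"ossec-remoted\(1407\): ERROR: Duplicated counter for '([^']+)'")

def triage(agent_lines, manager_lines, agent_name):
    """Summarise why an agent shows as Disconnected, from both ossec.log files."""
    waiting = 0
    last_state = None  # last connection event seen in the agent log
    for line in agent_lines:
        if WAITING.search(line):
            waiting += 1
            last_state = "waiting"
        elif CONNECTED.search(line):
            last_state = "connected"
    # Count manager-side counter rejections that name this agent only.
    duplicates = sum(
        1 for line in manager_lines
        if (m := DUP_COUNTER.search(line)) and m.group(1) == agent_name
    )
    if duplicates:
        verdict = "counter_mismatch"  # manager is dropping the agent's messages
    elif last_state == "waiting":
        verdict = "no_reply"  # check keys and the path to the manager (UDP 1514 by default)
    elif last_state == "connected":
        verdict = "connected"
    else:
        verdict = "no_evidence"
    return {"verdict": verdict, "waiting": waiting, "duplicates": duplicates}

# Constructed sample lines (not taken from the thread).
SAMPLE_AGENT = [
    "2011/08/12 18:01:02 ossec-agentd: INFO: Trying to connect to server (192.0.2.10:1514).",
    "2011/08/12 18:01:23 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '192.0.2.10'.",
    "2011/08/12 18:01:44 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '192.0.2.10'.",
]
SAMPLE_MANAGER = [
    "2011/08/12 18:01:23 ossec-remoted(1407): ERROR: Duplicated counter for 'web01'.",
    "2011/08/12 18:01:30 ossec-remoted(1407): ERROR: Duplicated counter for 'db02'.",
]

if __name__ == "__main__":
    print(triage(SAMPLE_AGENT, SAMPLE_MANAGER, "web01"))
```

A `no_reply` verdict with nothing about the agent in the manager log points at the network path or the agent key rather than at the rids counters.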