I ran tcpdump on both the agent and the server. tcpdump is not picking up any OSSEC traffic at either end. The only traffic from the OSSEC server that tcpdump is picking up at the agent - that traffic is SNMP traffic
I also ran the route and traceroute command at both the server and agent end to make sure that it was being routed properly. One thing I notice is that the rids file at both the server and agent end - that rids file is empty and stays empty Unusual.. On Aug 15, 8:01 pm, "dan (ddp)" <ddp...@gmail.com> wrote: > Use tcpdump to make sure packets are making it to the manager from the > agent, and to the agent from the manager. > > > > > > > > > > On Mon, Aug 15, 2011 at 3:43 PM, blacklight <vphu...@yahoo.com> wrote: > > The agent ossec.log files for the two agents show that the agents are > > operational and ready to go: > > > Typical example: > > > 2011/08/15 11:59:33 ossec-agentd(1410): INFO: Reading authentication > > keys file. > > 2011/08/15 11:59:33 ossec-agentd: INFO: Assigning sender counter: > > 7731:6770 > > 2011/08/15 11:59:33 ossec-agentd: INFO: Started (pid: 30229). > > 2011/08/15 11:59:33 ossec-agentd: INFO: Server IP Address: > > 10.80.80.100 > > 2011/08/15 11:59:33 ossec-agentd: INFO: Trying to connect to server > > (10.80.80.100:1514). > > ... > > 2011/08/15 12:06:42 ossec-agentd(4101): WARN: Waiting for server reply > > (not started). Tried: '10.80.80.100'. > > 2011/08/15 12:08:32 ossec-agentd: INFO: Trying to connect to server > > (10.80.80.100:1514). > > > On the other hand, at the server, either there is a failure to assign > > a sender counter i.e. the "ossec-agentd: INFO: Assigning sender > > counter:" does not appear, or we get > > > 2011/08/12 12:40:12 ossec-remoted: INFO: No previous counter available > > for 'vapp022.crickabold.com'. > > 2011/08/12 12:40:12 ossec-remoted: INFO: Assigning counter for agent > > vapp022.crickabold.com: '0:0'. > > There are no other logs related to this agent? The above messages > shouldn't be preventing the agent from connecting. > > > > > > > > > Under either scenario, the status of the agents is "Disconnected" > > > Obviously, we'd like to fix that. > > > On Aug 12, 2:13 pm, "dan (ddp)" <ddp...@gmail.com> wrote: > >> On Thu, Aug 11, 2011 at 1:07 PM, blacklight <vphu...@yahoo.com> wrote: > >> > Hello Folks, > > >> > One of our agents is listed in the list of "Available Agents" in the > >> > OSSEC GUI as "Inactive" > > >> > Attempted Resolution: > > >> > (1) I logged into the OSSEC server host, ran /var/ossec/bin/ > >> > manage_agents to get the index ID of the host - say 140 > >> > (2) On the OSSEC server host, I went into /var/ossec/queue/rids and > >> > deleted the file 140 > > >> Why did you delete the rids? > > >> > (3) I restarted OSSEC on the OSSEC server host > > >> > (4) On the OSSEC agent host, I went into /var/ossec/queue/rids and > >> > deleted the file 140 > >> > (3) I restarted OSSEC on the OSSEC agent > > >> > This procedure works 100% of the time. Until today i.e. running /var/ > >> > ossec/bin/agent_control -i 140 still shows the agent as "Disconnected" > > >> > As a side note, I don't think anyone screwed with firewall access > >> > lists because our SNMP polling still correctly shows the agent host as > >> > operational. How should I troubleshoot this> > > >> > Thanks, > > >> You could start by looking at the ossec.log files on the agent and the > >> manager.
