Hi list,

I've got a thorny problem that I'm hoping will turn out to be a simple
one. Our OSSEC Manager refuses to see the one agent currently
connected to it. It's been connected in the past, and the manager
remembers this - the agent shows as "disconnected" in agent_control
rather than "never connected" - but for some reason it won't connect
now.

Compounding the problem is that we're using one-way agents, which
don't require communication from the manager to start. So we don't get
feedback in the agent logs about what the problem might be.

Using Wireshark, we've determined that UDP packets from our agent host
machine are reaching our OSSEC manager machine, addressed to our OSSEC
port, but we can't figure out what's happening after they show up that
is causing our manager to ignore them.

I've checked the following: iptables (port is open), ifconfig
(interface is up and running; other communication works fine over it),
OSSEC agent and manager configs (agent is pointed at the right port/
IP; manager is listening on the right port), OSSEC manager logs (no
errors that would indicate a bad client.keys or RIDS problem), and
OSSEC agent logs (again, no errors, but it's a one-way agent). I've
restarted everything a couple of times, cleared the RIDS, etc. There
are no other machines currently on this subnet, so I can't test other
agents.

Anyone have any idea where else I can look, or what the problem might
be?

Thanks!
-Alisha Kloc
