On 08/09/2012 16:39, dan (ddp) wrote:
On Thu, Aug 9, 2012 at 9:13 AM, Nate <yjn...@gmail.com> wrote:
OK, gave the add/remove key thing one last shot.

Stopped ossec on both the master and the agent.
Deleted client.keys on the agent.
Used manage_agents to remove the old key from the master, and add a new one.
Started ossec on the master.
Used manage_agents on the agent to add the key that I extracted (using
manage_agents on the master) for this agent to this agent.
Started ossec on the agent.

NOW, I get my ossec.log on the master flooded with:

WARN: Invalid active response (execd) message '9:(www'

www is the agent i'm working with.

However, I'm getting the same now for every one of my agents... Unrelated?
Coincidence?

I think ossec has it in for me.



Someone else is having a similar issue, but I don't know how far
anyone has gotten with tracking it down. It's one of those things I
don't know how to troubleshoot when I can't recreate the issue. Check
the other thread though, maybe something useful has been posted there.


That would be me, getting the warning, not the other errors. When it happens, no message from agents gets through; I get the message from all agents though, not just one.

The one thing that we seem to have in common is that my www agent runs in a VirtualBox image, bridged. Another agent is the host for www and the third one is an independent host, not virtualized. I didn't try running without the www agent started, I'll try to do that too.

I had the same agent reporting to a different server but with active response disabled; that was while testing, and there were no problems there.

The other thing that might be different on my setup is that two of the agents, www and its host, connect to one interface, 10.x.x.x, while the third one connects to 192.168.x.x. These are two different network interfaces and the server has a couple more; ossec is set to listen on all of them.
