On Wed, Dec 5, 2012 at 2:41 AM, peng lin <[email protected]> wrote: > 12/12/05 14:49:04 ossec-syscheckd: INFO: Monitoring directory: '/sbin'. > 2012/12/05 14:49:06 ossec-logcollector(1950): INFO: Analyzing file: > '/var/log/messages'. > 2012/12/05 14:49:06 ossec-logcollector(1950): INFO: Analyzing file: > '/var/log/secure'. > 2012/12/05 14:49:06 ossec-logcollector(1950): INFO: Analyzing file: > '/var/log/maillog'. > 2012/12/05 14:49:06 ossec-logcollector: INFO: Monitoring output of > command(360): df -h > 2012/12/05 14:49:06 ossec-logcollector: INFO: Monitoring full output of > command(360): netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort > 2012/12/05 14:49:06 ossec-logcollector: INFO: Monitoring full output of > command(360): last -n 5 > 2012/12/05 14:49:06 ossec-logcollector: INFO: Started (pid: 3983). > 2012/12/05 14:49:08 ossec-logcollector: WARN: Process locked. Waiting for > permission... > 2012/12/05 14:49:10 ossec-agentd(1218): ERROR: Unable to send message to > server. > 2012/12/05 14:49:22 ossec-agentd(1218): ERROR: Unable to send message to > server. > 2012/12/05 14:49:23 ossec-agentd(4101): WARN: Waiting for server reply (not > started). Tried: '10.64.4.108'. > 2012/12/05 14:49:25 ossec-agentd: INFO: Trying to connect to server > (10.64.4.108:1514). > 2012/12/05 14:49:25 ossec-agentd: INFO: Using IPv4 for: 10.64.4.108 . > 2012/12/05 14:49:35 ossec-agentd(1218): ERROR: Unable to send message to > server. > 2012/12/05 14:49:47 ossec-agentd(1218): ERROR: Unable to send message to > server. > 2012/12/05 14:49:48 ossec-agentd(4101): WARN: Waiting for server reply (not > started). Tried: '10.64.4.108'. > 2012/12/05 14:50:06 ossec-syscheckd: INFO: Starting syscheck scan > (forwarding database). > 2012/12/05 14:50:06 ossec-syscheckd: WARN: Process locked. Waiting for > permission... > 10.64.4.108 is a hybrid mode server. > And how to slove it ? THINK YOU.
You highlighted a warning, not an error. You should be troubleshooting this the same way you would troubleshoot it if a hybrid installation wasn't involved. Look for errors in the server's ossec.log file. Make sure the correct key has been imported. Make sure the agent is coming from the correct IP (the IP the server should see is the same IP that was entered when creating the key). Make sure they key and IP are both unique among agents on that server. Make sure the server's OSSEC processes were restarted after the agent was added. Make sure the packets are making it to the server.
