Try running the following on the OSSEC server:
agent_control -r -u <id>
agent_control -i <id>

I had 2 Windows XP hosts that were in the Never connected state after I changed
the agent keys on them.
I tcpdumped the communication between server and agent and saw that the agent
sent packets and the server replied all night, but the server had been reporting
Never connected.
In my case, only after applying these commands did the server start to see the agents.





2013/4/18 Michiel van Es <vanesmich...@gmail.com>

>
>
> On Wednesday, 17 April 2013 17:53:47 UTC+2, dan (ddpbsd) wrote:
>>
>> On Wed, Apr 17, 2013 at 11:46 AM, Michiel van Es <vanesm...@gmail.com> wrote:
>> >
>> >
>> > On Wednesday, 17 April 2013 17:08:48 UTC+2, dan (ddpbsd) wrote:
>> >>
>> >> On Wed, Apr 17, 2013 at 10:39 AM, Michiel van Es <vanesm...@gmail.com> wrote:
>> >> >
>> >> >
>> >> > On Wednesday, 17 April 2013 15:44:03 UTC+2, Michiel van Es wrote:
>> >> >>
>> >> >>
>> >> >>
>> >> >> On Wednesday, 17 April 2013 15:19:38 UTC+2, dan (ddpbsd) wrote:
>> >> >>>
>> >> >>> On Wed, Apr 17, 2013 at 6:27 AM, Michiel van Es <vanesm...@gmail.com> wrote:
>> >> >>> > Hello,
>> >> >>> >
>> >> >>> > We have installed OSSEC 2.7 on a CentOS machine which is working fine with
>> >> >>> > several Windows and Linux agents.
>> >> >>> > We are trying to install the OSSEC 2.7 agent package on a Windows 2008
>> >> >>> > server which goes well but at the end, after the manual agent config (ip and
>> >> >>> > secret) and restarting of the service, we still see that the agent is never
>> >> >>> > connected:
>> >> >>> >
>> >> >>> > On the OSSEC server:
>> >> >>> >
>> >> >>> > ID: 1368, Name: server001, IP: x.x.x.x, Never connected
>> >> >>> >
>> >> >>>
>> >> >>> Is there any useful information in the ossec server's ossec.log (if I
>> >> >>> missed it I'm sorry)?
>> >> >>> If you start the ossec processes on the server in debug mode, do you
>> >> >>> receive log messages then?
>> >> >>> Is the syscheck db for the agent populated
>> >> >>> (/var/ossec/queue/syscheck/STUFF)?
>> >> >>> Any alerts based on log messages from the agent?
>> >> >>
>> >> >>
>> >> >> We see nothing in the server's ossec.log (we do see the ossec-authd
>> >> >> connection).
>> >>
>> >> The agent shouldn't be making multiple authd connections...
>> >>
>> >> >> We see UDP traffic on the server between server <==> agent
>> >> >> We don't have this issue with Windows 2003 and finally
>> >> >> we tried 2.6 and 2.7 and both don't work (are logging on the agent that
>> >> >> everything is working fine but nothing on the server).
>> >> >
>> >> >
>> >> > Extra information with debugging logging on:
>> >> >
>> >> > (too much to paste here:)
>> >> > http://pastebin.com/hEyc9VLA
>> >> >
>> >>
>> >> Any luck on getting the debug info from the server? How about checking
>> >> the syscheck db? Alerts?
>> >
>> >
>> > No entry/file in /var/ossec/queue/syscheck.
>> > I was a little hesitant to turn on debugging on the server since more than
>> > 300 agents are connected... will do that in a controlled manner.
>> > I am seeing entries in /var/ossec/log/alerts/* so the connection is working;
>> > the only problem is that the agent_control -l says it has never connected.
>> > This makes it difficult for us to see which nodes are down or not.
>> >
>> >>
>> >>
>> >> Does the agent have a file in /var/ossec/queue/agent-info? If so, try
>> >> stopping the ossec processes on the server, moving that file, and
>> >> starting the processes back up.
>> >
>> >
>> > Yes file is existent.
>> > Moved and restarted but agent is still never connected.
>>
>> Is the file recreated? What is in that file?
>>
>
> Yes, it is recreated with the following contents:
>
> server001
> -
> 1371
> (null)
>
> The ID and servername match
>
>>
>> >>
>> >>
>> >> Try turning on the log all option on the server, and check for the
>> >> agent's logs in the archive.log file.
>> >
>> >
>> > Before I turn on all kinds of logging, can we pinpoint it to the agent_control
>> > check? Alerts are coming in and thus network connection and such are working
>> > fine.
>> >
>>
>> Yes, it appears to be with the agent_control check.
>>
>
> Ok, can I turn on debugging for just that control/check/binary?
>
>
>>
>> >>
>> >>
>> >> >>
>> >> >> I will try the debug mode and if the syscheck db is populated.
>> >> >>>
>> >> >>>
>> >> >>>
>> >> >>> > On the agent in c:\program files(x86)\ossec-agent\ossec.log we see:
>> >> >>> >
>> >> >>> > 2013/04/17 11:17:16 ossec-agent(4102): INFO: Connected to the server (*server ip*:1514).
>> >> >>> >
>> >> >>> > 2013/04/17 11:17:16 ossec-agent: INFO: System is Vista or Windows Server 2008.
>> >> >>> >
>> >> >>> > 2013/04/17 11:17:16 ossec-agent(1951): INFO: Analyzing event log: 'Application'.
>> >> >>> >
>> >> >>> > 2013/04/17 11:17:16 ossec-agent(1951): INFO: Analyzing event log: 'Security'.
>> >> >>> >
>> >> >>> > 2013/04/17 11:17:17 ossec-agent(1951): INFO: Analyzing event log: 'System'.
>> >> >>> >
>> >> >>> > 2013/04/17 11:17:17 ossec-agent: INFO: Started (pid: 6984).
>> >> >>> >
>> >> >>> > 2013/04/17 11:18:15 ossec-agent: INFO: Starting syscheck scan (forwarding database).
>> >> >>> >
>> >> >>> > 2013/04/17 11:18:15 ossec-agent: INFO: Starting syscheck database (pre-scan).
>> >> >>> >
>> >> >>> > This is strange, we checked the connection (connection can be made to server
>> >> >>> > udp 1514) but we don't see anything in the server's logfile in
>> >> >>> > /var/ossec/log/ossec.log
>> >> >>> >
>> >> >>> > Is there anything we can do to further investigate?
>> >> >>> > Service seems to be running fine and the OSSEC agent logfile shows that
>> >> >>> > nothing is broken but the server never sees the successful connection.
>> >> >>> >
>> >> >>> > Michiel
>> >> >>> >
>> >> >
>> >

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

