On Thursday, April 18, 2013 at 14:45:58 UTC+2, Dmitry wrote:
>
> Try make the following on ossec server:
> agent_control -r -u <id>
> agent_control -i <id>
>
> I had 2 Windows XP hosts that were in Never connected state after I changed agent keys on them.
> I've tcpdumped communication between server-agent and saw that the agent sends packets and the server replies during all night, but the server had been reporting Never connected.
> In my case, only after applying these commands the server starts to see agents.
>

Hi Dmitry,
That does not seem to help:

ID: 1371, Name: server001, IP: any, Never connected

[root@secsever01 ~]# /var/ossec/bin/agent_control -r -u 1371

OSSEC HIDS agent_control: Restarting Syscheck/Rootcheck on agent: 1371

[root@secserver01 ~]# /var/ossec/bin/agent_control -i 1371

OSSEC HIDS agent_control. Agent information:
   Agent ID:   1371
   Agent Name: server001
   IP address: any/any
   Status:     Never connected

   Operating system:    Unknown
   Client version:      Unknown
   Last keep alive:     Unknown

   Syscheck last started  at: Wed Apr 17 17:46:04 2013
   Rootcheck last started at: Thu Apr 18 13:50:45 2013

2013/04/17 15:03:13 ossec-remoted: INFO: No previous counter available for 'server001'.
2013/04/17 15:03:13 ossec-remoted: INFO: Assigning counter for agent server001: '0:0'.
2013/04/17 15:03:13 ossec-remoted: INFO: Assigning sender counter: 16:6754
2013/04/17 18:16:46 ossec-remoted: INFO: Event count after '20000': 1754474->1604504 (91%)
2013/04/18 02:46:40 ossec-remoted: INFO: Event count after '20000': 1328538->1445448 (108%)
2013/04/18 04:04:44 ossec-rootcheck: INFO: Starting rootcheck scan.
2013/04/18 04:11:55 ossec-rootcheck: INFO: Ending rootcheck scan.
2013/04/18 07:56:55 ossec-syscheckd: INFO: Starting syscheck scan.
2013/04/18 08:03:39 ossec-syscheckd: INFO: Ending syscheck scan.
2013/04/18 11:18:55 ossec-remoted: INFO: Event count after '20000': 1324382->1442808 (108%)

Still never connected state.
>
> 2013/4/18 Michiel van Es <vanesm...@gmail.com>
>
>> On Wednesday, April 17, 2013 at 17:53:47 UTC+2, dan (ddpbsd) wrote:
>>>
>>> On Wed, Apr 17, 2013 at 11:46 AM, Michiel van Es <vanesm...@gmail.com> wrote:
>>> >
>>> > On Wednesday, April 17, 2013 at 17:08:48 UTC+2, dan (ddpbsd) wrote:
>>> >>
>>> >> On Wed, Apr 17, 2013 at 10:39 AM, Michiel van Es <vanesm...@gmail.com> wrote:
>>> >> >
>>> >> > On Wednesday, April 17, 2013 at 15:44:03 UTC+2, Michiel van Es wrote:
>>> >> >>
>>> >> >> On Wednesday, April 17, 2013 at 15:19:38 UTC+2, dan (ddpbsd) wrote:
>>> >> >>>
>>> >> >>> On Wed, Apr 17, 2013 at 6:27 AM, Michiel van Es <vanesm...@gmail.com> wrote:
>>> >> >>> > Hello,
>>> >> >>> >
>>> >> >>> > We have installed OSSEC 2.7 on a CentOS machine which is working fine with several Windows and Linux agents.
>>> >> >>> > We are trying to install the OSSEC 2.7 agent package on a Windows 2008 server, which goes well, but at the end, after the manual agent config (ip and secret) and restarting of the service, we still see that the agent is never connected:
>>> >> >>> >
>>> >> >>> > On the OSSEC server:
>>> >> >>> >
>>> >> >>> > ID: 1368, Name: server001, IP: x.x.x.x, Never connected
>>> >> >>> >
>>> >> >>>
>>> >> >>> Is there any useful information in the ossec server's ossec.log (if I missed it I'm sorry)?
>>> >> >>> If you start the ossec processes on the server in debug mode, do you receive log messages then?
>>> >> >>> Is the syscheck db for the agent populated (/var/ossec/queue/syscheck/STUFF)?
>>> >> >>> Any alerts based on log messages from the agent?
>>> >> >>
>>> >> >> We see nothing in the server's ossec.log (we do see the ossec-authd connection).
>>> >>
>>> >> The agent shouldn't be making multiple authd connections...
>>> >>
>>> >> >> We see UDP traffic on the server between server <==> agent
>>> >> >> We don't have this issue with Windows 2003 and finally we tried 2.6 and 2.7 and both don't work (they are logging on the agent that everything is working fine but nothing on the server).
>>> >> >
>>> >> > Extra information with debugging logging on:
>>> >> >
>>> >> > (too much to paste here:)
>>> >> > http://pastebin.com/hEyc9VLA
>>> >> >
>>> >>
>>> >> Any luck on getting the debug info from the server? How about checking the syscheck db? Alerts?
>>> >
>>> > no entry/file in /var/ossec/queue/syscheck.
>>> > I was a little hesitant to turn on debugging on the server since more than 300 agents are connected.. will do that in a controlled manner.
>>> > I am seeing entries in /var/ossec/log/alerts/* so the connection is working; the only problem is that agent_control -l says it has never connected.
>>> > This makes it difficult for us to see which nodes are down or not.
>>> >
>>> >> Does the agent have a file in /var/ossec/queue/agent-info? If so, try stopping the ossec processes on the server, moving that file, and starting the processes back up.
>>> >
>>> > Yes, the file exists.
>>> > Moved and restarted but the agent is still never connected.
>>>
>>> Is the file recreated? What is in that file?
>>
>> yes it is recreated with the following contents:
>>
>> server001
>> -
>> 1371
>> (null)
>>
>> The ID and servername match
>>
>>> >> Try turning on the log all option on the server, and check for the agent's logs in the archive.log file.
>>> >
>>> > Before I turn on all kinds of logging, can we pinpoint it to the agent_control check? Alerts are coming in and thus network connection and such are working fine.
>>> >
>>>
>>> Yes, it appears to be with the agent_control check.
>>
>> Ok, can I turn on debugging for just that control/check/binary?
>>
>>> >> >>
>>> >> >> I will try the debug mode and check if the syscheck db is populated.
>>> >> >>>
>>> >> >>> > On the agent in c:\program files(x86)\ossec-agent\ossec.log we see:
>>> >> >>> >
>>> >> >>> > 2013/04/17 11:17:16 ossec-agent(4102): INFO: Connected to the server (*server ip*:1514).
>>> >> >>> > 2013/04/17 11:17:16 ossec-agent: INFO: System is Vista or Windows Server 2008.
>>> >> >>> > 2013/04/17 11:17:16 ossec-agent(1951): INFO: Analyzing event log: 'Application'.
>>> >> >>> > 2013/04/17 11:17:16 ossec-agent(1951): INFO: Analyzing event log: 'Security'.
>>> >> >>> > 2013/04/17 11:17:17 ossec-agent(1951): INFO: Analyzing event log: 'System'.
>>> >> >>> > 2013/04/17 11:17:17 ossec-agent: INFO: Started (pid: 6984).
>>> >> >>> > 2013/04/17 11:18:15 ossec-agent: INFO: Starting syscheck scan (forwarding database).
>>> >> >>> > 2013/04/17 11:18:15 ossec-agent: INFO: Starting syscheck database (pre-scan).
>>> >> >>> >
>>> >> >>> > This is strange, we checked the connection (connection can be made to server udp 1514) but we don't see anything in the server's logfile in /var/ossec/log/ossec.log
>>> >> >>> >
>>> >> >>> > Is there anything we can do to further investigate?
>>> >> >>> > Service seems to be running fine and the OSSEC agent logfile shows that nothing is broken but the server never sees the successful connection.
>>> >> >>> >
>>> >> >>> > Michiel
>>> >> >>> >

-- 
--- 
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/groups/opt_out.
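The thread's practical problem is telling which agents are really down when agent_control reports "Never connected" even though alerts arrive. The following is an added example, not code from the thread or from OSSEC: it derives the status the same way agent_control is assumed to (the "<name>-<ip>" file name under queue/agent-info and an active window of 3 * 600 seconds are assumptions about OSSEC's logic, not stated in the thread) and also lists leftover agent-info files for the same agent name under another IP, which is where a re-keyed agent's history tends to hide. The client.keys lines and agent-info files are constructed.

```python
import os
import tempfile
from pathlib import Path

# Assumption (not from the thread): agent_control treats an agent as Active when
# its agent-info file was modified within 3 * NOTIFY_TIME (600 s), Disconnected
# when the file is older, and Never connected when the file does not exist.
ACTIVE_WINDOW = 3 * 600

def parse_client_keys(text):
    """Return (id, name, ip) for each client.keys line '<id> <name> <ip> <key>',
    skipping comments and entries marked removed with a leading '!' on the name."""
    agents = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0].startswith("#") or parts[1].startswith("!"):
            continue
        agents.append((parts[0], parts[1], parts[2]))
    return agents

def agent_status(info_dir, name, ip, now):
    """Status derived from the agent-info file, assumed to be named '<name>-<ip>'."""
    path = Path(info_dir) / f"{name}-{ip}"
    if not path.exists():
        return "Never connected"
    return "Active" if now - path.stat().st_mtime < ACTIVE_WINDOW else "Disconnected"

def leftover_info_files(info_dir, name, ip):
    """agent-info files for the same agent name but a different IP suffix; a file
    like this is what a 'Never connected' verdict does not show you."""
    own = f"{name}-{ip}"
    return sorted(p.name for p in Path(info_dir).glob(f"{name}-*") if p.name != own)

def report(keys_text, info_dir, now):
    return [(i, n, ip, agent_status(info_dir, n, ip, now), leftover_info_files(info_dir, n, ip))
            for i, n, ip in parse_client_keys(keys_text)]

def demo():
    """Constructed sample: a re-keyed agent (old entry removed, new entry on IP 'any')
    whose only agent-info file still carries the old IP, one stale agent, one healthy."""
    now = 1366286400  # fixed 'current time' so the result is reproducible
    keys = ("1368 !server001 x.x.x.x 0000\n"      # removed after re-keying
            "1371 server001 any 0000\n"
            "1372 server002 10.0.0.2 0000\n"
            "1373 server003 10.0.0.3 0000\n")
    info_dir = tempfile.mkdtemp()
    for fname, age in (("server001-x.x.x.x", 7200), ("server002-10.0.0.2", 60),
                       ("server003-10.0.0.3", 7200)):
        p = Path(info_dir, fname)
        p.write_text("constructed\n")
        os.utime(p, (now - age, now - age))   # backdate the keepalive timestamp
    return report(keys, info_dir, now)

if __name__ == "__main__":
    for row in demo():
        print(row)
```

On a real server, replace the constructed data with the contents of /var/ossec/etc/client.keys and the path /var/ossec/queue/agent-info.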