On Tue, Jun 25, 2013 at 11:14 AM, David Blanton <blanton.davi...@gmail.com> wrote:
> I did not get rid of the queue/rids. When I reinstalled the Server/Agent
> clients, I just generated a new key and copied them over. I wasn't paying
> attention so I'm not sure if it generated a new key or if it was the same
> key. Do you think this is where I messed up?
>

If you removed the agent with manage_agents, and re-added that system
as a new agent, the rids don't matter. Make sure the old agent was
removed from client.keys. A duplicate IP address could definitely
cause issues.

>
> My mistake, I meant to say agentd - not analysisd.
>
> On Tuesday, June 25, 2013 10:49:46 AM UTC-4, dan (ddpbsd) wrote:
>>
>> On Tue, Jun 25, 2013 at 10:34 AM, David Blanton
>> <blanton...@gmail.com> wrote:
>> > I guess I should clarify the situation a little more. I'm currently
>> > working on the dev/test environment to explore OSSEC for our
>> > production servers.
>> >
>> > While in a test environment, I have installed, uninstalled,
>> > re-installed OSSEC and agents several times. I believe I can finally
>> > stop now that I am at 2.7.1 and am at a good place of understanding
>> > it. However, one of the problems I've encountered is that if an OSSEC
>> > agent is installed on a machine/box/server etc., if I ever re-install
>> > it, I will come across these WARN and ERROR logs. Whether it be
>> > incorrectly formatted or cannot accept
>>
>> Did you reinstall the key or create a new one? If you reused the key,
>> did you clear the rids file for the agent (/var/ossec/queue/rids)?
>>
>> > message. dan, if I have already deleted all the previous/older
>> > versions of OSSEC client-side, is there a way to go back and turn off
>> > analysisd?
>> >
>>
>> analysisd does not run on agents, only on the server.
>>
>> > Don't get me wrong - even though I am getting these messages, the WEB
>> > UI shows them as active, and they do trigger alerts. It's just I keep
>> > getting these 'older' installations of OSSEC prompting these errors.
>> > Do you know a way where I can turn agentd off without interfering
>> > with my newer ones?
>> >
>>
>> kill it?
>>
>> >
>> > On Tuesday, June 25, 2013 10:22:16 AM UTC-4, dan (ddpbsd) wrote:
>> >>
>> >> On Tue, Jun 25, 2013 at 10:08 AM, David Blanton
>> >> <blanton...@gmail.com> wrote:
>> >> > Even after #rm -rf /opt/ossec and the init.d for client-side, and
>> >> > prior I manage_agents and turn the agent off, I am still getting
>> >> > WARN: Messages from IPAddress from the agents in my server-side
>> >> > logs. If I re-install agents client-side, the agent will work and
>> >> > things will show in my WEB UI; however, I got the ERROR: IPAddress
>> >> > cannot connect to ServerIP.
>> >> >
>> >> > Anybody know what's going on? Am I missing a file to delete here?
>> >> >
>> >>
>> >> Are you trying to uninstall the agent?
>> >> If so, make sure none of the processes are running, especially
>> >> ossec-agentd.
>> >> If the processes aren't running, the agent shouldn't be sending
>> >> traffic to the server, so you shouldn't be getting the messages.
>> >>

--

---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.