On Fri, May 16, 2014 at 2:40 AM, 'Bart Nukats' via ossec-list
<ossec-list@googlegroups.com> wrote:
> Hello Dan,
>
> Thanks for the explanation, so if I set up cron to overwrite all rids to the
> lowest value or no value at all it will sort this out permanently, or is
> there any way of disabling this feature?
>

Yes, there is an option to turn it off. Obviously we don't recommend
doing that because it is a security feature, but some setups are
strange.

Set remoted.verify_msg_id to 0 in internal_options.conf to disable the
rids check.

> Br,
>
>
> On Wednesday, 14 May 2014 14:47:49 UTC+2, Bart Nukats wrote:
>>
>> Hello,
>>
>> I'm having issues with agents, I'm unable to successfully reconnect them,
>> tried almost everything, but nothing helps, therefore asking for help here.
>>
>> Info:
>>
>> I'm using OSSEC HIDS v2.7.1
>> Servers IP: 10.48.1.247
>> Agent IP: 10.48.1.213
>> Firewall: No local or remote firewall is enabled, everything is allowed as
>> the traffic goes to the switch and comes back to the host.
>>
>> It stopped working right after I rebooted my computer (was working fine
>> for 3 days). I didn't change anything nor modify anything.
>>
>> Log data:
>>
>> from agent log:
>>
>> 2014/05/14 14:25:31 ossec-agent: INFO: Started (pid: 6684).
>> 2014/05/14 14:25:41 ossec-agent: WARN: Process locked. Waiting for
>> permission...
>> 2014/05/14 14:25:51 ossec-agent(4101): WARN: Waiting for server reply (not
>> started). Tried: '10.48.1.247'.
>> 2014/05/14 14:25:53 ossec-agent: INFO: Trying to connect to server
>> (10.48.1.247:1514).
>> 2014/05/14 14:25:53 ossec-agent: INFO: Using IPv4 for: 10.48.1.247 .
>> 2014/05/14 14:26:14 ossec-agent(4101): WARN: Waiting for server reply (not
>> started). Tried: '10.48.1.247'.
>> 2014/05/14 14:26:34 ossec-agent: INFO: Trying to connect to server
>> (10.48.1.247:1514).
>> 2014/05/14 14:26:34 ossec-agent: INFO: Using IPv4 for: 10.48.1.247 .
>> 2014/05/14 14:26:55 ossec-agent(4101): WARN: Waiting for server reply (not
>> started). Tried: '10.48.1.247'.
>> 2014/05/14 14:27:33 ossec-agent: INFO: Trying to connect to server
>> (10.48.1.247:1514).
>> 2014/05/14 14:27:33 ossec-agent: INFO: Using IPv4 for: 10.48.1.247 .
>> 2014/05/14 14:27:54 ossec-agent(4101): WARN: Waiting for server reply (not
>> started). Tried: '10.48.1.247'.
>> 2014/05/14 14:28:50 ossec-agent: INFO: Trying to connect to server
>> (10.48.1.247:1514).
>> 2014/05/14 14:28:50 ossec-agent: INFO: Using IPv4 for: 10.48.1.247 .
>> 2014/05/14 14:29:11 ossec-agent(4101): WARN: Waiting for server reply (not
>> started). Tried: '10.48.1.247'.
>>
>> From wireshark on agent:
>>
>> Everything seems fine
>>
>> From OSSEC server:
>>
>> listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
>> 14:26:02.058989 IP 10.48.1.213.60259 > 10.48.1.247.1514: UDP, length 78
>> 14:26:08.059936 IP 10.48.1.213.60259 > 10.48.1.247.1514: UDP, length 78
>> 14:26:10.081897 IP 10.48.1.213.54240 > 10.48.1.247.1514: UDP, length 78
>> 14:26:16.082880 IP 10.48.1.213.54240 > 10.48.1.247.1514: UDP, length 78
>> 14:26:20.082857 IP 10.48.1.213.54240 > 10.48.1.247.1514: UDP, length 78
>> 14:26:25.083823 IP 10.48.1.213.54240 > 10.48.1.247.1514: UDP, length 78
>> 14:26:31.083738 IP 10.48.1.213.54240 > 10.48.1.247.1514: UDP, length 78
>>
>> It receives the packets from the agent (compared with wireshark from
>> agent, everything seems the same)
>>
>> from Server logs:
>>
>> /var/ossec/logs# tail -f ossec.log
>> 2014/05/14 14:43:07 ossec-remoted: WARN: Duplicate error:  global: 0,
>> local: 51, saved global: 219, saved local:3548
>> 2014/05/14 14:43:07 ossec-remoted(1407): ERROR: Duplicated counter for
>> 'stakub01'.
>> 2014/05/14 14:43:13 ossec-remoted: WARN: Duplicate error:  global: 0,
>> local: 52, saved global: 219, saved local:3548
>> 2014/05/14 14:43:13 ossec-remoted(1407): ERROR: Duplicated counter for
>> 'stakub01'.
>> 2014/05/14 14:43:17 ossec-remoted: WARN: Duplicate error:  global: 0,
>> local: 53, saved global: 219, saved local:3548
>> 2014/05/14 14:43:17 ossec-remoted(1407): ERROR: Duplicated counter for
>> 'stakub01'.
>> 2014/05/14 14:43:22 ossec-remoted: WARN: Duplicate error:  global: 0,
>> local: 54, saved global: 219, saved local:3548
>> 2014/05/14 14:43:22 ossec-remoted(1407): ERROR: Duplicated counter for
>> 'stakub01'.
>> 2014/05/14 14:43:28 ossec-remoted: WARN: Duplicate error:  global: 0,
>> local: 55, saved global: 219, saved local:3548
>> 2014/05/14 14:43:28 ossec-remoted(1407): ERROR: Duplicated counter for
>> 'stakub01'.
>>
>>
>> I've checked the agents and there is only one username stakub01 - mine, so
>> I don't understand the message.
>>
>> 1) I've re-installed the agent - put all the values again, the agent
>> registered - "Status: Running..."
>>
>> 2) I've restarted the management server a couple of times, still the same
>> issue
>>
>> 3) rebooted the Linux server where ossec is - still the same issue
>>
>> 4) the only viable solution would be to get rid of the duplicates? But how
>> did they get there?
>>
>> Br,
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
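
An added example, not part of the original thread or of OSSEC's code: a small Python parser for the ossec-remoted rejections quoted above. It separates an agent whose counters restarted behind the server's saved value (the situation in this thread) from a counter that is simply seen twice. The classification rule and the `agent-b` entries are assumptions made for illustration, and each log entry is assumed to sit on one line.

```python
import re
from collections import defaultdict

# Sample input: the 'stakub01' entries follow the log quoted in this thread
# (joined onto single lines); the 'agent-b' entries are constructed.
SAMPLE_LOG = """\
2014/05/14 14:43:07 ossec-remoted: WARN: Duplicate error:  global: 0, local: 51, saved global: 219, saved local:3548
2014/05/14 14:43:07 ossec-remoted(1407): ERROR: Duplicated counter for 'stakub01'.
2014/05/14 14:43:13 ossec-remoted: WARN: Duplicate error:  global: 0, local: 52, saved global: 219, saved local:3548
2014/05/14 14:43:13 ossec-remoted(1407): ERROR: Duplicated counter for 'stakub01'.
2014/05/14 14:43:17 ossec-remoted: WARN: Duplicate error:  global: 0, local: 53, saved global: 219, saved local:3548
2014/05/14 14:43:17 ossec-remoted(1407): ERROR: Duplicated counter for 'stakub01'.
2014/05/14 14:44:01 ossec-remoted: WARN: Duplicate error:  global: 7, local: 120, saved global: 7, saved local:120
2014/05/14 14:44:01 ossec-remoted(1407): ERROR: Duplicated counter for 'agent-b'.
2014/05/14 14:44:09 ossec-remoted: WARN: Duplicate error:  global: 7, local: 120, saved global: 7, saved local:120
2014/05/14 14:44:09 ossec-remoted(1407): ERROR: Duplicated counter for 'agent-b'.
"""

WARN_RE = re.compile(r"Duplicate error:\s+global: (\d+), local: (\d+), "
                     r"saved global: (\d+), saved local:\s*(\d+)")
AGENT_RE = re.compile(r"Duplicated counter for '([^']+)'")

def parse_rejections(log_text):
    """Map agent name -> list of ((recv_global, recv_local), (saved_global, saved_local))."""
    out, pending = defaultdict(list), None
    for line in log_text.splitlines():
        warn, agent = WARN_RE.search(line), AGENT_RE.search(line)
        if warn:
            g, loc, sg, sloc = map(int, warn.groups())
            pending = ((g, loc), (sg, sloc))
        elif agent and pending:  # the ERROR line names the agent for the WARN before it
            out[agent.group(1)].append(pending)
            pending = None
    return dict(out)

def classify(events):
    """Heuristic label (an assumption of this example, not OSSEC's own logic)."""
    received = [r for r, _ in events]
    saved_fixed = len({s for _, s in events}) == 1
    behind = all(r < s for r, s in events)  # counters compared as (global, local) pairs
    advancing = all(a < b for a, b in zip(received, received[1:]))
    if behind and advancing and saved_fixed:
        return "agent-counter-reset"  # fresh counters behind a saved value that never moves
    if len(set(received)) < len(received):
        return "repeated-message"     # same counter seen again: retransmit or replay
    return "unclear"

def report(log_text):
    return {a: classify(e) for a, e in parse_rejections(log_text).items()}
```

An `agent-counter-reset` result points at lost or rewound rids state on the agent side rather than at a replayed message, which is worth establishing before considering `remoted.verify_msg_id`.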
