ossec 2.8-45 and RHEL10

Upgraded to 2.8 from 2.6. I've got a large number of servers with 'Waiting for server reply', which is strange, because it worked previously.
So server at 10.0.130.137, and client at 10.0.130.133. Client says

2014/08/08 08:59:49 ossec-agentd: INFO: Using IPv4 for: 10.0.130.137 .
2014/08/08 09:00:10 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '10.0.130.137'.
2014/08/08 09:05:36 ossec-agentd: INFO: Trying to connect to server (10.0.130.137:1514).
2014/08/08 09:05:36 ossec-agentd: INFO: Using IPv4 for: 10.0.130.137 .
2014/08/08 09:05:57 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '10.0.130.137'.

but I know what that means. Firewall, right? And yet on the server side:

2014/08/08 09:32:31 ossec-remoted(1403): ERROR: Incorrectly formated message from '10.0.130.133'.
2014/08/08 09:32:37 ossec-remoted(1403): ERROR: Incorrectly formated message from '10.0.130.133'.

Don't know how it could be a firewall if the server sees it. Tcpdump verifies that messages are coming in, but not out:

root@saratoga logs)# tcpdump -nn udp and host 10.0.130.133
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
09:41:49.004763 IP 10.0.130.133.37892 > 10.0.130.137.1514: UDP, length 73
09:41:55.005153 IP 10.0.130.133.37892 > 10.0.130.137.1514: UDP, length 73
09:41:59.005509 IP 10.0.130.133.37892 > 10.0.130.137.1514: UDP, length 73
09:42:04.005833 IP 10.0.130.133.37892 > 10.0.130.137.1514: UDP, length 73

Bad key, right? Stop server and client; delete key; add key; start server; start client. Same thing.

2014/08/08 09:48:13 ossec-remoted(1403): ERROR: Incorrectly formated message from '10.0.130.133'.
2014/08/08 09:48:19 ossec-remoted(1403): ERROR: Incorrectly formated message from '10.0.130.133'.
2014/08/08 09:48:23 ossec-remoted(1403): ERROR: Incorrectly formated message from '10.0.130.133'.

So this is a combination I'm not familiar with. Any suggestions?
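Added example, not part of the original post and not OSSEC code: with a large number of agents in this state, the same three-way comparison (packets in, packets out, ossec-remoted errors) can be done per agent from a server-side tcpdump capture and the remoted log. The function name, verdict labels and the 10.0.130.140 lines are assumptions made for illustration.

```python
import re
from collections import Counter

# Sample data: the 10.0.130.133 lines are taken from the post above;
# the 10.0.130.140 lines are constructed to show a healthy agent for contrast.
TCPDUMP = """\
09:41:49.004763 IP 10.0.130.133.37892 > 10.0.130.137.1514: UDP, length 73
09:41:55.005153 IP 10.0.130.133.37892 > 10.0.130.137.1514: UDP, length 73
09:41:56.100000 IP 10.0.130.140.40111 > 10.0.130.137.1514: UDP, length 73
09:41:56.100900 IP 10.0.130.137.1514 > 10.0.130.140.40111: UDP, length 73
"""
REMOTED_LOG = """\
2014/08/08 09:48:13 ossec-remoted(1403): ERROR: Incorrectly formated message from '10.0.130.133'.
2014/08/08 09:48:19 ossec-remoted(1403): ERROR: Incorrectly formated message from '10.0.130.133'.
"""

# "IP src.sport > dst.dport: UDP" as printed by tcpdump -nn
PKT = re.compile(r"IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): UDP")
# The error string is matched exactly as remoted prints it (including "formated").
ERR = re.compile(r"ossec-remoted\(\d+\): ERROR: Incorrectly formated message from '([^']+)'")


def triage(tcpdump_text, remoted_text, server_ip, port=1514):
    """Return {agent_ip: (inbound, outbound, rejected, verdict)}."""
    inbound, outbound, rejected = Counter(), Counter(), Counter()
    for src, sport, dst, dport in PKT.findall(tcpdump_text):
        if dst == server_ip and int(dport) == port:
            inbound[src] += 1        # agent -> server
        elif src == server_ip and int(sport) == port:
            outbound[dst] += 1       # server -> agent reply
    for agent in ERR.findall(remoted_text):
        rejected[agent] += 1         # remoted read the datagram and discarded it
    report = {}
    for agent in sorted(set(inbound) | set(outbound) | set(rejected)):
        i, o, r = inbound[agent], outbound[agent], rejected[agent]
        if o:
            verdict = "two-way"
        elif r:
            verdict = "received-but-rejected"  # reaches the daemon, fails parsing
        else:
            verdict = "received-no-reply"      # seen on the wire, nothing logged
        report[agent] = (i, o, r, verdict)
    return report


if __name__ == "__main__":
    for agent, row in triage(TCPDUMP, REMOTED_LOG, "10.0.130.137").items():
        print(agent, *row)
```

Agents reported as received-but-rejected are ones whose datagrams reach ossec-remoted, so the inbound path is not where they are being dropped.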
