On Monday, August 11, 2014 12:35:11 PM UTC-4, dan (ddpbsd) wrote:
>
> On Fri, Aug 8, 2014 at 9:53 AM, Tim Boyer <[email protected]> wrote:
> > ossec 2.8-45 and RHEL10
> >
> > Upgraded to 2.8 from 2.6.  I've got a large number of servers with 'Waiting for server reply', which is strange, because it worked previously.
> >
> > So server at 10.0.130.137, and client at 10.0.130.133.  Client says
> >
> > 2014/08/08 08:59:49 ossec-agentd: INFO: Using IPv4 for: 10.0.130.137 .
> > 2014/08/08 09:00:10 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '10.0.130.137'.
> > 2014/08/08 09:05:36 ossec-agentd: INFO: Trying to connect to server (10.0.130.137:1514).
> > 2014/08/08 09:05:36 ossec-agentd: INFO: Using IPv4 for: 10.0.130.137 .
> > 2014/08/08 09:05:57 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '10.0.130.137'.
> >
> > but I know what that means.  Firewall, right?  And yet on the server side:
> >
> > 2014/08/08 09:32:31 ossec-remoted(1403): ERROR: Incorrectly formated message from '10.0.130.133'.
> > 2014/08/08 09:32:37 ossec-remoted(1403): ERROR: Incorrectly formated message from '10.0.130.133'.
> >
> > Don't know how it could be a firewall if the server sees it.  Tcpdump verifies that messages are coming in, but not out:
> >
> > root@saratoga logs)# tcpdump -nn udp and host 10.0.130.133
> > tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> > listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
> > 09:41:49.004763 IP 10.0.130.133.37892 > 10.0.130.137.1514: UDP, length 73
> > 09:41:55.005153 IP 10.0.130.133.37892 > 10.0.130.137.1514: UDP, length 73
> > 09:41:59.005509 IP 10.0.130.133.37892 > 10.0.130.137.1514: UDP, length 73
> > 09:42:04.005833 IP 10.0.130.133.37892 > 10.0.130.137.1514: UDP, length 73
> >
> > Bad key, right?  Stop server and client; delete key; add key; start server; start client.
> >
>
> Did you try a new key, or just the old key? Are the agents using the 
> IP addresses assigned to them in client.keys? 
>
>
>
Crud.  Duplicate IPs in /etc/client.keys.  OK, time for housekeeping.  
Thanks much, Dan...