On Monday, August 11, 2014 12:35:11 PM UTC-4, dan (ddpbsd) wrote:
>
> On Fri, Aug 8, 2014 at 9:53 AM, Tim Boyer <[email protected]> wrote:
> > ossec 2.8-45 and RHEL10
> >
> > Upgraded to 2.8 from 2.6. I've got a large number of servers with 'Waiting
> > for server reply', which is strange, because it worked previously.
> >
> > So server at 10.0.130.137, and client at 10.0.130.133. Client says
> >
> > 2014/08/08 08:59:49 ossec-agentd: INFO: Using IPv4 for: 10.0.130.137 .
> > 2014/08/08 09:00:10 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '10.0.130.137'.
> > 2014/08/08 09:05:36 ossec-agentd: INFO: Trying to connect to server (10.0.130.137:1514).
> > 2014/08/08 09:05:36 ossec-agentd: INFO: Using IPv4 for: 10.0.130.137 .
> > 2014/08/08 09:05:57 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '10.0.130.137'.
> >
> > but I know what that means. Firewall, right? And yet on the server side:
> >
> > 2014/08/08 09:32:31 ossec-remoted(1403): ERROR: Incorrectly formated message from '10.0.130.133'.
> > 2014/08/08 09:32:37 ossec-remoted(1403): ERROR: Incorrectly formated message from '10.0.130.133'.
> >
> > Don't know how it could be a firewall if the server sees it. Tcpdump
> > verifies that messages are coming in, but not out:
> >
> > root@saratoga logs)# tcpdump -nn udp and host 10.0.130.133
> > tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> > listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
> > 09:41:49.004763 IP 10.0.130.133.37892 > 10.0.130.137.1514: UDP, length 73
> > 09:41:55.005153 IP 10.0.130.133.37892 > 10.0.130.137.1514: UDP, length 73
> > 09:41:59.005509 IP 10.0.130.133.37892 > 10.0.130.137.1514: UDP, length 73
> > 09:42:04.005833 IP 10.0.130.133.37892 > 10.0.130.137.1514: UDP, length 73
> >
> > Bad key, right? Stop server and client; delete key; add key; start server;
> > start client.
> >
>
> Did you try a new key, or just the old key? Are the agents using the
> IP addresses assigned to them in client.keys?
>

Crud. Duplicate IPs in /etc/client.keys. OK, time for housekeeping. Thanks much, Dan...
-- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
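Added example, not code from this thread or from the OSSEC project: a small checker for the housekeeping step Tim ends up doing, which flags agent entries in client.keys that share an IP, an ID or a name. It assumes the standard client.keys layout of one agent per line with four whitespace-separated fields, `ID NAME IP KEY`, and runs against a constructed sample file that reproduces the duplicate 10.0.130.133 entry from the thread.

```python
"""Duplicate-entry checker for an OSSEC client.keys file.

Added example, not code from the ossec-list thread or from OSSEC itself. It
assumes the standard client.keys layout: one agent per line, four
whitespace-separated fields 'ID NAME IP KEY'; blank lines and lines starting
with '#' are skipped. ossec-remoted picks the key for an incoming datagram by
the agent's source address, so two entries sharing an IP can leave one of the
agents unable to get a reply, which is the symptom in the thread.
"""
import sys
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample: agents 001 and 003 both claim 10.0.130.133.
# The key fields are shortened placeholders, not real OSSEC keys.
SAMPLE_KEYS = """\
# id name ip key
001 web01 10.0.130.133 0123456789abcdef0123456789abcdef
002 web02 10.0.130.134 fedcba9876543210fedcba9876543210
003 web01-rebuilt 10.0.130.133 00112233445566778899aabbccddeeff
004 jumphost any ffeeddccbbaa99887766554433221100
"""

Entry = Tuple[str, str, str]  # (agent id, agent name, ip / 'any' / CIDR)


def parse_client_keys(text: str) -> List[Entry]:
    """Parse client.keys text, keeping only the identity fields (the key is dropped)."""
    entries: List[Entry] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 4:
            raise ValueError(f"client.keys line {lineno}: expected 4 fields, got {len(fields)}")
        agent_id, name, ip, _key = fields
        entries.append((agent_id, name, ip))
    return entries


def find_duplicates(entries: List[Entry]) -> Dict[str, Dict[str, List[str]]]:
    """Group entries by IP, ID and name and keep only values used more than once.

    Returns {'ip': {value: [agent ids]}, 'id': {...}, 'name': {...}}.
    'any' is a legitimate wildcard that several agents may share, so it is not
    treated as an IP collision here.
    """
    by_ip: Dict[str, List[str]] = defaultdict(list)
    by_id: Dict[str, List[str]] = defaultdict(list)
    by_name: Dict[str, List[str]] = defaultdict(list)
    for agent_id, name, ip in entries:
        by_id[agent_id].append(agent_id)
        by_name[name].append(agent_id)
        if ip != "any":
            by_ip[ip].append(agent_id)
    return {
        "ip": {k: v for k, v in by_ip.items() if len(v) > 1},
        "id": {k: v for k, v in by_id.items() if len(v) > 1},
        "name": {k: v for k, v in by_name.items() if len(v) > 1},
    }


def report(dups: Dict[str, Dict[str, List[str]]]) -> List[str]:
    """Render one line per collision; an empty list means the file is clean."""
    lines: List[str] = []
    for field, collisions in dups.items():
        for value, ids in sorted(collisions.items()):
            lines.append(f"duplicate {field} {value!r} used by agent ids {', '.join(ids)}")
    return lines


if __name__ == "__main__":
    # Usage: python check_client_keys.py /var/ossec/etc/client.keys
    # With no argument the constructed sample above is checked instead.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_KEYS
    problems = report(find_duplicates(parse_client_keys(text)))
    print("\n".join(problems) if problems else "no duplicate ids, names or IPs")
    sys.exit(1 if problems else 0)
```

Run it against the manager's client.keys (the thread refers to /etc/client.keys; the OSSEC default install puts it at /var/ossec/etc/client.keys) and it exits non-zero when any collision is found, which makes it easy to wire into a post-upgrade check before restarting agents. Entries written as CIDR ranges are only compared for exact textual duplicates; overlap between a range and a single address is not detected.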
