The whole purpose of this exercise is to not have to go to each individual machine to input the key and configuration. We have over 3000 machines so that really is just not feasible. If the key & server is input manually when the software is installed it works fine. When the key file and config file are pushed out over the network (containing the exact same information that would have been input manually), it does not. This would be to the same machine, same configuration, no changes between manual input and pushed input. (except that it is not done manually).
If this is not possible, I would like to know this as soon as possible so that we can find a different solution for our IPS/IDS/FIM system. Thank you. On Monday, October 13, 2014 10:33:59 AM UTC-5, dan (ddpbsd) wrote: > > On Mon, Oct 13, 2014 at 11:21 AM, David Masters > <dmas...@24-7intouch.com <javascript:>> wrote: > > 2014/10/13 10:19:11 ossec-remoted(1403): ERROR: Incorrectly formated > message > > from 'any'. > > 2014/10/13 10:19:13 ossec-remoted(1408): ERROR: Invalid ID for the > source > > ip: '10.50.107.21'. > > Try readding the key to one of these agents manually (not one of the > "any" agents, but the ones with the IP address specifically). > > > 2014/10/13 10:19:16 ossec-remoted(1408): ERROR: Invalid ID for the > source > > ip: '10.50.107.20'. > > 2014/10/13 10:19:16 ossec-remoted(1403): ERROR: Incorrectly formated > message > > from 'any'. > > 2014/10/13 10:19:17 ossec-remoted(1408): ERROR: Invalid ID for the > source > > ip: '10.50.107.21'. > > 2014/10/13 10:19:22 ossec-remoted(1408): ERROR: Invalid ID for the > source > > ip: '10.50.107.20'. > > 2014/10/13 10:19:22 ossec-remoted(1403): ERROR: Incorrectly formated > message > > from 'any'. > > 2014/10/13 10:19:22 ossec-remoted(1408): ERROR: Invalid ID for the > source > > ip: '10.50.107.21'. > > 2014/10/13 10:19:28 ossec-remoted(1408): ERROR: Invalid ID for the > source > > ip: '10.50.107.21'. > > 2014/10/13 10:19:54 ossec-remoted(1408): ERROR: Invalid ID for the > source > > ip: '10.50.111.64'. > > > > On Monday, October 13, 2014 7:52:05 AM UTC-5, gr...@castraconsulting.com > > wrote: > >> > >> Assuming agent key and IP are distinct for each server, please put the > >> ossec-control into debug on the server and look for errors such as "not > >> allowed" and so forth > >> > >> On Monday, October 13, 2014 8:04:41 AM UTC-4, Antonio Querubin wrote: > >>> > >>> On Sun, 12 Oct 2014, David Masters wrote: > >>> > >>> > Ok...here is the log file from a freshly installed agent (shutdown > >>> > ossec > >>> > server, removed all rid files, no rid files on agent system, > manually > >>> > entererd key and server address): > >>> > >>> > This is the log file from same machine after pushing out key > >>> > file/ossec.conf file and deleting rid files (no change to any other > >>> > part of > >>> > the machine or configuration): > >>> > >>> > Verified all information in both files was exactly the same as > before > >>> > and > >>> > files in rids directory were deleted before service was restarted. > >>> > >>> > Any ideas? > >>> > >>> Did you remove the corresponding rids file on the server? > >>> > >>> Antonio Querubin > >>> e-mail: to...@lavanauts.org > >>> xmpp: antonio...@gmail.com > > > > -- > > > > --- > > You received this message because you are subscribed to the Google > Groups > > "ossec-list" group. > > To unsubscribe from this group and stop receiving emails from it, send > an > > email to ossec-list+...@googlegroups.com <javascript:>. > > For more options, visit https://groups.google.com/d/optout. > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
