I am acquiring the keys originally from the server (cat client.keys) then 
copying that information directly from the putty.log file into a 
spreadsheet.  The key files I am creating are being created directly from 
the spreadsheet.  I manually verify the information in the keys file before 
it is copied down to the computer.  Same with the ossec.conf file...it was 
copied originally from a machine that was communicating properly with the 
server.

If you guys know of any scripts or automation help you can offer, I would 
be most appreciative.  I've been banging my head against a wall on this one.

On Monday, October 13, 2014 12:30:10 PM UTC-5, LostInThe Tubez wrote:
>
> Many people have created an automated deployment script successfully, so 
> no need to worry there. How are you exporting the agent keys from the 
> manager? More to the point, WHICH key are you using in your group policy 
> script? If you really are using the same key that you would use in the GUI, 
> as you state, then that’s the problem. 
>
>  
>
> Here’s an exercise to illustrate the point: manually install an agent, 
> such that it is communicating with the manager successfully. Open 
> client.keys on the agent and look at the key. Now compare that key to the 
> one in /var/ossec/etc/client.keys on the manager. They should be the same. 
> When manually shuffling keys about using scripts, there is no need to 
> extract the key using manage_agents.
>
>  
>
> *From:* ossec...@googlegroups.com [mailto:
> ossec...@googlegroups.com] *On Behalf Of* David Masters
> *Sent:* Monday, October 13, 2014 9:19 AM
> *To:* ossec...@googlegroups.com
> *Subject:* Re: [ossec-list] Windows agents not connecting to OSSEC server
>
>  
>
> The whole purpose of this exercise is to not have to go to each individual 
> machine to input the key and configuration.  We have over 3000 machines so 
> that really is just not feasible.  If the key & server is input manually 
> when the software is installed it works fine.  When the key file and config 
> file are pushed out over the network (containing the exact same information 
> that would have been input manually), it does not.  This would be to the 
> same machine, same configuration, no changes between manual input and 
> pushed input. (except that it is not done manually).  
>
>  
>
> If this is not possible, I would like to know this as soon as possible so 
> that we can find a different solution for our IPS/IDS/FIM system.
>
>  
>
> Thank you.
>
>  
>
>
> On Monday, October 13, 2014 10:33:59 AM UTC-5, dan (ddpbsd) wrote:
>
> On Mon, Oct 13, 2014 at 11:21 AM, David Masters 
> <dmas...@24-7intouch.com> wrote: 
> > 2014/10/13 10:19:11 ossec-remoted(1403): ERROR: Incorrectly formated 
> message 
> > from 'any'. 
> > 2014/10/13 10:19:13 ossec-remoted(1408): ERROR: Invalid ID for the 
> source 
> > ip: '10.50.107.21'. 
>
> Try re-adding the key to one of these agents manually (not one of the 
> "any" agents, but the ones with the IP address specifically). 
>
> > 2014/10/13 10:19:16 ossec-remoted(1408): ERROR: Invalid ID for the 
> source 
> > ip: '10.50.107.20'. 
> > 2014/10/13 10:19:16 ossec-remoted(1403): ERROR: Incorrectly formated 
> message 
> > from 'any'. 
> > 2014/10/13 10:19:17 ossec-remoted(1408): ERROR: Invalid ID for the 
> source 
> > ip: '10.50.107.21'. 
> > 2014/10/13 10:19:22 ossec-remoted(1408): ERROR: Invalid ID for the 
> source 
> > ip: '10.50.107.20'. 
> > 2014/10/13 10:19:22 ossec-remoted(1403): ERROR: Incorrectly formated 
> message 
> > from 'any'. 
> > 2014/10/13 10:19:22 ossec-remoted(1408): ERROR: Invalid ID for the 
> source 
> > ip: '10.50.107.21'. 
> > 2014/10/13 10:19:28 ossec-remoted(1408): ERROR: Invalid ID for the 
> source 
> > ip: '10.50.107.21'. 
> > 2014/10/13 10:19:54 ossec-remoted(1408): ERROR: Invalid ID for the 
> source 
> > ip: '10.50.111.64'. 
> > 
> > On Monday, October 13, 2014 7:52:05 AM UTC-5, gr...@castraconsulting.com 
> > wrote: 
> >> 
> >> Assuming agent key and IP are distinct for each server, please put the 
> >> ossec-control into debug on the server and look for errors such as "not 
> >> allowed" and so forth 
> >> 
> >> On Monday, October 13, 2014 8:04:41 AM UTC-4, Antonio Querubin wrote: 
> >>> 
> >>> On Sun, 12 Oct 2014, David Masters wrote: 
> >>> 
> >>> > Ok...here is the log file from a freshly installed agent (shutdown 
> >>> > ossec 
> >>> > server, removed all rid files, no rid files on agent system, 
> manually 
> >>> > entered key and server address): 
> >>> 
> >>> > This is the log file from same machine after pushing out key 
> >>> > file/ossec.conf file and deleting rid files (no change to any other 
> >>> > part of 
> >>> > the machine or configuration): 
> >>> 
> >>> > Verified all information in both files was exactly the same as 
> before 
> >>> > and 
> >>> > files in rids directory were deleted before service was restarted. 
> >>> 
> >>> > Any ideas? 
> >>> 
> >>> Did you remove the corresponding rids file on the server? 
> >>> 
> >>> Antonio Querubin 
> >>> e-mail:  to...@lavanauts.org 
> >>> xmpp:  antonio...@gmail.com 
> > 
> > -- 
> > 
> > --- 
> > You received this message because you are subscribed to the Google 
> Groups 
> > "ossec-list" group. 
> > To unsubscribe from this group and stop receiving emails from it, send 
> an 
> > email to ossec-list+...@googlegroups.com. 
> > For more options, visit https://groups.google.com/d/optout. 
>
>
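
An added example, not part of the thread or of OSSEC itself: a pre-deployment check that compares the client.keys file about to be pushed to an agent with the manager's client.keys, and flags the case raised above where the import string used in the GUI was written to the file instead of the raw entry. It assumes the usual single-line `ID NAME IP KEY` layout and that the import string is the base64 encoding of that line; the function names and all sample data are constructed for illustration.

```python
import base64

FIELDS = ("id", "name", "ip", "key")

def split_entry(line):
    """Return the four fields of an 'ID NAME IP KEY' line, or None."""
    parts = line.split(" ")
    return tuple(parts) if len(parts) == 4 and all(parts) else None

def decode_export(token):
    """Return the raw line if token is base64 of 'ID NAME IP KEY', else None."""
    try:
        raw = base64.b64decode(token, validate=True).decode("ascii").strip()
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    return raw if split_entry(raw) else None

def check_pushed_keys(agent_bytes, manager_text):
    """List problems in the client.keys pushed to one agent (empty list = OK)."""
    problems = []
    if agent_bytes.startswith(b"\xef\xbb\xbf"):
        problems.append("UTF-8 byte order mark at start of file")
        agent_bytes = agent_bytes[3:]
    if b"\t" in agent_bytes:
        problems.append("tab character in file")
    lines = [l for l in agent_bytes.decode("ascii", "replace").splitlines() if l.strip()]
    if len(lines) != 1:
        return problems + [f"expected 1 entry, found {len(lines)}"]
    entry = split_entry(lines[0])
    if entry is None:
        if decode_export(lines[0].strip()):
            return problems + ["base64 import string, not the raw client.keys line"]
        return problems + ["entry is not 'ID NAME IP KEY' separated by single spaces"]
    manager = {e[0]: e for e in map(split_entry, manager_text.splitlines()) if e}
    want = manager.get(entry[0])
    if want is None:
        problems.append(f"agent ID {entry[0]} not in manager client.keys")
    elif want != entry:
        # Name the differing fields only; never echo key material into logs.
        diff = [f for f, a, b in zip(FIELDS, entry, want) if a != b]
        problems.append("differs from manager entry in: " + ", ".join(diff))
    return problems

# Constructed sample data: placeholder names, documentation IPs, fake keys.
KEY1, KEY2 = "a" * 64, "b" * 64
MANAGER = f"001 ws-0001 192.0.2.10 {KEY1}\n002 ws-0002 192.0.2.11 {KEY2}\n"

if __name__ == "__main__":
    pushed = base64.b64encode(f"001 ws-0001 192.0.2.10 {KEY1}".encode())
    print(check_pushed_keys(pushed, MANAGER))
```

Running the check against the exact bytes that will be copied to the machine, rather than against the spreadsheet cell, is what catches separators and encoding marks added during export.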
