Found a solution, thinking it might be a key issue. On one server, I had to chmod the keys file, which allowed the agent to connect. I tried re-adding the existing key to the other agents and configuring the permissions without anything working. Finally, I re-issued the keys for the disconnect clients, and all connected after restart. Not sure what the issue was.
On Monday, January 4, 2016 at 12:35:44 PM UTC-5, Cal wrote: > > Also, from agent: > > # netstat -panu | grep 1520 > udp 0 0 AGENT_IP:43737 SERVER_IP:1520 ESTABLISHED > 30669/ossec-agentd > > On Monday, January 4, 2016 at 12:25:02 PM UTC-5, Cal wrote: >> >> I have about 20 OSSEC agents connected to my OSSEC server without issue. >> There are approximately 6 however that cannot connect. I'm using a >> non-default port of 1520. Note: All IPs replaced here for OPSEC. >> >> Logs: >> >> - Agent: >> - 2016/01/04 11:12:23 ossec-agentd: INFO: Using IPv4 for: >> SERVER_IP . >> 2016/01/04 11:12:44 ossec-agentd(4101): WARN: Waiting for server >> reply (not started). Tried: 'SERVER_IP'. >> - Server: >> - Nothing outside the standard output, even with debug enabled >> >> >> What I've done so far: >> >> - Added rules into iptables to allow communication on both agent/sever >> - TCPdump confirming on agent that it is sending packet >> - TCPdump confirming on server that it is receiving agent packet >> - Netcat on both server/agent: >> - netcat -uv SERVER_IP 1520 >> Connection to SERVER_IP 1520 port [udp/*] succeeded! >> - netcat -uv AGENT_IP1520 >> Connection to AGENT_IP 1520 port [udp/*] succeeded! >> >> ossec.conf: >> >> - <ossec_config> >> <client> >> <server-ip>SERVER_IP</server-ip> >> <port>1520</port> >> </client> >> <remote> >> <connection>secure</connection> >> <protocol>tcp</protocol> >> <port>1520</port> >> </remote> >> >> >> >> -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.