Usually there are warning or error messages in the ossec.log file (check those
on both the agent and the manager).

On Mon, Jan 4, 2016 at 11:06 AM, Cal <brandonrmaxw...@gmail.com> wrote:

> Found a solution, thinking it might be a key issue. On one server, I had
> to chmod the keys file, which allowed the agent to connect. I tried
> re-adding the existing key to the other agents and configuring the
> permissions without anything working. Finally, I re-issued the keys for the
> disconnected clients, and all connected after restart. Not sure what the
> issue was.
>
>
> On Monday, January 4, 2016 at 12:35:44 PM UTC-5, Cal wrote:
>>
>> Also, from agent:
>>
>> # netstat -panu | grep 1520
>> udp        0      0 AGENT_IP:43737     SERVER_IP:1520      ESTABLISHED 30669/ossec-agentd
>>
>> On Monday, January 4, 2016 at 12:25:02 PM UTC-5, Cal wrote:
>>>
>>> I have about 20 OSSEC agents connected to my OSSEC server without issue.
>>> There are approximately 6 however that cannot connect. I'm using a
>>> non-default port of 1520. Note: All IPs replaced here for OPSEC.
>>>
>>> Logs:
>>>
>>>    - Agent:
>>>       - 2016/01/04 11:12:23 ossec-agentd: INFO: Using IPv4 for: SERVER_IP .
>>>       2016/01/04 11:12:44 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: 'SERVER_IP'.
>>>    - Server:
>>>       - Nothing outside the standard output, even with debug enabled
>>>
>>>
>>> What I've done so far:
>>>
>>>    - Added rules into iptables to allow communication on both
>>>    agent/server
>>>    - TCPdump confirming on agent that it is sending packet
>>>    - TCPdump confirming on server that it is receiving agent packet
>>>    - Netcat on both server/agent:
>>>       - netcat -uv SERVER_IP 1520
>>>       Connection to SERVER_IP 1520 port [udp/*] succeeded!
>>>       - netcat -uv AGENT_IP 1520
>>>       Connection to AGENT_IP 1520 port [udp/*] succeeded!
>>>
>>> ossec.conf:
>>>
>>>    - <ossec_config>
>>>      <client>
>>>        <server-ip>SERVER_IP</server-ip>
>>>        <port>1520</port>
>>>      </client>
>>>      <remote>
>>>        <connection>secure</connection>
>>>        <protocol>tcp</protocol>
>>>        <port>1520</port>
>>>      </remote>
>>>
>>>
>>>
>>> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
>
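
The fix reported in this thread came down to the permissions on the agent keys file and re-issued keys. A check along those lines, as an added example that is not code from the thread or from the OSSEC project: it assumes one `ID NAME IP KEY` entry per line and that the caller passes the UID/GID of the account the agent daemon runs as; the name `audit_keys_file` is hypothetical.

```python
import os
import stat

def audit_keys_file(path, daemon_uid, daemon_gid):
    """Return findings for an agent keys file; an empty list means no problem found."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["keys file is missing"]
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    # POSIX applies exactly one permission class: owner, else group, else other.
    # Only the primary group is considered here, not supplementary groups.
    if st.st_uid == daemon_uid:
        readable = mode & stat.S_IRUSR
    elif st.st_gid == daemon_gid:
        readable = mode & stat.S_IRGRP
    else:
        readable = mode & stat.S_IROTH
    if not readable:
        findings.append("daemon account cannot read the file (mode %04o)" % mode)
    if mode & (stat.S_IROTH | stat.S_IWOTH):
        findings.append("file is open to other local users (mode %04o)" % mode)
    # Assumed layout: one 'ID NAME IP KEY' entry per line. Key material is
    # never copied into the findings.
    seen = set()
    try:
        with open(path) as fh:
            for lineno, line in enumerate(fh, 1):
                fields = line.split()
                if not fields:
                    continue
                if len(fields) != 4:
                    findings.append("line %d: expected 4 fields, found %d" % (lineno, len(fields)))
                elif fields[0] in seen:
                    findings.append("line %d: duplicate agent ID %s" % (lineno, fields[0]))
                else:
                    seen.add(fields[0])
    except PermissionError:
        findings.append("auditing user cannot read the file; run as root")
    return findings

if __name__ == "__main__":
    import tempfile
    # Constructed sample entries; the key fields are placeholders, not real keys.
    with tempfile.NamedTemporaryFile("w", suffix=".keys", delete=False) as tmp:
        tmp.write("001 web01 any PLACEHOLDERKEY1\n001 db01 any PLACEHOLDERKEY2\n")
    os.chmod(tmp.name, 0o600)
    st = os.stat(tmp.name)
    print(audit_keys_file(tmp.name, st.st_uid + 1, st.st_gid))
    os.unlink(tmp.name)
```

On a real host, pass the path of the agent's keys file and the UID/GID looked up for the daemon account.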
