So the final result was as follows: as the first step I exported the agent list and updated the list (I basically erased 1000 agents that were no longer used (#***)) and then saved it in CSV format. Following that I used the script manage_agents -f to reimport the whole agent list with new IDs. It basically took a good hour. Once done I created a script that would uninstall + install the Ossec Agent (2.8.3) and then attribute its key to the installation, which basically takes 5 seconds, and then it is up and running.

So all is now good. Hopefully this can help anyone that has a similar issue as well.

Cheers,

On Wednesday, April 13, 2016 at 11:23:28 AM UTC-4, Alexandre Laquerre wrote:
>
> I have added my ossec.conf and agent.conf. Is it possible to have a look
> to see if there is something that is off? (I have removed the IP address
> for the agentless section.)
>
> Thank you,
>
> Alex
>
> On Wednesday, April 13, 2016 at 10:40:00 AM UTC-4, Kat wrote:
>>
>> You should disable RIDS:
>>
>> remoted.verify_msg_id=0
>>
>> The errors should go away. The problem is, RIDS must be removed on both
>> agent and server, that may be causing issues.
>>
>> Kat
>>
>> On Tuesday, April 5, 2016 at 8:21:18 AM UTC-5, Alexandre LAQUERRE wrote:
>>>
>>> Hi,
>>>
>>> I have been using Ossec for quite a while and we decided to upgrade the
>>> version (2.7.1) to 2.8.3, and that was relatively successful except for the
>>> fact that it pulled a number on my ossec.conf by creating indent problems
>>> and adding open brackets in the wrong area, but anyway it works. My issue is
>>> that for the moment our client will not update the OSSEC agents and wishes to
>>> keep the 2.7.1. I have not seen any documentation that would indicate a
>>> compatibility issue; however, I noticed that no matter what I do, the agents
>>> will end up disconnecting. They will start out all active and then after 20
>>> minutes or so they will all be disconnected except for a small minority.
>>>
>>> When I performed the install I set the maximum number of agents to
>>> 4096 because the client has about … I would say close to 3000 agents.
>>> Furthermore, the installation did go well; however, I suspect that the
>>> agent.conf file in the shared folder got messed up due to this update being
>>> very significant. I have been working on this issue for at least three days
>>> and I am no longer certain where to look.
>>>
>>> I would like to specify that I have already tried to erase the RIDS
>>> while Ossec is stopped (server) and when I start it back up again the same
>>> issue occurs. Now I am hoping the solution will not be to erase the RIDS
>>> from the client as it would be a long process for our customer.
>>>
>>> Thank you,
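The pruning step described at the top of this thread, sketched as an added example (not the poster's script and not part of OSSEC). It assumes the exported list uses `client.keys`-style `ID NAME IP KEY` lines, that removed entries carry a `#` or `!` prefix on the name, and that `manage_agents -f` reads one `IP,NAME` pair per line; the name rule, function names and sample data are constructed for illustration.

```python
import ipaddress
import re

NAME_RE = re.compile(r"^[A-Za-z0-9._-]{2,32}$")  # assumed agent-name rule

def valid_source(ip):
    """Accept 'any', a single address, or a CIDR range (assumed to be allowed)."""
    try:
        return ip == "any" or ipaddress.ip_network(ip, strict=False) is not None
    except ValueError:
        return False

def build_bulk_list(key_lines, retired=frozenset()):
    """Return (bulk_lines, skipped) built from 'ID NAME IP KEY' lines."""
    bulk, skipped, seen = [], [], set()
    for raw in key_lines:
        parts = raw.split()
        if len(parts) < 3:
            continue  # blank or malformed line
        agent_id, name, ip = parts[:3]
        if name[0] in "#!":           # assumed marker for removed agents
            reason = "marked removed"
        elif name in retired:         # agents the operator no longer uses
            reason = "retired"
        elif not NAME_RE.match(name):
            reason = "bad name"
        elif not valid_source(ip):
            reason = "bad address"
        elif name in seen:            # a repeated name would collide on import
            reason = "duplicate name"
        else:
            seen.add(name)
            bulk.append(f"{ip},{name}")
            continue
        skipped.append((agent_id, reason))
    return bulk, skipped

# Constructed sample input; the keys are placeholders, not real key material.
SAMPLE = """\
001 web01 10.0.0.11 PLACEHOLDERKEY1
002 #*#*#*old-db 10.0.0.12 PLACEHOLDERKEY2
003 app01 10.0.1.0/24 PLACEHOLDERKEY3
004 web01 10.0.0.14 PLACEHOLDERKEY4
005 laptop7 any PLACEHOLDERKEY5
006 kiosk3 10.0.0.16 PLACEHOLDERKEY6
""".splitlines()

if __name__ == "__main__":
    print("\n".join(build_bulk_list(SAMPLE, retired={"kiosk3"})[0]))
```

Reviewing the skipped list before the reimport shows which agents will not receive a new key, which matters because every remaining agent has to be re-keyed afterwards.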