On Fri, Jun 17, 2016 at 5:27 AM, Tahir Hafiz <[email protected]> wrote: > Thanks. I am seeing this in the alerts.log for the ones not connecting, I > mean they seem to be able to connect in network terms but not the OSSEC > server instance process: > ossec-remoted(1408): ERROR: Invalid ID for the source ip: 'a.b.c.d'. > ossec-remoted(1213): WARN: Message from a.b.c.d not allowed. > > Is there something we are not doing to allow these particular agents to > connect - a key file etc? >
Is that IP an IP you expect an agent to come from? Did you duplicate IPs when adding agents in manage_agents? > > > > On Friday, 17 June 2016 08:49:28 UTC+1, Jesus Linares wrote: >> >> It should work with port 1514 UDP. First, check if you have connectivity >> between agents and manager (ping, telnet, tcpdump...) and review your >> network settings (routers, firewall rules, etc). Then, check out the >> ossec.log of each agent to see what it is the issue. >> >> On Thursday, June 16, 2016 at 6:41:10 PM UTC+2, dan (ddpbsd) wrote: >>> >>> On Thu, Jun 16, 2016 at 12:27 PM, Tahir Hafiz <[email protected]> wrote: >>> > We have an OSSEC server located in one particular subnet and the >>> > majority of >>> > the agents are located in the same subnet and work fine. >>> > However, we have a few OSSEC agents located in a different subnet and >>> > they >>> > are having problems being able to connect to the server. >>> > >>> > We have opened up port 1514 UDP between subnets for ingress and egress >>> > traffic. >>> > >>> > Is there anything that we should do to allow server and agent >>> > communication? >>> > >>> >>> Do you see the traffic on the server from the hosts that are having >>> issues? >>> Do the source IPs match your expectations? >>> >>> > >>> > >>> > >>> > >>> > >>> > -- >>> > >>> > --- >>> > You received this message because you are subscribed to the Google >>> > Groups >>> > "ossec-list" group. >>> > To unsubscribe from this group and stop receiving emails from it, send >>> > an >>> > email to [email protected]. >>> > For more options, visit https://groups.google.com/d/optout. > > -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > For more options, visit https://groups.google.com/d/optout. -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
