Pedro, Awesome! Your method worked flawlessly. Thanks!
Cal On Tuesday, August 2, 2016 at 8:51:59 PM UTC-4, Pedro S wrote: > > Hi Cal, > > > Try disabling counters. They lose synchronisation specially when agents > are reinstalled. > Edit /var/ossec/etc/internal_options.conf and set > "remoted.verify_msg_id=0", both agent & manager. > > Enable debug mode on both hosts, open internal_options and set debug to > level 2 (specially in remoted.debug variable). > > Sometimes the problem could be related with NAT, try adding the agent with > "any" option and test if it works (use manage_agent and when prompting for > IP enter "any"). > > Open etc/client.keys on OSSEC Manager (be careful! this file is critical) > and remove duplicated entries, the agent will fail to connect if there is > more than one entry with the same IP. > > Hope it helps, > > best regards, > > Pedro S. > > > > On Tuesday, August 2, 2016 at 2:08:14 PM UTC-7, Cal wrote: >> >> Hi all, >> >> Been debugging an issue for a few hours, thought I'd ask for another >> opinion. >> >> The situation: >> I have an OSSEC server with approximately 70 agents connected and 15 or >> so that won't connect. >> >> Tested so far: >> Tcpdump shows UDP packets from both OSSEC agents and server (running on >> non-standard port 1520) >> Traceroute from agent to server and other direction, no problem >> Can ping the server from agent >> Can ping the agent from server >> >> Ex: >> server: >> 15:51:00.135367 IP 172.28.156.XX.60625 > 172.28.29.XX.1520: UDP, length 73 >> >> agent: >> 15:51:00.135916 IP 172.28.156.XX.60625 > 172.28.29.XX.1520: UDP, length 73 >> >> I've tried re-adding the keys to agents several times. Enabled debugging >> on server, but only noted logs are from the agent: >> 2016/08/02 15:56:39 ossec-agentd: INFO: Trying to connect to server >> (172.28.29.XX:1520). >> 2016/08/02 15:56:39 ossec-agentd: INFO: Using IPv4 for: 172.28.29.XX >> >> Any ideas where to look next? I've also tried removing the agents, >> re-adding, re-installing, etc. >> >> Thank you! >> > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.