Hi group,

I'm trying to debug why my agents are always showing disconnected. They 
would work for a bit, and then randomly stop working. Some agents will 
disconnect permanently, some intermittently switch between 
connected/disconnected. Any advice on how to increase logging verbosity, or 
on why my agents are not working properly?

I enabled debugging, which produced no increase in logging verbosity. I did so by 
editing internal_options.conf and setting:
  on server: remoted.debug=2, then running "/var/ossec/bin/ossec-control enable debug" 
  and restarting the service
  on agent: agent.debug=2, then restarting the service

This is happening with many agents both outside and inside the OSSEC 
subnet. I disabled both iptables firewalls for this test.

Server IP: 10.10.12.171
Agent IP: 10.10.12.170

Server uname: Linux 2.6.32-642.13.1.el6.x86_64 #1 SMP Wed Jan 11 20:56:24 
UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
Agent uname: Linux 2.6.32-642.13.1.el6.x86_64 #1 SMP Wed Jan 11 20:56:24 
UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

My agent always shows disconnected:
   ID: 003, Name: safetynet1, IP: 10.10.12.170, Disconnected
The ossec server log doesn't show anything related.

The ossec agent log just repeatedly shows:
-------------
2017/02/08 12:20:29 ossec-agentd: INFO: Trying to connect to server 
ossec.jeoffice, port 1514.
2017/02/08 12:20:29 INFO: Connected to ossec.jeoffice at address 
10.10.12.171, port 1514
2017/02/08 12:20:50 ossec-agentd(4101): WARN: Waiting for server reply (not 
started). Tried: 'ossec.jeoffice'.
-------------

Content of server /etc/ossec-init.conf
-------------
DIRECTORY="/var/ossec"
VERSION="2.9.0"
DATE="Wed Jan 25 09:55:39 EST 2017"
TYPE="server"
-------------

Content of agent /etc/ossec-init.conf
-------------
DIRECTORY="/var/ossec"
VERSION="2.9.0"
DATE="Wed Jan 25 09:55:39 EST 2017"
TYPE="agent"
-------------

A server tcpdump shows:
-------------
14:14:54.281902 IP 10.10.12.170.50637 > 10.10.12.171.1514: UDP, length 73
14:14:59.280963 ARP, Request who-has 10.10.12.171 tell 10.10.12.170, length 
28
14:14:59.280987 ARP, Reply 10.10.12.171 is-at f2:1e:73:71:3e:c8, length 28
14:15:00.282405 IP 10.10.12.170.50637 > 10.10.12.171.1514: UDP, length 73
14:15:04.282833 IP 10.10.12.170.50637 > 10.10.12.171.1514: UDP, length 73
14:15:09.283445 IP 10.10.12.170.50637 > 10.10.12.171.1514: UDP, length 73
14:15:15.284415 IP 10.10.12.170.50637 > 10.10.12.171.1514: UDP, length 73
14:15:32.803559 IP 10.10.12.171.1514 > 10.10.12.170.50637: UDP, length 73
-------------

An agent dump shows:
-------------
14:14:54.280480 IP 10.10.12.170.50637 > 10.10.12.171.1514: UDP, length 73
14:15:00.281305 IP 10.10.12.170.50637 > 10.10.12.171.1514: UDP, length 73
14:15:04.281914 IP 10.10.12.170.50637 > 10.10.12.171.1514: UDP, length 73
14:15:09.282433 IP 10.10.12.170.50637 > 10.10.12.171.1514: UDP, length 73
14:15:15.283291 IP 10.10.12.170.50637 > 10.10.12.171.1514: UDP, length 73
14:15:32.803186 IP 10.10.12.171.1514 > 10.10.12.170.50637: UDP, length 73
-------------

Quintin
