Hi, I'm trying to troubleshoot not connecting OSSEC agents 3.6 running on Centos 7, with a Server running Ossec 3.6 on Ubuntu 20.04. I end up with the repeating sequence on agent log:
2022/10/13 23:22:21 ossec-agentd: INFO: Trying to connect to server 10.0.7.243, port 1514. 2022/10/13 23:22:21 INFO: Connected to 10.0.7.243 at address 10.0.7.243, port 1514 2022/10/13 23:22:21 ossec-agentd: DEBUG: agt->sock: 54 2022/10/13 23:22:42 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '10.0.7.243'. I have two Centos 7 agents and one Ubuntu 18.04. The Ubuntu agent is just working fine and gets connected. 1. I confirmed The secret key export/import multiple times, every time restarting both server and the client. 2. There is no connectivity issue (the Ubuntu client connects to server), the Server firewall accepts incoming UDP packets on 1514. Tcpdump on both sides server/clientCentos, indicates communication in both directions, I'm only concerned about the length of packets which is 72 bytes, while the working agent sends more bytes 3. I installed agents on Centos 7 using yum from atomic repo. I did not go the script way with installing agent because it ended up with way to many errors. With yum I started with 3.7 agent and later I downgraded it to the lowest version avail in repo, which is ossec-hids-agent-3.6.0-12032.el7.art. Every time there was an issue with /queue/rids/sender file so I need to create it by myself while importing the key. I think I'm missing some file needed for transport or there is a problem with permissions. How can I research that? Or there is an issue with the key which is not accepted by the server. How can I research that? I copy and paste it each time I tried. No mistake. I have server side log in debug mode and nothing particular about Centos7 agents improperly sending data or even connection tries. Or really the below thread indicates that ossec agent 3.6 in connection with Centos doesn't work https://github.com/ossec/ossec-hids/issues/1869 Appreciate any help. Thank you. -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/ossec-list/648f3b9c-59bd-4e45-9a1b-1c477ac75cbfn%40googlegroups.com.
