Geez, who would have known. I've been beating my head against the wall trying to figure it out. It worked perfectly after I removed the agent from the server and added FQDN and CIDR to the OSSEC server. Thanks for the answer!

Just wondering, was your agent on a Linux or Windows machine? In my case it was a Windows machine.

--
Michael D. Wood
ITSecurityPros.org
www.itsecuritypros.org

On Tuesday, March 6, 2012 1:59:07 PM UTC-5, ScottyMace wrote:
>
> I've seen this issue raised before, but never answered. There is a
> firewall between the agent and server, but proper access lists are in
> place. I used netcat to verify communication is working fine both
> ways, for udp port 1514, and various random high ports from the server
> to the client, just in case. Agent is 2.6, server is 2.5.1
> (AlienVault server)
>
> The problem even after the above:
> From agent log, this message repeated:
> 2012/03/06 11:02:23 ossec-agentd: INFO: Using IPv4 for: 10.10.xxx.51 .
> 2012/03/06 11:02:24 ossec-agentd(1214): WARN: Problem receiving message from 10.10.xxx.51.
> 2012/03/06 11:02:33 ossec-agentd(1214): WARN: Problem receiving message from 10.10.xxx.51.
> 2012/03/06 11:02:38 ossec-agentd(1214): WARN: Problem receiving message from 10.10.xxx.51.
> 2012/03/06 11:02:44 ossec-agentd(1214): WARN: Problem receiving message from 10.10.xxx.51.
> 2012/03/06 11:02:44 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '10.10.xxx.51'.
>
> Server side, list agents says the client in question has never connected.
>
> Solution:
> I did three things to get this to work:
> Remove said agent from the server
> Recreate agent on server using FQDN as the host name, (originally
> using short hostname) and
> IP address in full CIDR format: xxx.xxx.xxx.xxx/32 (originally without
> /32)
>
> Once that was done, re-import the key into the agent box, and restart
> server and agent processes. Worked fine after that.
>
> Scott