Re: [ossec-list] Irregular Agent Activity in OSSEC agents

2016-07-20 Thread eyal gershon
Hey Eero,

From examining the server - 
Both disk speed and network should not be a problem,
but I did notice a shortage of Available RAM (around 300 MB left).
I'll make the changes tomorrow and add more RAM and update if it was the 
case.

On Wednesday, July 20, 2016 at 10:47:41 PM UTC+3, Eero Volotinen wrote:
>
> Are you running out of network or disk speed?
>
> Eero
>
> On 20.7.2016 at 10.39 PM, "eyal gershon" wrote:
>
>> Hey Jose,
>>
>> There was no update or upgrade done.
>> I performed the procedure you mentioned before but the results stayed the 
>> same.
>>
>> I have around 1600 servers and 400 who do not connect.
>>
>> Do you have any other idea on why this happens?
>> Or anything else I can test?
>>
>>
>> On Wed, Jul 20, 2016 at 6:03 PM, Jose Luis Ruiz wrote:
>>
>>> Hi Eyal,
>>>
>>> This is a familiar problem that we have come across in the past as well. 
>>> The counter of the rids file can run out of sync, if the manager and the 
>>> respective agent have trouble exchanging control messages.
>>>
>>> Have you perhaps reinstalled the manager or one of the agents recently?
>>>
>>> You can fix your problem by following the below steps:
>>>
>>> 1. On every agent:
>>>    1. stop ossec
>>>    2. go to: .../ossec/queue/rids (or ossec-agent/rids on Windows) and
>>>       remove every file in there.
>>> 2. Go to the server:
>>>    1. Stop ossec
>>>    2. Remove the rids file with the same name as the agent id that is
>>>       reporting errors.
>>> 3. Restart the server
>>> 4. Restart the agents.
>>>
>>> If you have reinstalled one of your machines recently, then we recommend 
>>> that you use the update option. Do not remove and reinstall the ossec 
>>> server, unless you plan to do the same for all agents.
>>>
>>> Just a heads up, please refrain from using the same agent key between 
>>> multiple agents, or the same agent key after you removed/re-installed an 
>>> agent….
>>>
>>>
>>> Reference: 
>>> http://ossec-docs.readthedocs.io/en/latest/faq/unexpected.html#fixing-duplicate-errors
>>>
>>>
>>> Regards
>>> ---
>>> Jose Luis Ruiz
>>> Wazuh Inc.
>>> jo...@wazuh.com 
>>>
>>> On July 20, 2016 at 11:54:41 AM, eyal gershon (gersh...@gmail.com) wrote:
>>>
>>> Hey Everyone, 
>>>
>>> I am noticing some irregular activity in some of my OSSEC agents - 
>>>
>>> *A little bit about the system - *
>>>
>>> My Deployment is on 2000~ servers managed from dedicated ossec manager.
>>> I currently have 1600~ agents connected on a full basis and 400~ servers 
>>> who connect and disconnect all the time.
>>>
>>> All the ports are opened (confirmation with NC and telnet)
>>>
>>> On my management server I see the following error in the logs - 
>>>
>>> 2016/07/20 05:33:49 ossec-remoted(1407): ERROR: Duplicated counter for 
>>> '**'.
>>> 2016/07/20 05:33:55 ossec-remoted: WARN: Duplicate error:  global: 
>>>
>>>
>>> I checked the /var/ossec/queue/rids and made sure there is only a single 
>>> entry in there and that entry is the same on both host and Management.
>>> I made a double check and also compared client.keys on both servers, Same 
>>> Key and same Entry on both servers.
>>>
>>>
>>> I did a key exchange manually between both servers just to make sure 
>>> Nothing was wrong in that section.
>>> Same error.
>>>
>>>
>>> Does anyone have an idea on how to continue?
>>> --
>>>
>>> ---
>>> You received this message because you are subscribed to the Google 
>>> Groups "ossec-list" group.
>>> To unsubscribe from this group and stop receiving emails from it, send 
>>> an email to ossec-list+...@googlegroups.com .
>>> For more options, visit https://groups.google.com/d/optout.
>>>
>>>


Re: [ossec-list] Irregular Agent Activity in OSSEC agents

2016-07-20 Thread Eero Volotinen
Are you running out of network or disk speed?

Eero

On 20.7.2016 at 10.39 PM, "eyal gershon" wrote:

> Hey Jose,
>
> There was no update or upgrade done.
> I performed the procedure you mentioned before but the results stayed the
> same.
>
> I have around 1600 servers and 400 who do not connect.
>
> Do you have any other idea on why this happens?
> Or anything else I can test?
>
>
> On Wed, Jul 20, 2016 at 6:03 PM, Jose Luis Ruiz  wrote:
>
>> Hi Eyal,
>>
>> This is a familiar problem that we have come across in the past as well. The 
>> counter of the rids file can run out of sync, if the manager and the 
>> respective agent have trouble exchanging control messages.
>>
>> Have you perhaps reinstalled the manager or one of the agents recently?
>>
>> You can fix your problem by following the below steps:
>>
>> 1. On every agent:
>>    1. stop ossec
>>    2. go to: .../ossec/queue/rids (or ossec-agent/rids on Windows) and
>>       remove every file in there.
>> 2. Go to the server:
>>    1. Stop ossec
>>    2. Remove the rids file with the same name as the agent id that is
>>       reporting errors.
>> 3. Restart the server
>> 4. Restart the agents.
>>
>> If you have reinstalled one of your machines recently, then we recommend 
>> that you use the update option. Do not remove and reinstall the ossec 
>> server, unless you plan to do the same for all agents.
>>
>> Just a heads up, please refrain from using the same agent key between 
>> multiple agents, or the same agent key after you removed/re-installed an 
>> agent….
>>
>>
>> Reference:
>> http://ossec-docs.readthedocs.io/en/latest/faq/unexpected.html#fixing-duplicate-errors
>>
>>
>> Regards
>> ---
>> Jose Luis Ruiz
>> Wazuh Inc.
>> j...@wazuh.com
>>
>> On July 20, 2016 at 11:54:41 AM, eyal gershon (gershon...@gmail.com)
>> wrote:
>>
>> Hey Everyone,
>>
>> I am noticing some irregular activity in some of my OSSEC agents -
>>
>> *A little bit about the system - *
>>
>> My Deployment is on 2000~ servers managed from dedicated ossec manager.
>> I currently have 1600~ agents connected on a full basis and 400~ servers
>> who connect and disconnect all the time.
>>
>> All the ports are opened (confirmation with NC and telnet)
>>
>> On my management server I see the following error in the logs -
>>
>> 2016/07/20 05:33:49 ossec-remoted(1407): ERROR: Duplicated counter for
>> '**'.
>> 2016/07/20 05:33:55 ossec-remoted: WARN: Duplicate error:  global:
>>
>>
>> I checked the /var/ossec/queue/rids and made sure there is only a single
>> entry in there and that entry is the same on both host and Management.
>> I made a double check and also compared client.keys on both servers, Same
>> Key and same Entry on both servers.
>>
>>
>> I did a key exchange manually between both servers just to make sure
>> Nothing was wrong in that section.
>> Same error.
>>
>>
>> Does anyone have an idea on how to continue?


Re: [ossec-list] Irregular Agent Activity in OSSEC agents

2016-07-20 Thread eyal gershon
Hey Jose,

There was no update or upgrade done.
I performed the procedure you mentioned before but the results stayed the
same.

I have around 1600 servers and 400 who do not connect.

Do you have any other idea on why this happens?
Or anything else I can test?


On Wed, Jul 20, 2016 at 6:03 PM, Jose Luis Ruiz  wrote:

> Hi Eyal,
>
> This is a familiar problem that we have come across in the past as well. The 
> counter of the rids file can run out of sync, if the manager and the 
> respective agent have trouble exchanging control messages.
>
> Have you perhaps reinstalled the manager or one of the agents recently?
>
> You can fix your problem by following the below steps:
>
> 1. On every agent:
>    1. stop ossec
>    2. go to: .../ossec/queue/rids (or ossec-agent/rids on Windows) and
>       remove every file in there.
> 2. Go to the server:
>    1. Stop ossec
>    2. Remove the rids file with the same name as the agent id that is
>       reporting errors.
> 3. Restart the server
> 4. Restart the agents.
>
> If you have reinstalled one of your machines recently, then we recommend that 
> you use the update option. Do not remove and reinstall the ossec server, 
> unless you plan to do the same for all agents.
>
> Just a heads up, please refrain from using the same agent key between 
> multiple agents, or the same agent key after you removed/re-installed an 
> agent….
>
>
> Reference:
> http://ossec-docs.readthedocs.io/en/latest/faq/unexpected.html#fixing-duplicate-errors
>
>
> Regards
> ---
> Jose Luis Ruiz
> Wazuh Inc.
> j...@wazuh.com
>
> On July 20, 2016 at 11:54:41 AM, eyal gershon (gershon...@gmail.com)
> wrote:
>
> Hey Everyone,
>
> I am noticing some irregular activity in some of my OSSEC agents -
>
> *A little bit about the system - *
>
> My Deployment is on 2000~ servers managed from dedicated ossec manager.
> I currently have 1600~ agents connected on a full basis and 400~ servers
> who connect and disconnect all the time.
>
> All the ports are opened (confirmation with NC and telnet)
>
> On my management server I see the following error in the logs -
>
> 2016/07/20 05:33:49 ossec-remoted(1407): ERROR: Duplicated counter for
> '**'.
> 2016/07/20 05:33:55 ossec-remoted: WARN: Duplicate error:  global:
>
>
> I checked the /var/ossec/queue/rids and made sure there is only a single
> entry in there and that entry is the same on both host and Management.
> I made a double check and also compared client.keys on both servers, Same
> Key and same Entry on both servers.
>
>
> I did a key exchange manually between both servers just to make sure
> Nothing was wrong in that section.
> Same error.
>
>
> Does anyone have an idea on how to continue?


Re: [ossec-list] Irregular Agent Activity in OSSEC agents

2016-07-20 Thread Jose Luis Ruiz
Hi Eyal,

This is a familiar problem that we have come across in the past as
well. The counter of the rids file can run out of sync, if the manager
and the respective agent have trouble exchanging control messages.

Have you perhaps reinstalled the manager or one of the agents recently?

You can fix your problem by following the below steps:

1. On every agent:
   1. stop ossec
   2. go to: .../ossec/queue/rids (or ossec-agent/rids on Windows)
      and remove every file in there.
2. Go to the server:
   1. Stop ossec
   2. Remove the rids file with the same name as the agent id that
      is reporting errors.
3. Restart the server
4. Restart the agents.

If you have reinstalled one of your machines recently, then we
recommend that you use the update option. Do not remove and reinstall
the ossec server, unless you plan to do the same for all agents.

Just a heads up, please refrain from using the same agent key between
multiple agents, or the same agent key after you removed/re-installed
an agent….


Reference:
http://ossec-docs.readthedocs.io/en/latest/faq/unexpected.html#fixing-duplicate-errors


Regards
---
Jose Luis Ruiz
Wazuh Inc.
j...@wazuh.com

On July 20, 2016 at 11:54:41 AM, eyal gershon (gershon...@gmail.com) wrote:

Hey Everyone,

I am noticing some irregular activity in some of my OSSEC agents -

*A little bit about the system - *

My Deployment is on 2000~ servers managed from dedicated ossec manager.
I currently have 1600~ agents connected on a full basis and 400~ servers
who connect and disconnect all the time.

All the ports are opened (confirmation with NC and telnet)

On my management server I see the following error in the logs -

2016/07/20 05:33:49 ossec-remoted(1407): ERROR: Duplicated counter for
'**'.
2016/07/20 05:33:55 ossec-remoted: WARN: Duplicate error:  global:


I checked the /var/ossec/queue/rids and made sure there is only a single
entry in there and that entry is the same on both host and Management.
I made a double check and also compared client.keys on both servers, Same
Key and same Entry on both servers.


I did a key exchange manually between both servers just to make sure
Nothing was wrong in that section.
Same error.


Does anyone have an idea on how to continue?
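
A triage sketch for the situation in this thread (an added example, not code from the posters or from OSSEC): it tallies the `Duplicated counter` errors per agent from manager log text, maps each name to its agent ID so the matching server-side rids files are known, and flags agent IDs that share one key. The sample log and key lines are constructed; the `id name ip key` layout of client.keys and the quoted log value being the agent name are assumptions.

```python
import re
from collections import Counter, defaultdict

RIDS_DIR = "/var/ossec/queue/rids"  # path quoted in the thread
DUP_RE = re.compile(r"ossec-remoted\(1407\): ERROR: Duplicated counter for '([^']*)'")

# Constructed sample data; agent names, IPs and keys are made up.
SAMPLE_LOG = """\
2016/07/20 05:33:49 ossec-remoted(1407): ERROR: Duplicated counter for 'web01'.
2016/07/20 05:33:55 ossec-remoted(1407): ERROR: Duplicated counter for 'db02'.
2016/07/20 05:34:10 ossec-remoted(1407): ERROR: Duplicated counter for 'web01'.
2016/07/20 05:34:12 ossec-remoted(1407): ERROR: Duplicated counter for 'old-host'.
"""
SAMPLE_KEYS = """\
001 web01 10.0.0.11 aaaa1111
002 db02 10.0.0.12 bbbb2222
003 web03 10.0.0.13 aaaa1111
"""

def parse_keys(keys_text):
    """Return (id, name, key) tuples from client.keys-style lines."""
    entries = []
    for line in keys_text.splitlines():
        fields = line.split()
        if len(fields) == 4:  # assumed layout: id name ip key
            entries.append((fields[0], fields[1], fields[3]))
    return entries

def triage(log_text, keys_text):
    """Summarise duplicate-counter errors and key reuse for follow-up."""
    hits = Counter(DUP_RE.findall(log_text))
    ids_by_name = defaultdict(list)
    ids_by_key = defaultdict(list)
    for agent_id, name, key in parse_keys(keys_text):
        ids_by_name[name].append(agent_id)
        ids_by_key[key].append(agent_id)
    affected_ids = sorted(i for n in hits for i in ids_by_name.get(n, []))
    return {
        "error_counts": dict(hits),
        # rids files on the server are named after the agent ID
        "server_rids_files": [f"{RIDS_DIR}/{i}" for i in affected_ids],
        # names in the log with no client.keys entry (stale or renamed agents)
        "unknown_names": sorted(n for n in hits if n not in ids_by_name),
        # agent IDs sharing one key, which the reply above warns against
        "shared_keys": sorted(ids for ids in ids_by_key.values() if len(ids) > 1),
    }

if __name__ == "__main__":
    for field, value in triage(SAMPLE_LOG, SAMPLE_KEYS).items():
        print(field, value)
```
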


[ossec-list] Irregular Agent Activity in OSSEC agents

2016-07-20 Thread eyal gershon
Hey Everyone,

I am noticing some irregular activity in some of my OSSEC agents - 

*A little bit about the system - *

My Deployment is on 2000~ servers managed from dedicated ossec manager.
I currently have 1600~ agents connected on a full basis and 400~ servers 
who connect and disconnect all the time.

All the ports are opened (confirmation with NC and telnet)

On my management server I see the following error in the logs - 

2016/07/20 05:33:49 ossec-remoted(1407): ERROR: Duplicated counter for 
'**'.
2016/07/20 05:33:55 ossec-remoted: WARN: Duplicate error:  global: 


I checked the /var/ossec/queue/rids and made sure there is only a single 
entry in there and that entry is the same on both host and Management.
I made a double check and also compared client.keys on both servers, Same 
Key and same Entry on both servers.


I did a key exchange manually between both servers just to make sure 
Nothing was wrong in that section.
Same error.


Does anyone have an idea on how to continue?
