Re: [ossec-list] Irregular Agent Activity in OSSEC agents
Hey Eero,

From examining the server - both disk speed and network should not be a problem, but I did notice a shortage of available RAM (around 300 MB left).
I'll make the changes tomorrow and add more RAM, and update if it was the case.

On Wednesday, July 20, 2016 at 10:47:41 PM UTC+3, Eero Volotinen wrote:
> Are you running out of network or disk speed?
>
> Eero

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Re: [ossec-list] Irregular Agent Activity in OSSEC agents
Are you running out of network or disk speed?

Eero

On 20.7.2016 at 10.39 PM, "eyal gershon" wrote:
> Hey Jose,
>
> There was no update or upgrade done.
> I performed the procedure you mentioned before but the results stayed the same.
>
> I have around 1600 servers and 400 who do not connect.
>
> Do you have any other idea on why this happens?
> Or anything else I can test?
Re: [ossec-list] Irregular Agent Activity in OSSEC agents
Hey Jose,

There was no update or upgrade done.
I performed the procedure you mentioned before but the results stayed the same.

I have around 1600 servers and 400 who do not connect.

Do you have any other idea on why this happens?
Or anything else I can test?

On Wed, Jul 20, 2016 at 6:03 PM, Jose Luis Ruiz wrote:
> Hi Eyal,
>
> This is a familiar problem that we have come across in the past as well. The counter of the rids file can run out of sync if the manager and the respective agent have trouble exchanging control messages.
>
> Have you perhaps reinstalled the manager or one of the agents recently?
>
> You can fix your problem by following the steps below:
>
> 1. On every agent:
>    1. Stop ossec
>    2. Go to .../ossec/queue/rids (or ossec-agent/rids on Windows) and remove every file in there.
> 2. Go to the server:
>    1. Stop ossec
>    2. Remove the rids file with the same name as the agent id that is reporting errors.
> 3. Restart the server
> 4. Restart the agents.
>
> If you have reinstalled one of your machines recently, then we recommend that you use the update option. Do not remove and reinstall the ossec server, unless you plan to do the same for all agents.
>
> Just a heads up, please refrain from using the same agent key between multiple agents, or the same agent key after you removed/re-installed an agent….
>
> Reference: http://ossec-docs.readthedocs.io/en/latest/faq/unexpected.html#fixing-duplicate-errors
>
> Regards
> ---
> Jose Luis Ruiz
> Wazuh Inc.
> j...@wazuh.com
Re: [ossec-list] Irregular Agent Activity in OSSEC agents
Hi Eyal,

This is a familiar problem that we have come across in the past as well. The counter of the rids file can run out of sync if the manager and the respective agent have trouble exchanging control messages.

Have you perhaps reinstalled the manager or one of the agents recently?

You can fix your problem by following the steps below:

1. On every agent:
   1. Stop ossec
   2. Go to .../ossec/queue/rids (or ossec-agent/rids on Windows) and remove every file in there.
2. Go to the server:
   1. Stop ossec
   2. Remove the rids file with the same name as the agent id that is reporting errors.
3. Restart the server
4. Restart the agents.

If you have reinstalled one of your machines recently, then we recommend that you use the update option. Do not remove and reinstall the ossec server, unless you plan to do the same for all agents.

Just a heads up, please refrain from using the same agent key between multiple agents, or the same agent key after you removed/re-installed an agent….

Reference: http://ossec-docs.readthedocs.io/en/latest/faq/unexpected.html#fixing-duplicate-errors

Regards
---
Jose Luis Ruiz
Wazuh Inc.
j...@wazuh.com

On July 20, 2016 at 11:54:41 AM, eyal gershon (gershon...@gmail.com) wrote:
> Hey Everyone,
>
> I am noticing some irregular activity in some of my OSSEC agents -
>
> *A little bit about the system -*
>
> My Deployment is on 2000~ servers managed from dedicated ossec manager.
> I currently have 1600~ agents connected on a full basis and 400~ servers who connect and disconnect all the time.
>
> All the ports are opened (confirmation with NC and telnet)
>
> On my management server I see the following error in the logs -
>
> 2016/07/20 05:33:49 ossec-remoted(1407): ERROR: Duplicated counter for '**'.
> 2016/07/20 05:33:55 ossec-remoted: WARN: Duplicate error: global:
>
> I checked the /var/ossec/queue/rids and made sure there is only a single entry in there and that entry is the same on both host and Management.
> I made a double check and also compared client.keys on both servers, Same Key and same Entry on both servers.
>
> I did a key exchange manually between both servers just to make sure Nothing was wrong in that section.
> Same error.
>
> Does anyone have an idea on how to continue?
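
An added example, not part of the thread and not OSSEC's own tooling: with hundreds of agents affected, the server-side step above ("remove the rids file with the same name as the agent id") needs a list of IDs, and the warning about reused agent keys can be checked in the same pass. The script assumes client.keys lines have the four whitespace-separated fields `id name ip key` and that rids files live under /var/ossec/queue/rids as in the thread; the agent names, addresses and keys in the sample data are constructed.

```shell
#!/bin/sh
# Added example: which manager-side rids files belong to agents that log
# "Duplicated counter"? Paths are assumptions; all sample data is constructed.

# Unique agent names from the remoted error line quoted in the thread.
dup_agents() {
    sed -n "s/.*ERROR: Duplicated counter for '\([^']*\)'.*/\1/p" "$1" | sort -u
}

# Resolve names to agent IDs via client.keys (fields: id name ip key) and
# print the rids file each affected ID owns under $3 on the manager.
rids_to_reset() {
    dup_agents "$1" | awk -v dir="${3:-/var/ossec/queue/rids}" '
        NR == FNR    { want[$0] = 1; next }   # first input: names from the log
        ($2 in want) { print dir "/" $1 }     # second input: client.keys
    ' - "$2"
}

# Agent IDs whose key also appears under another ID (the key is never printed).
shared_key_ids() {
    awk '{ ids[$4] = ids[$4] " " $1; n[$4]++ }
         END { for (k in n) if (n[k] > 1) print substr(ids[k], 2) }' "$1" | sort
}

make_samples() {   # write a constructed log and client.keys into directory $1
    cat > "$1/ossec.log" <<'EOF'
2016/07/20 05:33:49 ossec-remoted(1407): ERROR: Duplicated counter for 'web-017'.
2016/07/20 05:33:55 ossec-remoted(1407): ERROR: Duplicated counter for 'db-003'.
2016/07/20 05:34:02 ossec-remoted(1407): ERROR: Duplicated counter for 'web-017'.
2016/07/20 05:34:10 ossec-remoted: INFO: constructed unrelated line
EOF
    cat > "$1/client.keys" <<'EOF'
001 web-016 10.0.0.16 aaaa1111constructed
002 web-017 10.0.0.17 bbbb2222constructed
003 db-003 10.0.0.33 cccc3333constructed
004 db-004 10.0.0.34 bbbb2222constructed
EOF
}

d=$(mktemp -d)
make_samples "$d"
rids_to_reset "$d/ossec.log" "$d/client.keys"   # review this list before removing anything
shared_key_ids "$d/client.keys"
rm -rf "$d"
```

On a real manager the two arguments would be the manager's log file and its client.keys; the script only prints paths and IDs and deletes nothing itself.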
[ossec-list] Irregular Agent Activity in OSSEC agents
Hey Everyone,

I am noticing some irregular activity in some of my OSSEC agents -

*A little bit about the system -*

My Deployment is on 2000~ servers managed from dedicated ossec manager.
I currently have 1600~ agents connected on a full basis and 400~ servers who connect and disconnect all the time.

All the ports are opened (confirmation with NC and telnet)

On my management server I see the following error in the logs -

2016/07/20 05:33:49 ossec-remoted(1407): ERROR: Duplicated counter for '**'.
2016/07/20 05:33:55 ossec-remoted: WARN: Duplicate error: global:

I checked the /var/ossec/queue/rids and made sure there is only a single entry in there and that entry is the same on both host and Management.
I made a double check and also compared client.keys on both servers, Same Key and same Entry on both servers.

I did a key exchange manually between both servers just to make sure Nothing was wrong in that section.
Same error.

Does anyone have an idea on how to continue?