Re: [ossec-list] Manager doesn't see agent

2012-03-27 Thread dan (ddp)
Are you sure that isn't how one way agents always show up? I have no
idea, I don't like that option. Was the manager updated recently
(maybe the one way comms setting has to be set on the manager and
someone forgot to set it)?

You can try:
- Turn off the firewall on the manager.
- Run the manager's ossec processes in debug mode, look for errors again.
- Double check to make sure logs aren't making it to the manager (you
  can even turn on the log all option to triple check).


On Tue, Mar 27, 2012 at 4:19 PM, Alisha Kloc wrote:
> Hi list,
>
> I've got a thorny problem that I'm hoping will turn out to be a simple
> one. Our OSSEC Manager refuses to see the one agent currently
> connected to it. It's been connected in the past, and the manager
> remembers this - the agent shows as "disconnected" in agent_control
> rather than "never connected" - but for some reason it won't connect
> now.
>
> Compounding the problem is that we're using one-way agents, which
> don't require communication from the manager to start. So we don't get
> feedback in the agent logs about what the problem might be.
>
> Using Wireshark, we've determined that UDP packets from our agent host
> machine are reaching our OSSEC manager machine, addressed to our OSSEC
> port, but we can't figure out what's happening after they show up that
> is causing our manager to ignore them.
>
> I've checked the following: iptables (port is open), ifconfig
> (interface is up and running; other communication works fine over it),
> OSSEC agent and manager configs (agent is pointed at the right port/
> IP; manager is listening on the right port), OSSEC manager logs (no
> errors that would indicate a bad client.keys or RIDS problem), and
> OSSEC agent logs (again, no errors, but it's a one-way agent). I've
> restarted everything a couple of times, cleared the RIDS, etc. There
> are no other machines currently on this subnet, so I can't test other
> agents.
>
> Anyone have any idea where else I can look, or what the problem might
> be?
>
> Thanks!
> -Alisha Kloc
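
The "log all" check suggested in the reply above, as an added example that is not part of the thread or of OSSEC itself: it reports whether `<logall>` is enabled and whether any archived events carry a given agent's name. The function names, the agent names `web01`/`db01`, the assumed archive line layout and the sample config and log lines are all constructed for illustration.

```shell
#!/bin/sh
# Added example: after enabling "log all", check whether one agent's events
# reach the manager's archive. Sample data below is constructed, not real logs.

# True if the config has <logall>yes</logall>. grep rather than an XML parser,
# since ossec.conf may contain more than one <ossec_config> root.
logall_enabled() {
    grep -Eqi '<logall>[[:space:]]*yes[[:space:]]*</logall>' "$1"
}

# Print "<count> <timestamp of last event>" for agent $2 in archive file $1.
# Assumed line layout: YYYY Mon DD HH:MM:SS (agent-name) ip->source message
agent_events() {
    awk -v tag="($2)" '
        $5 == tag { n++; last = $1 " " $2 " " $3 " " $4 }
        END { printf "%d %s\n", n, (n ? last : "never") }' "$1"
}

# Verdict: logall-off | no-events | receiving <count> <last timestamp>
check_agent() {
    logall_enabled "$1" || { echo "logall-off"; return 0; }
    result=$(agent_events "$2" "$3")
    case $result in
        "0 "*) echo "no-events" ;;
        *)     echo "receiving $result" ;;
    esac
}

# Write a constructed ossec.conf and archives.log into directory $1.
make_sample() {
    mkdir -p "$1"
    printf '%s\n' '<ossec_config>' ' <global>' '  <logall>yes</logall>' \
        ' </global>' '</ossec_config>' > "$1/ossec.conf"
    cat > "$1/archives.log" <<'EOF'
2012 Mar 27 16:01:12 manager->/var/log/messages Mar 27 16:01:11 manager su: session opened
2012 Mar 27 16:02:40 (web01) 192.0.2.10->/var/log/secure Mar 27 16:02:39 web01 sshd[99]: Accepted publickey
2012 Mar 27 16:05:03 (web01) 192.0.2.10->/var/log/secure Mar 27 16:05:02 web01 sudo: session closed
EOF
}

demo=$(mktemp -d)
make_sample "$demo"
check_agent "$demo/ossec.conf" "$demo/archives.log" web01   # agent that is heard
check_agent "$demo/ossec.conf" "$demo/archives.log" db01    # agent that is silent
rm -rf "$demo"
```

On a manager installed under the default prefix, the inputs would be `/var/ossec/etc/ossec.conf` and `/var/ossec/logs/archives/archives.log`. A `no-events` verdict with log all enabled means the packets seen on the wire are not being accepted as agent events.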


[ossec-list] Manager doesn't see agent

2012-03-27 Thread Alisha Kloc
Hi list,

I've got a thorny problem that I'm hoping will turn out to be a simple
one. Our OSSEC Manager refuses to see the one agent currently
connected to it. It's been connected in the past, and the manager
remembers this - the agent shows as "disconnected" in agent_control
rather than "never connected" - but for some reason it won't connect
now.

Compounding the problem is that we're using one-way agents, which
don't require communication from the manager to start. So we don't get
feedback in the agent logs about what the problem might be.

Using Wireshark, we've determined that UDP packets from our agent host
machine are reaching our OSSEC manager machine, addressed to our OSSEC
port, but we can't figure out what's happening after they show up that
is causing our manager to ignore them.

I've checked the following: iptables (port is open), ifconfig
(interface is up and running; other communication works fine over it),
OSSEC agent and manager configs (agent is pointed at the right port/
IP; manager is listening on the right port), OSSEC manager logs (no
errors that would indicate a bad client.keys or RIDS problem), and
OSSEC agent logs (again, no errors, but it's a one-way agent). I've
restarted everything a couple of times, cleared the RIDS, etc. There
are no other machines currently on this subnet, so I can't test other
agents.

Anyone have any idea where else I can look, or what the problem might
be?

Thanks!
-Alisha Kloc