Geez who would have known. I've been beating my head against the wall
trying to figure it out, worked perfectly after I removed the agent from
the server and added FQDN and CIDR to OSSEC server. Thanks for the answer!
Just wondering, was your agent on a Linux or Windows machine? In my case
it was a Windows machine.
--
Michael D. Wood
ITSecurityPros.org
www.itsecuritypros.org
On Tuesday, March 6, 2012 1:59:07 PM UTC-5, ScottyMace wrote:
I've seen this issue raised before, but never answered. There is a
firewall between the agent and server, but proper access lists are in
place. I used netcat to verify communication is working fine both
ways, for udp port 1514, and various random high ports from the server
to the client, just in case. Agent is 2.6, server is 2.5.1
(AlienVault server)
The problem even after the above:
From agent log, this message repeated:
2012/03/06 11:02:23 ossec-agentd: INFO: Using IPv4 for: 10.10.xxx.51 .
2012/03/06 11:02:24 ossec-agentd(1214): WARN: Problem receiving message from 10.10.xxx.51.
2012/03/06 11:02:33 ossec-agentd(1214): WARN: Problem receiving message from 10.10.xxx.51.
2012/03/06 11:02:38 ossec-agentd(1214): WARN: Problem receiving message from 10.10.xxx.51.
2012/03/06 11:02:44 ossec-agentd(1214): WARN: Problem receiving message from 10.10.xxx.51.
2012/03/06 11:02:44 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '10.10.xxx.51'.
Server side, list agents says the client in question has never connected.
Solution:
I did three things to get this to work:
Remove said agent from the server
Recreate agent on server using FQDN as the host name, (originally using short hostname) and
IP address in full CIDR format: xxx.xxx.xxx.xxx/32 (originally without /32)
Once that was done, re-import the key into the agent box, and restart
server and agent processes. Worked fine after that.
Scott
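
Added example, not part of the original thread or of OSSEC itself: a small Python check that scans ossec-agentd log text for the symptom quoted above (repeated 1214 "Problem receiving message" warnings plus a 4101 "not started" warning) and reports which server address the agent never got a reply from. The sample log is constructed from the lines in the post (one entry per line, address masked as in the post); the function name and the warning threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the format quoted in the thread (address masked as posted).
SAMPLE_LOG = """\
2012/03/06 11:02:23 ossec-agentd: INFO: Using IPv4 for: 10.10.xxx.51 .
2012/03/06 11:02:24 ossec-agentd(1214): WARN: Problem receiving message from 10.10.xxx.51.
2012/03/06 11:02:33 ossec-agentd(1214): WARN: Problem receiving message from 10.10.xxx.51.
2012/03/06 11:02:38 ossec-agentd(1214): WARN: Problem receiving message from 10.10.xxx.51.
2012/03/06 11:02:44 ossec-agentd(1214): WARN: Problem receiving message from 10.10.xxx.51.
2012/03/06 11:02:44 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '10.10.xxx.51'.
"""

# timestamp, optional numeric message code, level, message text
LINE_RE = re.compile(r"^(\S+ \S+) ossec-agentd(?:\((\d+)\))?: (\w+): (.*)$")
RECV_RE = re.compile(r"Problem receiving message from (\S+?)\.?$")
TRIED_RE = re.compile(r"Tried: '([^']+)'")


def find_stalled_servers(log_text, min_warnings=3):
    """Return servers showing the thread's symptom.

    A server is reported when the agent logged at least `min_warnings`
    1214 warnings for it and a 4101 "not started" warning naming it.
    `min_warnings` is an assumed threshold, not an OSSEC setting.
    """
    recv_warnings = defaultdict(int)
    not_started = {}  # server -> timestamp of the last 4101 warning
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # wrapped or unrelated line
        ts, code, _level, msg = m.groups()
        if code == "1214":
            hit = RECV_RE.search(msg)
            if hit:
                recv_warnings[hit.group(1)] += 1
        elif code == "4101" and "not started" in msg:
            hit = TRIED_RE.search(msg)
            if hit:
                not_started[hit.group(1)] = ts
    return {
        srv: {"recv_warnings": recv_warnings[srv], "last_not_started": ts}
        for srv, ts in not_started.items()
        if recv_warnings[srv] >= min_warnings
    }
```

A hit here only confirms the agent-side symptom; the thread's fix was on the server side (agent re-added with FQDN and /32 CIDR, key re-imported).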