[ossec-list] problems registering agents

2017-05-22 Thread Topper Bowers
Hi, My client has a highly dynamic environment and we're using OSSEC (wazuh 1.1.1 release, OSSEC v2.8). When a server spins up, it registers itself as an agent to the server's authd and everything was going ok. However, my client.keys file is now 2048 lines long and no new agents can register.

Re: [ossec-list] Re: Rule 510 is triggering events but logtest is not showing any rules that should be triggered

2017-05-22 Thread Jesus Linares
You can't use ossec-logtest for rootcheck events. For example, if I get the full_log of a real alert: "File '/usr/local/nsis/nsis-3.0b2-src/Contrib/Language files/Valencian.nlf' is owned by root and has written permissions to anyone." and I paste it in logtest: *Phase 1: Completed pre-decoding

Re: [ossec-list] OSSEC slack alerts for agents v2.9.0

2017-05-22 Thread Miguelangel Freitas
Hi Fredrik, Can you see in logs/active-responses.log any new row regarding (agent-ossec.com)? Could you share and from etc/ossec.conf regarding slack notification? Thanks. Regards, On Sun, May 21, 2017 at 4:18 PM, Fredrik Hilmersson <f.hilmers...@worldclearing.org> wrote: > I set up a OSS

Re: [ossec-list] OSSEC slack alerts for agents v2.9.0

2017-05-22 Thread Fredrik Hilmersson
Hello Miguelangel! I do not see any new rows regarding the agent-ossec.com (within the host active-response.log, only in the alerts.log). Here's what you asked for from the ../etc/ossec.conf (server host) ossec-slack ossec-slack.sh no

[ossec-list] Re: problems registering agents

2017-05-22 Thread Jesus Linares
Hi, as you mentioned, it seems that inactive agents are counting for the limit (2048 agents). Run the following commands in order to know the size of the *client.keys* file: - Total lines: cat /var/ossec/etc/client.keys | wc -l - Active agents: cat /var/ossec/etc/client.keys | grep -P "^

Re: [ossec-list] OSSEC slack alerts for agents v2.9.0

2017-05-22 Thread Jesus Linares
Hi Fredrik, check out the documentation about *integrator*: https://documentation.wazuh.com/current/user-manual/manager/output-options/manual-integration.html I hope it helps. Regards. On Monday, May 22, 2017 at 4:53:56 PM UTC+2, Fredrik Hilmersson wrote: > > Hello Miguelangel! > > I do not se

Re: [ossec-list] Re: problems registering agents

2017-05-22 Thread Topper Bowers
I deleted some of the lines starting with bang (!) but that didn't clear up the problem. My client.keys is now smaller than 2048, but I still can't add agents. I was able to duplicate this problem on a fresh install in vagrant. Using the bin/manage_agents command I was able to add over 4k clients (

Re: [ossec-list] Re: problems registering agents

2017-05-22 Thread Jesus Linares
Hi, it is a known issue in that version (1.1.1). It is related to the algorithm that assigns an agent ID. This issue is fixed in Wazuh 2.0. Also, you can use the API to register agents remotely: 1.1.1 and 2.0

Re: [ossec-list] Re: Rule 510 is triggering events but logtest is not showing any rules that should be triggered

2017-05-22 Thread Gert Verhoog
Aha, thanks for the insights, that makes sense. I've changed the \.* into \S* and restarted everything. It seems to work! Thanks for your help! Cheers, Gert On Tuesday, May 23, 2017 at 1:35:58 AM UTC+12, Jesus Linares wrote: > > You can't use ossec-logtest for rootcheck events. For example, if I