Tried this also. Didn't work. My agents are Windows 2008. I don't
believe this has anything to do with it as the Windows boxes on the
same subnet as the server are getting responses back from the server.
On Jan 26, 1:57 pm, Kat uncommon...@gmail.com wrote:
I keep seeing these from more than one
On the server I see the following via tcpdump -ni eth3 'port 1514'
10:21:19.752015 IP 10.100.10.21.55493 > 10.100.10.11.fujitsu-dtcns: UDP, length 73
10:21:25.752227 IP 10.100.10.21.55493 > 10.100.10.11.fujitsu-dtcns: UDP, length 73
I'm reluctant to install wireshark on the agent at this point. No
On Jan 26, 2012, at 9:26 AM, Steve Kuntz stephen.ku...@gmail.com wrote:
I'm reluctant to install wireshark on the agent at this point.
It may be your quickest path to a resolution, though. That or a span/mirror
port on the switch.
Check the routing table on the server to see how traffic is
I keep seeing these from more than one person - with over 6000 agents
in 3 DCs I can tell you I have found the quickest solution:
1. Although this is frowned upon - on the agents - wipe
/var/ossec/queue/rids/ on each of the offending agents
2. find the agent ID in the same folder on the
Check the ossec.log file on the server? Just curious if there's any
issue there.
Else, you'll probably have to enable debugging on both sides to see
what's going on.
On Jan 26, 8:56 am, Scott VR scot...@s0cialpath.net wrote:
On Jan 26, 2012, at 9:26 AM, Steve Kuntz stephen.ku...@gmail.com wrote:
Could it be because you have multiple source IPs?
Try creating a new agent on the server and use the subnet.
manage_agents, a, hostname, 192.168.1.0/24, y.
Then import the new key generated and see if that helps. That would
confirm source IP origination is the problem.
Else, use wireshark or