Has anyone found anything with this - I have the exact same problem -
there has got to be something that is known about this. All my Windoze
agents work fine, but I have lost every single UNIX/Linux agent and
for no reason other than the same silly
WARN: Waiting for server reply (not started).
What OS/distro/revision are you using on your manager system?
Daniel Cid has offered to help track it down, but he needs access to a
system showing this issue.
dan
On May 4, 2011 11:56 AM, Kat uncommon...@gmail.com wrote:
Has anyone found anything with this - I have the exact same problem -
RHEL 5.3
Only special update is PHP 5.3, which would have nothing to do with
OSSEC, but mentioning it.
I would be happy to supply some debug info.
It was working flawlessly when first installed, then they just started
dropping off. Agents are a mixture of AIX 6.1 , RHEL 5.3 and Solaris
10
The
PS - I can packet capture on both ends - what would you want to see???
On May 4, 11:11 am, Kat uncommon...@gmail.com wrote:
RHEL 5.3
Only special update is PHP 5.3, which would have nothing to do with
OSSEC, but mentioning it.
I would be happy to supply some debug info.
It was working
Kat,
Is ossec-analysisd using a high percentage of CPU (more than 5%)?
That was what I experienced. Since I upgraded to CentOS (RHEL) 5.6, I
haven't seen the issue again.
Thanks,
--
Doug Burks, GSE, CISSP
President, Greater Augusta ISSA
http://augusta.issa.org
http://securityonion.blogspot.com
I'm trying to find a CentOS 5.2 or 5.3 ISO right now to see if I can
reproduce this. No luck so far.
I don't think it's a packet thing, I think one of the components in
ossec-analysisd is interacting poorly with something in CentOS that
was updated (to a version that doesn't have a problem with
Perhaps this is the kicker to help figure this out:
tcpdump on the ossec-server - watching the system agent attempt to
connect. But there are no firewalls in place anyway, just a router.
And the weird part is - another box, 10.15.58.62 works - and has been
- but I know if I restart it, it will
Thanks for the heads up. I think I may have a copy of 5.5. I don't
remember having an issue like that, but it's been a while.
On Wed, May 4, 2011 at 2:27 PM, Doug Burks doug.bu...@gmail.com wrote:
I experienced the issue with CentOS 5.5, which may be easier to find
than 5.2 or 5.3.
Thanks,
It's entirely possible you never experienced it on 5.5. I had a four
or five different servers on RHEL/CentOS 5.5 and only 2 of them
exhibited this behavior. These 2 were the busiest OSSEC servers I
had, so it could be related to number of agents and/or alerts. But
again, both of these servers