[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[ossec-list] Re: Agentd waiting for server reply

To: ossec-list@xxxxxxxxxxxxxxxx
Subject: [ossec-list] Re: Agentd waiting for server reply
From: Chris Tankersley <chris.tankersley@xxxxxxxxxxxxxxxxx>
Date: Sat, 24 Feb 2007 23:34:00 -0500
Content-transfer-encoding: 7bit

I checked TCP dump and it was sending the requests all the way to theserver, so I deleted and readded the agent and it popped back online.Thanks!

As for the permissions, it wasn't the script. The guy who tried toinstall the WUI didn't set up the groups properly and tried manuallychmoding the queue file to 777 in the theory that the WUI would read it.OSSEC didn't like that, and refused to run after that.

Thankfully, the only issues I've ever had with OSSEC have been due toour own errors, not OSSEC itself. Thanks for the great work on this program.


Daniel Cid wrote:


Hi Chris,

I second what Nicolas said... It must be something in the keys.Remember thatossec keep track of all messages sent, so if you reinstall ossec(without doing

an upgrade), you will lose the internal counter and the server and
agent will not

be in sync anymore. Try the to remove this agent from the server andadd itback again. After that, restart the server and re-import this new keyin the

agent... It should fix the problem.

Btw, how did you get these permissions errors? The installation issupposed

to handle all that for you..

hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net

On 2/23/07, Chris Tankersley <chris.tankersley@xxxxxxxxxxxxxxxxx> wrote:


Hello everyone.

We recently updated to 1.0 as well as installed the WUI, but had some
issues (permissions were set up incorrectly and ossec imploded) that
caused all of our agents to stop responding. I reinstalled the OSSEC
server by telling it to do an upgrade and then restarted all of the
agents, and all have come back up except for one named Fileserver. When
I check /var/ossec/logs/ossec.log I see this:

2007/02/23 16:30:28 ossec-agentd(4101): Waiting for server reply (not
started).

I tried re-importing the key as well as doing a reinstall on this

machine. If I do a nestat, I see that it makes a connection to theserver:


udp        0      0 192.168.1.10:48296
192.168.1.42:1514            ESTABLISHED 9172/ossec-agentd


There are no firewalls  between the two machines, and any time that
we've done upgrades we've always done the upgrade option instead of
blowing out ossec and starting from scratch.

Any help would be appreciated.

Chris

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.



--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

References:
- [ossec-list] Re: Problems faced with OSSEC.
  - From: Pankaj P. Pawar
- [ossec-list] Agentd waiting for server reply
  - From: Chris Tankersley
- [ossec-list] Re: Agentd waiting for server reply
  - From: Daniel Cid

Prev by Date: [ossec-list] Re: Separate email_to addresses per agent?
Next by Date: [ossec-list] no send alert
Previous by thread: [ossec-list] Re: Agentd waiting for server reply
Next by thread: [ossec-list] Re: /etc/client.keys not found
Index(es):
- Date
- Thread

OSSEC home | Main Index | Thread Index

OSSEC project: www.ossec.net.
Mailling list information: http://www.ossec.net/en/mailing_lists.html.