[ossec-list] Re: Strange behaviour with some agents...
Daniel,

I would expect the "Duplicate error" to be caused by the restore
from backup. I'm not an ossec guru but I've seen this before and
got around it by changing the files in queue/rids on the agent.
Those files seem to be counters used as part of the messaging and I
would expect by restoring from backup, you reset those counters into
the past.

As I said, I'm not an ossec guru and I don't know the official way
to correct this (nor can I remember exactly what did the trick for
me in the past). If you can wait, I would expect an answer from
someone who really knows shortly. If you are in a rush here is what
I would try first:

Stop the agent, drop the agent from the server config (with manage
agents), add a new agent (with a new id number), restart the server,
export the new key for the agent, install the new key on the agent,
start the agent.

If the "Waiting for permission..." agent is version 1.1 -- it may
be the same problem but logging it differently. I'd try upgrading
that agent to 1.4 to match your others, but if you can't, I'd still
give the new agent id a shot. With the same caveat that I'm not an
ossec guru, just trying to help out a little bit around the edges.

I'll try to update the wiki with this (if it works for you) or with
an official fix when I see that response.

-David

Daniel Rubio wrote:
> In the last days I've been having problems contacting some ossec
> agents. I changed some directory permissions, but afterwards I recovered
> from backup, reinstalled, upgraded, re-created the agents... but some
> agents still don't contact the server.
>
> It's a bit confusing: in the web interface, these clients don't appear
> (previously I think they appeared as inactive). I looked at the firewall
> but there don't seem to be communication problems. I don't know what to do...
>
> In the ossec log for one of these clients, this appears (nightly 1.4 release):
>
> 2007/10/24 11:19:21 ossec-agentd: Duplicate error: global: 25, local:
> 8838, saved global: 26, saved local:7118
> 2007/10/24 11:19:21 ossec-agentd(1407): Duplicated counter for 'DB'.
> 2007/10/24 11:19:21 ossec-agentd(1214): Problem receiving message from
> 192.168.200.245.
> 2007/10/24 11:19:30 ossec-agentd: Duplicate error: global: 25, local:
> 8839, saved global: 26, saved local:7118
> 2007/10/24 11:19:30 ossec-agentd(1407): Duplicated counter for 'DB'.
> 2007/10/24 11:19:30 ossec-agentd(1214): Problem receiving message from
> 192.168.200.245.
> 2007/10/24 11:19:35 ossec-agentd(4101): Waiting for server reply (not
> started).
>
> In another (1.1):
>
> 2007/10/24 12:36:39 ossec-syscheckd(1702): No directory provided for
> 'directories' element.
> 2007/10/24 12:36:39 ossec-execd(1350): Active response disabled. Exiting.
> 2007/10/24 12:36:39 ossec-syscheckd(1702): No directory provided for
> 'directories' element.
> 2007/10/24 12:36:39 ossec-syscheckd: Syscheck disabled. Exiting.
> 2007/10/24 12:36:45 ossec-logcollector(1950): Analyzing file:
> '/var/log/authlog'.
> 2007/10/24 12:36:45 ossec-logcollector(1950): Analyzing file:
> '/var/log/syslog'.
> 2007/10/24 12:36:45 ossec-logcollector(1950): Analyzing file:
> '/var/adm/messages'.
> 2007/10/24 12:36:45 ossec-logcollector: Started (pid: 4314).
> 2007/10/24 12:36:49 ossec-logcollector: Process locked. Waiting for
> permission...
>
> Actually, the server is a nightly 1.4 release

--
_______________________________________________
GPG (http://www.gnupg.org/) key available from:
http://www.kayakero.net/per/david/
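
As an added example (not part of either poster's message and not OSSEC code): a small Python triage script that pulls the `Duplicate error` entries out of an agent log, tolerating the mail-wrapped and `>`-quoted form shown in the thread, and reports whether each received counter is behind the saved one. The ordering of the counters as a (global, local) pair and the function names are assumptions.

```python
import re

# Entry format as quoted in the thread; \s* tolerates the mail client's
# line wrap between a field name and its value.
DUP_RE = re.compile(
    r"(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) ossec-agentd: Duplicate error:\s*"
    r"global:\s*(?P<g>\d+),\s*local:\s*(?P<l>\d+),\s*"
    r"saved global:\s*(?P<sg>\d+),\s*saved local:\s*(?P<sl>\d+)"
)

# Log lines copied from the quoted message above (still '>'-quoted and wrapped).
SAMPLE = """\
> 2007/10/24 11:19:21 ossec-agentd: Duplicate error: global: 25, local:
> 8838, saved global: 26, saved local:7118
> 2007/10/24 11:19:21 ossec-agentd(1407): Duplicated counter for 'DB'.
> 2007/10/24 11:19:30 ossec-agentd: Duplicate error: global: 25, local:
> 8839, saved global: 26, saved local:7118
"""

def find_counter_rejections(log_text):
    """Return one dict per 'Duplicate error' entry in an ossec.log excerpt."""
    # Strip '> ' quoting so text pasted from mail parses like the raw log.
    text = re.sub(r"^>[ \t]?", "", log_text, flags=re.M)
    events = []
    for m in DUP_RE.finditer(text):
        received = (int(m["g"]), int(m["l"]))
        saved = (int(m["sg"]), int(m["sl"]))
        events.append({
            "time": m["ts"], "received": received, "saved": saved,
            # Assumption: counters are compared as a (global, local) pair.
            "behind_saved": received <= saved,
        })
    return events

def summarize(events):
    """Collapse repeated rejections into one finding per saved counter."""
    out = {}
    for e in events:
        s = out.setdefault(e["saved"], {"count": 0, "first": e["time"],
                                        "last": e["time"], "all_behind": True})
        s["count"] += 1
        s["last"] = e["time"]
        s["all_behind"] = s["all_behind"] and e["behind_saved"]
    return out

if __name__ == "__main__":
    for saved, s in summarize(find_counter_rejections(SAMPLE)).items():
        state = "received counter behind saved" if s["all_behind"] else "mixed"
        print(f"saved={saved} rejections={s['count']} "
              f"{s['first']} .. {s['last']}: {state}")
```

A saved counter that stays fixed while every received counter is behind it matches the restored-counter situation described in the reply.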
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.