From OSSEC Wiki
The communication between my agent and the server is not working. What to do?
There are several possible causes. First, look at your agent
and server logs to see what they say.
If you don't know where they are, go to
our Troubleshooting page for more information.
In addition, follow the step-by-step procedure at the end if you need to add or re-add
the authentication keys.
There is a firewall between the agent and the server.
If you have the following message on the agent log:
2007/04/19 12:42:54 ossec-agentd(4101): Waiting for server reply (not started).
2007/04/19 12:43:10 ossec-agentd(4101): Waiting for server reply (not started).
2007/04/19 12:43:41 ossec-agentd(4101): Waiting for server reply (not started).
2007/04/19 12:44:27 ossec-agentd(4101): Waiting for server reply (not started).
and nothing in the server log, you probably have a firewall between the two devices. Make sure to open port 1514 UDP between them, keeping state (the agent connects to the server and expects a reply back).
The way the agent/server communication works is that the agent starts a connection to the server from a random high port, so the only port that OSSEC opens is on the server side (port 1514 UDP). It works similarly to DNS, where the DNS client connects to UDP port 53 and expects a reply back.
Wrong authentication keys configured (you imported a key from a different agent).
If that's the case, you would be getting logs similar to the above on the agent and the following on the server (see also Errors:1403):
2007/05/23 09:27:35 ossec-remoted(1403): Incorrectly formated message from 'xxx.xxx.xxx.xxx'.
2007/05/23 09:27:35 ossec-remoted(1403): Incorrectly formated message from 'xxx.xxx.xxx.xxx'.
The IP address you configured for the agent is different from what the server is seeing.
Same as above (see also Errors:1403).
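The three causes above can be told apart from the two logs. The following is an added example, not part of the OSSEC wiki or the OSSEC code base: it applies the page's rules to constructed sample logs. The `triage` function and its `registered_ip` parameter are hypothetical, and it assumes the address in the 1403 message is the source address the server sees.

```python
import re

# Patterns match the two log messages quoted on this page.
AGENT_WAITING = re.compile(r"ossec-agentd\(4101\): Waiting for server reply")
SERVER_1403 = re.compile(
    r"ossec-remoted\(1403\): Incorrectly formated message from '([^']+)'")


def triage(agent_log, server_log, registered_ip):
    """Map the two logs to one of the causes listed on the page.

    registered_ip is the address entered for the agent in manage-agents
    (hypothetical parameter, supplied by the operator).
    """
    waiting = sum(1 for l in agent_log.splitlines() if AGENT_WAITING.search(l))
    seen = set()
    for line in server_log.splitlines():
        m = SERVER_1403.search(line)
        if m:
            seen.add(m.group(1))

    if not waiting:
        return "no-known-pattern"
    if not seen:
        # Agent waits, server logs nothing: traffic is not arriving.
        return "firewall: check UDP 1514 agent -> server"
    if registered_ip in seen:
        # Server sees the expected address but cannot read the message.
        return "wrong-key: re-add the authentication key"
    # Server rejects messages, but only from other addresses (e.g. NAT).
    return "ip-mismatch: server sees " + ", ".join(sorted(seen))


# Constructed sample logs (addresses from documentation ranges).
AGENT_LOG = """\
2007/04/19 12:42:54 ossec-agentd(4101): Waiting for server reply (not started).
2007/04/19 12:43:10 ossec-agentd(4101): Waiting for server reply (not started).
"""
SERVER_LOG = """\
2007/05/23 09:27:35 ossec-remoted(1403): Incorrectly formated message from '198.51.100.7'.
"""

if __name__ == "__main__":
    print(triage(AGENT_LOG, "", "192.0.2.10"))
    print(triage(AGENT_LOG, SERVER_LOG, "198.51.100.7"))
    print(triage(AGENT_LOG, SERVER_LOG, "192.0.2.10"))
```

The "ip-mismatch" result is a hint only: on a server with several agents, the 1403 lines may belong to a different agent, so compare the reported address with the one this agent actually sends from.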
Step by Step -- adding the authentication keys
For most of the errors (except the firewall issue), removing and re-adding the authentication keys
fixes the problem. Do the following if you are having issues:
1-Stop the server and the agent.
1.1 - Make sure they are really stopped (ps on Unix or sc query ossecsvc on Windows)
2-Run the manage-agents tool on the server and remove the agent.
3-Still on the server, add the agent using manage-agents. Make sure the IP is correct.
4-Start the server.
5-Run manage-agents on the agent and import the newly generated key.
6-Start the agent.
If it still doesn't work after that, contact our mailing list for help.
