Atomicorp

I've seen some posts about remove everything in the queue/rids folder on both the server and client. Tried that, and restarted agent and server. Immediately get duplicate counters again. So something is not right somewhere that is causing this. Would appreciate some advice and where else to look for...

Thanks. We definitely don't have any NAT going on, this is all on a local LAN. But, what do you mean by "if a key is pinned to an IP address"? I thought every client key was associated to a hostname and IP. That's not default behavior?

J

I just manually added a new client on the OSSEC server, imported the key on the client, and a few minutes later, duplicate counter now shows in the log. So could our new server be setup incorrectly or the migration was done wrong somehow? I don't really understand the underlying issue on why all the...

Thank you for the response. But if these are brand new agents, why is this necessary?

I really don't want to disable this security feature.

J

On both of our OSSEC servers, that option is set to
On our clients, it appears to be set the same. I checked and our old servers had the same option enabled.

J

Hi, Actually, no that is not what I mean. What we see are these types of errors now when adding new agents. 2022/03/17 08:29:37 ossec-remoted: WARN: Duplicate error: global: 1, local: 3154, saved global: 1, saved local:3155 2022/03/17 08:29:37 ossec-remoted(1407): ERROR: Duplicated counter for 'xxxx...

Hello, We recently updated an older OSSEC server (2.9.0) to version 3.6.0. We followed the upgrade guidelines for backing up all the OSSEC files and restoring them on the new server. The existing agents appeared to communicate just fine and are working. However, when we add a new agent on the new se...