Another agent disconnect issue

Posted: Tue Dec 14, 2021 2:13 pm
by mhhall3
I am having some difficulty getting some clients to connect to my OSSEC server. I have confirmed that the correct IP address is in place on the client (and removed it from the log below). The server is accepting connections from other clients. I have tried removing the /var/ossec/queue/ossec/.wait file to clear what appear to be the errors below for "Process locked". I've tried enabling debugging info (=1) in etc/internal_options.conf.

I was hoping someone would recognize the issue, or suggest further ways to obtain info on it.
Thanks, Mike



2021/12/14 12:52:16 ossec-logcollector: INFO: Started (pid: 1199315).
2021/12/14 12:52:22 ossec-logcollector: WARN: Process locked. Waiting for permission...
2021/12/14 12:52:31 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: 'ossec-serverIP'.
2021/12/14 12:52:33 ossec-agentd: INFO: Trying to connect to server ossec-serverIP, port 1514.
2021/12/14 12:52:33 INFO: Connected to ossec-serverIP at address ossec-serverIP, port 1514
2021/12/14 12:52:33 ossec-agentd [dns]: DEBUG: n == 0
2021/12/14 12:52:33 ossec-agentd: WARN: n == 0
2021/12/14 12:52:33 ossec-agentd: DEBUG: agt->sock: 15
2021/12/14 12:52:54 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: 'ossec-serverIP'.
2021/12/14 12:53:14 ossec-agentd: INFO: Trying to connect to server ossec-serverIP, port 1514.
2021/12/14 12:53:14 INFO: Connected to ossec-serverIP at address ossec-serverIP, port 1514
2021/12/14 12:53:14 ossec-agentd [dns]: DEBUG: n == 0
2021/12/14 12:53:14 ossec-agentd: WARN: n == 0
2021/12/14 12:53:14 ossec-agentd: DEBUG: agt->sock: 18
2021/12/14 12:53:16 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2021/12/14 12:53:16 ossec-syscheckd: WARN: Process locked. Waiting for permission...
2021/12/14 12:53:35 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: 'ossec-serverIP'.

Re: Another agent disconnect issue

Posted: Thu Dec 16, 2021 9:39 am
by cponton
Please verify that the auth key on the client matches the corresponding agent ID on the HUB.

https://www.ossec.net/docs/manual/agent ... sec-server

Re: Another agent disconnect issue

Posted: Thu Dec 16, 2021 11:16 am
by mhhall3
I have checked to confirm that the client.key is installed and matches on both server and client.
I'm seeing this on a small percentage of my systems (>5%).
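
Added example, not part of the thread or of OSSEC itself: one way to run the key check suggested above across many agents. It compares an agent's client.keys entry with the server's entry for the same agent ID and prints only short fingerprints, never the keys. It assumes the usual whitespace-separated "ID name IP key" layout and one entry in the agent's file; all sample entries are constructed.

```python
import hashlib
import hmac

def parse_client_keys(text):
    """Parse client.keys content into {agent_id: (name, ip, key)}."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(None, 3)
        if len(parts) != 4:
            raise ValueError(f"malformed client.keys line ({len(parts)} fields)")
        agent_id, name, ip, key = parts
        entries[agent_id] = (name, ip, key.strip())
    return entries

def fingerprint(key):
    """Short SHA-256 prefix so keys can be compared in output without being shown."""
    return hashlib.sha256(key.encode()).hexdigest()[:12]

def check_agent(server_text, agent_text):
    """Return a list of problems for the agent's entry; an empty list means it matches."""
    server = parse_client_keys(server_text)
    agent = parse_client_keys(agent_text)
    if len(agent) != 1:  # assumption: an agent holds exactly one entry
        return [f"agent file should hold one entry, found {len(agent)}"]
    agent_id, (name, ip, key) = next(iter(agent.items()))
    if agent_id not in server:
        return [f"agent ID {agent_id} is not present on the server"]
    s_name, s_ip, s_key = server[agent_id]
    problems = []
    if name != s_name:
        problems.append(f"name differs: agent '{name}', server '{s_name}'")
    if ip != s_ip:
        problems.append(f"IP differs: agent '{ip}', server '{s_ip}'")
    if not hmac.compare_digest(key.encode(), s_key.encode()):
        problems.append(f"key differs: agent {fingerprint(key)}, server {fingerprint(s_key)}")
    return problems

# Constructed sample data (not real keys).
SERVER_KEYS = "001 web01 10.0.0.5 " + "a1" * 32 + "\n002 db01 any " + "b2" * 32 + "\n"
AGENT_OK = "002 db01 any " + "b2" * 32 + "\n"
AGENT_STALE = "001 web01 10.0.0.5 " + "c3" * 32 + "\n"  # key from an older registration
AGENT_UNKNOWN = "007 lab01 10.0.0.9 " + "d4" * 32 + "\n"

if __name__ == "__main__":
    for label, text in [("ok", AGENT_OK), ("stale", AGENT_STALE), ("unknown", AGENT_UNKNOWN)]:
        print(label, check_agent(SERVER_KEYS, text) or "match")
```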