Duplicated counter


Abdulvehhab Agin

May 11, 2016, 4:33:00 PM
to ossec-list
Hi,



Sometimes the OSSEC server reports "ERROR: Duplicated counter for" errors. In particular, we have a large volume of logs and the log sending protocol is UDP, so the rids counters on the agent and the server are sometimes inconsistent.

When I see this error, I see that the agent is inactive. After this, the agent won't send any logs.

How can I solve this problem?


OSSEC version 2.8.3

Pedro S

May 12, 2016, 3:37:15 AM
to ossec-list
Hi,

If multiple agents are using the same key, you need to set them up with their own unique key.
If you re-installed an agent and didn't back up the rids files, you should create a new key for the agent and use that.
If you prefer to avoid any counter errors, try deactivating the counters: open the file etc/internal_options.conf (Manager & Agent) and set verify_msg_id=0.


Regards,


Pedro S.
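
The three cases in the reply above, as an added illustration that is not part of the original post: a simplified model of a per-key message counter check, not OSSEC source code. The class, key id and counter values are constructed for the example.

```python
# Simplified model (assumption, not OSSEC code): the receiver remembers the
# highest counter accepted per key and rejects anything not strictly greater.
class CounterCheck:
    def __init__(self, verify_msg_id=True):
        self.verify_msg_id = verify_msg_id
        self.last_seen = {}  # key id -> highest counter accepted so far

    def receive(self, key_id, counter):
        if not self.verify_msg_id:
            # Counter check disabled: nothing is rejected, replays included.
            return "accepted"
        if counter <= self.last_seen.get(key_id, 0):
            return "duplicated counter"
        self.last_seen[key_id] = counter
        return "accepted"


def run(messages, verify_msg_id=True):
    """Feed (key_id, counter) pairs to a fresh receiver, return each verdict."""
    check = CounterCheck(verify_msg_id)
    return [check.receive(key_id, counter) for key_id, counter in messages]


def rejected(messages, verify_msg_id=True):
    return run(messages, verify_msg_id).count("duplicated counter")


# Constructed scenarios, all using one hypothetical key id.
# Agent re-installed without its rids files: its counter restarts at 1
# while the server still remembers 4.
REINSTALLED = [("key-001", c) for c in (1, 2, 3, 4, 1, 2)]
# Two hosts sharing one key: their independent counters interleave.
SHARED_KEY = [("key-001", 10), ("key-001", 3), ("key-001", 11), ("key-001", 4)]
# The same message delivered twice.
REPLAY = [("key-001", 1), ("key-001", 2), ("key-001", 2)]

if __name__ == "__main__":
    for name, msgs in [("reinstalled", REINSTALLED),
                       ("shared key", SHARED_KEY),
                       ("replay", REPLAY)]:
        print(name, "check on:", rejected(msgs),
              "rejected; check off:", rejected(msgs, False), "rejected")
```

With the check switched off the duplicated-counter rejections disappear in all three scenarios, and so does the rejection of the repeated message.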

Abdulvehhab Agin

May 12, 2016, 3:44:43 PM
to ossec-list
Thanks for your interest.




Abdulvehhab Agin

May 13, 2016, 7:37:10 AM
to ossec-list
When I change verify_msg_id=0, I get lots of errors in the OSSEC log:




2016/05/13 14:33:17 ossec-agent: ERROR: Could not move (tmp/Security-a06404) to (bookmarks/Security) which returned (5)
2016/05/13 14:33:17 ossec-agent: ERROR: Could not rename_ex() temporary bookmark (tmp/Security-a06404) to (bookmarks/Security) for (Security)
2016/05/13 14:33:17 ossec-agent: ERROR: Could not move (tmp/Security-a06404) to (bookmarks/Security) which returned (5)
2016/05/13 14:33:17 ossec-agent: ERROR: Could not rename_ex() temporary bookmark (tmp/Security-a06404) to (bookmarks/Security) for (Security)
2016/05/13 14:33:17 ossec-agent: ERROR: Could not move (tmp/Security-a06404) to (bookmarks/Security) which returned (5)
2016/05/13 14:33:17 ossec-agent: ERROR: Could not rename_ex() temporary bookmark (tmp/Security-a06404) to (bookmarks/Security) for (Security)




Pedro Sanchez

May 13, 2016, 9:53:20 AM
to ossec...@googlegroups.com
Hi,

I don't think verify_msg is related to those errors.

It seems like those files (EventChannel bookmarks) no longer exist in the tmp folder or OSSEC does not have enough permissions; try reinstalling the agent.
If you prefer, paste here your EventChannel queries so I can test them in my labs.

Best regards,

Pedro S.




Pedro S

May 13, 2016, 12:57:57 PM
to ossec-list
Just to be sure, the variable I was talking about is:

# Verify msg id (set to 0 to disable it)
remoted.verify_msg_id=1

At /var/ossec/etc/internal_options.conf


Best regards,

Pedro S.


Abdulvehhab Agin

May 13, 2016, 6:42:28 PM
to ossec...@googlegroups.com
The system is Windows and I use the latest stable version, 2.8.3, so it is located at c:\program files (x86)\ossec\

When remoted.verify_msg_id = 0, errors appear;
When remoted.verify_msg_id = 0, there is no error.

I think the problem is the slash direction; tmp\Security-a06404 would solve this problem:
          Could not move (tmp/Security-a06404) to (bookmarks/Security) which returned (5)

          "If you prefer, paste here your EventChannel queries so I can test them in my labs."
I am at home; I will paste them in two days.





Abdulvehhab Agin

May 16, 2016, 8:07:57 AM
to ossec-list
Hi Pedro,


My ossec.conf and internal_options.conf are attached.

I set remoted.verify_msg_id=0 to ignore the Duplicated error.


ossec.conf
internal_options.conf

Pedro S

May 18, 2016, 10:58:14 AM
to ossec-list
Hi,

Your configuration is working properly in my environment. What Windows version are you running?

An EventChannel bookmark identifies an event in a channel or log file; bookmarks are created by OSSEC in order to subscribe to an event list.
I can see in my lab how the bookmark is first created in the tmp/ folder and then moved to the bookmarks/ folder.

Tracing your errors, the first one appears when OSSEC tries to rename the bookmark tmp file, function rename_ex (1 & 2); the second error is a consequence of the first error.

I can assume the file no longer exists in that folder or OSSEC does not have enough permissions to move/rename it. Try running uninstall.exe and starting from scratch by installing OSSEC again; if that does not work, try granting permissions to the group "Administrators".


Best regards,

Pedro S.
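
A small triage script for the agent errors quoted earlier in the thread, added here as an example and not part of any post or of OSSEC itself. It assumes the number in "which returned (N)" is the Windows system error code from the failed move on the Windows agent; the function and table names are made up for the example.

```python
import re
from collections import Counter

# Log lines copied from the agent output quoted in the thread.
SAMPLE_LOG = """\
2016/05/13 14:33:17 ossec-agent: ERROR: Could not move (tmp/Security-a06404) to (bookmarks/Security) which returned (5)
2016/05/13 14:33:17 ossec-agent: ERROR: Could not rename_ex() temporary bookmark (tmp/Security-a06404) to (bookmarks/Security) for (Security)
2016/05/13 14:33:17 ossec-agent: ERROR: Could not move (tmp/Security-a06404) to (bookmarks/Security) which returned (5)
2016/05/13 14:33:17 ossec-agent: ERROR: Could not rename_ex() temporary bookmark (tmp/Security-a06404) to (bookmarks/Security) for (Security)
2016/05/13 14:33:17 ossec-agent: ERROR: Could not move (tmp/Security-a06404) to (bookmarks/Security) which returned (5)
2016/05/13 14:33:17 ossec-agent: ERROR: Could not rename_ex() temporary bookmark (tmp/Security-a06404) to (bookmarks/Security) for (Security)
"""

# Standard Windows system error codes relevant to a failed file move.
# Assumption: the agent logs this code in "which returned (N)".
WIN32_ERRORS = {
    2: "ERROR_FILE_NOT_FOUND",
    3: "ERROR_PATH_NOT_FOUND",
    5: "ERROR_ACCESS_DENIED",
    32: "ERROR_SHARING_VIOLATION",
}

MOVE_RE = re.compile(
    r"ERROR: Could not move \((?P<src>[^)]+)\) to \((?P<dst>[^)]+)\)"
    r" which returned \((?P<code>\d+)\)"
)


def summarize(log_text):
    """Group failed bookmark moves by (source, destination, error code)."""
    failures = Counter()
    for line in log_text.splitlines():
        m = MOVE_RE.search(line)
        if m:
            failures[(m["src"], m["dst"], int(m["code"]))] += 1
    return [
        {"src": src, "dst": dst, "code": code,
         "meaning": WIN32_ERRORS.get(code, "unknown"), "count": count}
        for (src, dst, code), count in failures.items()
    ]


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
```

Under that assumption, code 5 is an access-denied result rather than a file-not-found one (2), which fits the permissions explanation in the reply above.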