Random OSSEC Agents Offline


Quintin Beukes

Jul 19, 2016, 10:13:50 AM
to ossec-list
Hi,

A few days ago some of my OSSEC agents started going offline and stopped sending alerts, and then a long while afterwards they come back online again like nothing's wrong. Restarting the agents doesn't help fix the offline status. This affects both agents running through a router/firewall to reach the server, and agents running in the same subnet as the server.

I removed all iptables filters and did a tcpdump on both offline and online agents, but couldn't notice anything out of the ordinary. 

Here are packets from an offline agent showing successful traffic from server to client and vice versa, as well as some curious port unreachable errors. Even though there is traffic, the agent shows as offline and no alerts are generated for events on this agent.

OSSEC Server IP: 10.10.12.171
Agent IP: 10.10.13.8

agent_control -l:
   ID: 019, Name: devjerm1, IP: 10.10.13.8, Disconnected

tcpdump:
15:47:36.515777 IP 10.10.13.8 > 10.10.12.171: ICMP 10.10.13.8 udp port 58989 unreachable, length 109
15:47:36.517646 IP 10.10.13.8.49382 > 10.10.12.171.1514: UDP, length 73
15:47:40.526516 IP 10.10.12.171.1514 > 10.10.13.8.58989: UDP, length 73
15:47:40.526567 IP 10.10.13.8 > 10.10.12.171: ICMP 10.10.13.8 udp port 58989 unreachable, length 109
15:47:41.518182 IP 10.10.13.8.49382 > 10.10.12.171.1514: UDP, length 73
15:47:47.518732 IP 10.10.13.8.49382 > 10.10.12.171.1514: UDP, length 73
15:47:59.581518 IP 10.10.12.171.1514 > 10.10.13.8.49382: UDP, length 73
15:48:07.897110 IP 10.10.12.171.1514 > 10.10.13.8.49382: UDP, length 73
15:48:14.725335 IP 10.10.12.171.1514 > 10.10.13.8.49382: UDP, length 73
15:48:19.395627 IP 10.10.12.171.1514 > 10.10.13.8.49382: UDP, length 73
15:48:25.521404 IP 10.10.13.8.59490 > 10.10.12.171.1514: UDP, length 73
15:48:31.522261 IP 10.10.13.8.59490 > 10.10.12.171.1514: UDP, length 73
15:48:35.522794 IP 10.10.13.8.59490 > 10.10.12.171.1514: UDP, length 73

Any insights are appreciated.

Quintin
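
One way to summarize a capture like the one posted above, as an added example that is not part of the original thread: it lists the source ports the agent sent from, the ports the server replied to, the ICMP port-unreachable counts, and any server reply aimed at a port other than the agent's most recent source port. The function name `summarize` and the result keys are hypothetical; the capture lines are copied from the post.

```python
import re
from collections import Counter

# Capture lines copied from the post above (server 10.10.12.171, agent 10.10.13.8).
CAPTURE = """\
15:47:36.515777 IP 10.10.13.8 > 10.10.12.171: ICMP 10.10.13.8 udp port 58989 unreachable, length 109
15:47:36.517646 IP 10.10.13.8.49382 > 10.10.12.171.1514: UDP, length 73
15:47:40.526516 IP 10.10.12.171.1514 > 10.10.13.8.58989: UDP, length 73
15:47:40.526567 IP 10.10.13.8 > 10.10.12.171: ICMP 10.10.13.8 udp port 58989 unreachable, length 109
15:47:41.518182 IP 10.10.13.8.49382 > 10.10.12.171.1514: UDP, length 73
15:47:47.518732 IP 10.10.13.8.49382 > 10.10.12.171.1514: UDP, length 73
15:47:59.581518 IP 10.10.12.171.1514 > 10.10.13.8.49382: UDP, length 73
15:48:07.897110 IP 10.10.12.171.1514 > 10.10.13.8.49382: UDP, length 73
15:48:14.725335 IP 10.10.12.171.1514 > 10.10.13.8.49382: UDP, length 73
15:48:19.395627 IP 10.10.12.171.1514 > 10.10.13.8.49382: UDP, length 73
15:48:25.521404 IP 10.10.13.8.59490 > 10.10.12.171.1514: UDP, length 73
15:48:31.522261 IP 10.10.13.8.59490 > 10.10.12.171.1514: UDP, length 73
15:48:35.522794 IP 10.10.13.8.59490 > 10.10.12.171.1514: UDP, length 73
"""

UDP_RE = re.compile(r"^(\S+) IP ([\d.]+)\.(\d+) > ([\d.]+)\.(\d+): UDP")
ICMP_RE = re.compile(r"^(\S+) IP (\S+) > (\S+): ICMP \S+ udp port (\d+) unreachable")

def summarize(capture, server, agent, server_port=1514):
    """Correlate agent source ports, server reply ports and ICMP unreachables."""
    ports, current = [], None  # agent source ports in order first seen; latest one
    replies, unreachable, stale = Counter(), Counter(), []
    for line in capture.splitlines():
        m = ICMP_RE.match(line)
        if m and m.group(2) == agent and m.group(3) == server:
            unreachable[int(m.group(4))] += 1  # agent rejected a packet to this port
            continue
        m = UDP_RE.match(line)
        if not m:
            continue
        ts, src, sport, dst, dport = m.groups()
        sport, dport = int(sport), int(dport)
        if src == agent and dst == server and dport == server_port:
            current = sport
            if sport not in ports:
                ports.append(sport)
        elif src == server and dst == agent and sport == server_port:
            replies[dport] += 1
            if dport != current:  # reply went to a port the agent is not sending from
                stale.append((ts, dport))
    return {"agent_ports": ports, "server_reply_ports": dict(replies),
            "unreachable": dict(unreachable), "stale_replies": stale}

if __name__ == "__main__":
    print(summarize(CAPTURE, "10.10.12.171", "10.10.13.8"))
```

On this capture it reports one server reply to port 58989 while the agent was sending from 49382, and two port-unreachable messages for that same port.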

João Pedro Maia

Jul 20, 2016, 3:08:34 PM
to ossec-list
I'd like to see answers for that as well, since I have a similar problem.