SOLVED Re: [ossec-list] Invalidate all old clients


sandeep dubey

Feb 3, 2016, 10:16:07 PM
to ossec...@googlegroups.com
Hi, 

Thanks for all the help. The following steps resolved the issue.

0. removing the client.keys file, and the files in queue/rids, queue/agent-info, queue/syscheck and queue/rootcheck
1. stopped ossec services on agent
2. purged ossec
3. removed all ossec references, directories.
4. reinstalled ossec agent

On Thu, Feb 4, 2016 at 1:40 AM, Pedro S <pe...@wazuh.com> wrote:
Hi,

ossec-remoted should start by itself; if not, it is usually because you don't have any agents added. Try to run bin/manage_agents, add an example agent, restart OSSEC and remoted should start.

Check client.keys to verify if this "example agent" was added. Check permissions of folders etc/ and queue/.

On Wednesday, February 3, 2016 at 5:57:44 AM UTC+1, sandeep wrote:
Hi Santiago,

Thanks for the reply. 

I removed all the old files from the path you mentioned and restarted both master and agent services. Below are the logs I see -

On Master - 
2016/02/03 04:50:43 ossec-remoted(1408): ERROR: Invalid ID for the source ip: 'xxx.xxx.xxx.xxx'.
2016/02/03 04:50:49 ossec-remoted(1408): ERROR: Invalid ID for the source ip: 'xxx.xxx.xxx.xxx'.

On Agent - 
2016/02/03 04:48:35 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: 'ossec.druva.com/yyy.yyy.yyy.yyy'.
2016/02/03 04:49:31 ossec-agentd: INFO: Trying to connect to server (ossec.druva.com/yyy.yyy.yyy.yyy:1514).
2016/02/03 04:49:31 ossec-agentd: INFO: Using IPv4 for: yyy.yyy.yyy.yyy.

I am trying this on an AWS EC2 setup. Port 1514 is open and the server is listening on the same UDP port. The OS is Ubuntu 14.04 LTS, and installation was done through the repository on both master and agent.

One more observation: when I restart the ossec service, all the services come up without an issue, but ossec-remoted doesn't start. I have to run the "./ossec-remoted" command from the /bin directory every time I do a service restart.

On Wed, Feb 3, 2016 at 12:28 AM, Santiago Bassett <santiago...@gmail.com> wrote:
Hi Sandeep,

Those issues are probably not related to each other. Removing the client.keys file, and the files in queue/rids, queue/agent-info, queue/syscheck and queue/rootcheck should be enough.

Any error message in your agent or manager log files?

On Mon, Feb 1, 2016 at 7:19 AM, sandeep <sandeep...@gmail.com> wrote:
Hi, 

What should be the approach to delete all agents and their respective entries to start from scratch?

I have an ossec server and 50+ agents which were in 'inactive' state. I decided to upgrade the server and client version (start as fresh). I moved client.keys and all files from the rids directory and added one new client manually, but it fails to communicate with the server.

--

---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--
Regards,
Sandeep

--
Regards,
Sandeep
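
The cleanup listed in this thread (client.keys plus the files in queue/rids, queue/agent-info, queue/syscheck and queue/rootcheck) as a shell function. This is an added example, not code from the thread participants or the OSSEC project. It assumes the install root is passed as the first argument (commonly /var/ossec), that OSSEC has already been stopped, and it moves the files into a restricted backup directory instead of deleting them; the function name and backup location are hypothetical.

```shell
#!/bin/sh
# Added example: back up, then clear, the per-agent state named in the thread.
# Assumptions: $1 is the OSSEC install root (commonly /var/ossec), OSSEC is
# stopped (bin/ossec-control stop), and on a real system this runs as root.

reset_ossec_agent_state() {
    ossec_home=$1
    backup_root=${2:-"$ossec_home/backup"}   # hypothetical backup location

    [ -d "$ossec_home/etc" ] && [ -d "$ossec_home/queue" ] || {
        echo "not an OSSEC directory: $ossec_home" >&2
        return 1
    }

    backup="$backup_root/agent-state-$(date +%Y%m%d%H%M%S)"
    mkdir -p "$backup/etc" || return 1
    # client.keys contains each agent's pre-shared key, so keep the copy private.
    chmod 700 "$backup" || return 1

    # client.keys holds every agent's ID, name, IP and key.
    if [ -f "$ossec_home/etc/client.keys" ]; then
        mv "$ossec_home/etc/client.keys" "$backup/etc/" || return 1
    fi

    # Per-agent counters and cached data. Only the contents are moved, so the
    # directories keep their installed ownership and permissions.
    for dir in rids agent-info syscheck rootcheck; do
        src="$ossec_home/queue/$dir"
        [ -d "$src" ] || continue
        mkdir -p "$backup/queue/$dir" || return 1
        find "$src" -mindepth 1 -maxdepth 1 \
            -exec mv {} "$backup/queue/$dir/" \; || return 1
    done

    # Print where the old state went so it can be inspected or restored.
    echo "$backup"
}
```

After it runs, agents are re-added with bin/manage_agents and OSSEC is restarted, as described in the replies above.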