Ossec Agent 2.71 Keeps disconnecting from Ossec server 2.8.3


Alexandre LAQUERRE

Apr 5, 2016, 9:21:18 AM
to ossec...@googlegroups.com

Hi,

I have been using Ossec for quite a while, and we decided to upgrade the version (2.7.1) to 2.8.3. That was relatively successful, except for the fact that it pulled a number on my Ossec.conf by creating indent problems and adding open brackets in the wrong area, but anyway it works. My issue is that for the moment our client will not update the OSSEC agents and wishes to keep the 2.7.1. I have not seen any documentation that would indicate a compatibility issue; however, I noticed that no matter what I do, the agents will end up disconnecting. They will start out all active and then, after 20 minutes or so, they will all be disconnected except for a small minority.

When I performed the install I set the maximum number of agents to 4096 because the client has about … I would say close to 3000 agents. Furthermore, the installation did go well; however, I suspect that the agent.conf file in the shared folder got messed up due to this update being very significant. I have been working on this issue for at least three days and I am no longer certain where to look.

I would like to specify that I have already tried to erase the RIDS while Ossec (server) is stopped, and when I start it back up again the same issue occurs. Now I am hoping the solution will not be to erase the rids from the client, as it would be a long process for our customer.

Thank you,

Alexandre Laquerre

Security Analyst



dan (ddp)

Apr 5, 2016, 4:00:43 PM
to ossec...@googlegroups.com


On Apr 5, 2016 12:03 PM, "Alexandre Laquerre" <laquerre....@gmail.com> wrote:
>
> Hi ,
> I have created a gmail account which may make it easier anyway. So I noticed that when I updated the server to 2.8.3 everything seemed to be good; however, now the agents are almost all disconnected, then 20 minutes later they are all basically 50/50.
>
> I am getting a lot of duplicate issues or invalid ID. Considering that we have around 2-3k agents, what would be the best solution?
>

Try upgrading an agent that currently has issues to 2.8.3 to see if the issues continue. Using mismatched versions isn't really supported.

> Thank you,



Santiago Bassett

Apr 9, 2016, 11:12:32 PM
to ossec...@googlegroups.com
Do you have errors in your manager /var/ossec/logs/ossec.log?

In case it helps, try disabling rids both on the manager and agents (it is important to do it in both places). Those probably got messed up during the upgrade. That can be done by modifying internal_options.conf:

remoted.verify_msg_id=0

I hope it helps,

Santiago.

Kat

Apr 12, 2016, 9:51:33 AM
to ossec-list, a.laq...@linkbynet.com
I have seen this as well, and what I found seemed to be related to the encryption being used on 2.8.3 vs the 2.7 packages. As Santi suggested, also removing the rids for the agents allows them to connect. I would, however, strongly suggest keeping them within the same release, as it avoids many of the problems observed.

Kat

Alexandre LAQUERRE

Apr 12, 2016, 9:53:20 AM
to Kat, ossec-list

Thank you very much for the information,

I was able to convince our customer to deploy the new version update in order to limit the downtime, and he is going to install 10 or 20 machines in order to see if it works or not.


Alexandre Laquerre

Apr 13, 2016, 8:47:37 AM
to ossec-list, uncom...@gmail.com, a.laq...@linkbynet.com



Hi, so I have installed a few agents with 2.8.3, and then I noticed a lot of duplicates, so I stopped the server and then cleared the RIDS files; however, I now see this issue in the server logs:
ERROR: Invalid ID for the source ip:

I have installed 10 agents so far with version 2.8.3; however, we have around 1500 agents. The duplicates are still there. Is there another way, because clearing the RIDS does not seem to make any difference? Who decides who gets the RIDS? Is there an option to force the server to have control and thus decide that everyone accepts the RIDS that is given to the agent? It seems as if the agent has power over the server, and I am not really understanding this. Any help would really be appreciated as I am stumped presently.

Thank you

Kat

Apr 13, 2016, 10:40:00 AM
to ossec-list, a.laq...@linkbynet.com
You should disable RIDS:

remoted.verify_msg_id=0

The errors should go away. The problem is that RIDS must be removed on both agent and server; that may be causing issues.

Kat

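Santiago's and Kat's replies both come down to the same two maintenance steps: set remoted.verify_msg_id=0 in internal_options.conf on the manager and on every agent, and clear the rids counter files only while the daemon is stopped. The script below is an added example written for this thread, not code from the OSSEC project or from any poster. It assumes the stock OSSEC layout (an internal_options.conf of KEY=VALUE lines, per-agent counter files under a queue/rids directory, and daemon pidfiles named ossec-remoted-<pid>.pid or ossec-agentd-<pid>.pid under var/run); the paths are passed in as parameters so it can be exercised against a scratch directory first.

```shell
#!/bin/sh
# Added example (not from the thread): idempotently set an OSSEC internal option
# and clear the rids counters, refusing to touch them while OSSEC is running.
# Assumed layout (stock OSSEC): $OSSEC/etc/internal_options.conf,
# $OSSEC/queue/rids/, $OSSEC/var/run/ossec-*-<pid>.pid

# set_internal_option FILE KEY VALUE
# Rewrites an existing "KEY=..." line or appends one; other lines are untouched.
set_internal_option() {
    file=$1; key=$2; value=$3
    # Escape the dots in keys such as remoted.verify_msg_id for the regex.
    re=$(printf '%s' "$key" | sed 's/\./\\./g')
    if [ -f "$file" ] && grep -q "^${re}=" "$file"; then
        # Write to a temp file so a failed sed never truncates the config.
        tmp="${file}.tmp.$$"
        sed "s|^${re}=.*|${key}=${value}|" "$file" > "$tmp" && mv "$tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_internal_option FILE KEY -> prints the current value (last match wins)
get_internal_option() {
    grep "^$2=" "$1" | tail -n 1 | cut -d= -f2-
}

# clear_rids RIDS_DIR PIDFILE_DIR
# Removes the per-agent message-counter files only if no manager (ossec-remoted)
# or agent (ossec-agentd) pidfile is present, i.e. OSSEC was stopped first as
# the thread advises. Returns 1 and deletes nothing otherwise.
clear_rids() {
    rids_dir=$1; pid_dir=$2
    for p in "$pid_dir"/ossec-remoted-*.pid "$pid_dir"/ossec-agentd-*.pid; do
        if [ -e "$p" ]; then
            echo "refusing: $p exists, stop OSSEC first" >&2
            return 1
        fi
    done
    find "$rids_dir" -type f -exec rm -f {} +
}

# Typical use on a stopped manager or agent (assumed default prefix /var/ossec):
#   set_internal_option /var/ossec/etc/internal_options.conf remoted.verify_msg_id 0
#   clear_rids /var/ossec/queue/rids /var/ossec/var/run
```

Run the two calls shown in the trailing comment on the manager and on each 2.7.1 agent, then start OSSEC again; the pidfile check is what keeps a hurried operator from wiping counters under a running daemon, which would only produce a fresh round of invalid-ID errors.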

Alexandre Laquerre

Apr 13, 2016, 11:16:54 AM
to ossec-list, a.laq...@linkbynet.com
Hi Kat, OK, and if I am not mistaken I need to perform the same config for all agents, right?

So here is the idea that I feel is perhaps the only solution.
Stop the server, erase the RIDS, and then have our customer deploy a script in order to stop all the agents, install version 2.8.3, and finally erase the RIDS files. Once done, restart the server and then restart the ossec agents.

Alexandre Laquerre

Apr 13, 2016, 11:23:28 AM
to ossec-list, a.laq...@linkbynet.com
I have added my ossec.conf and agent.conf. Is it possible to have a look to see if there is something that is off? (I have removed the IP address for the agentless section.)

Thank you,

Alex


Attachments: agent.conf, ossec.conf

Alexandre Laquerre

Apr 19, 2016, 3:13:00 PM
to ossec-list, a.laq...@linkbynet.com
So the final result was as follows. The first step: I exported the agent list and updated the list (I basically erased 1000 agents that were no longer used (#***)) and then saved it in CSV format. Following that, I used the script manage_agents -f to reimport the whole agent list with new IDs. It basically took a good hour. Once done, I created a script that would uninstall + install the Ossec Agent (2.8.3) and then attribute its key to the installation, which basically takes 5 seconds, and then it is up and running.

So all is now good. 

Hopefully this can help anyone that has a similar issue as well.

Cheers,
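Alexandre's fix re-keyed the whole fleet: export the agent list, drop the entries that were no longer used (the "#***" ones), and feed the remainder back through manage_agents -f. The snippet below is an added example for this thread, not code from the OSSEC project or from Alexandre. It assumes the stock client.keys line format "ID NAME IP KEY", that manage_agents marks a removed agent by overwriting its NAME with a "#*#*..." string (the "#***" entries mentioned above), and that manage_agents -f reads one "ip,name" line per agent; the sample client.keys in the test is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): turn an OSSEC client.keys into a bulk
# file for "manage_agents -f", dropping removed agents and flagging duplicates.
# Assumed formats: client.keys lines are "ID NAME IP KEY"; removed agents keep
# their line but NAME begins with "#*"; manage_agents -f wants "ip,name" lines.

# active_agents CLIENT_KEYS -> one "ip,name" line per live agent on stdout.
# Lines with fewer than four fields (blank or damaged) are skipped as well.
active_agents() {
    awk 'NF >= 4 && $1 !~ /^#/ && $2 !~ /^#/ { print $3 "," $2 }' "$1"
}

# count_removed CLIENT_KEYS -> number of entries marked removed
count_removed() {
    awk 'NF >= 4 && $2 ~ /^#/ { n++ } END { print n + 0 }' "$1"
}

# duplicate_names BULK_FILE -> names that occur more than once (empty if none).
# Re-importing duplicate names or IPs would reproduce the "duplicate" errors
# from the thread, so check before handing the file to manage_agents -f.
duplicate_names() {
    cut -d, -f2 "$1" | sort | uniq -d
}

# duplicate_ips BULK_FILE -> IPs that occur more than once (empty if none).
# Note that an IP of "any" is passed through and will legitimately repeat.
duplicate_ips() {
    cut -d, -f1 "$1" | grep -v '^any$' | sort | uniq -d
}

# Typical use (assumed default prefix /var/ossec), run on a stopped manager:
#   active_agents /var/ossec/etc/client.keys > /tmp/agents.txt
#   duplicate_names /tmp/agents.txt; duplicate_ips /tmp/agents.txt
#   /var/ossec/bin/manage_agents -f /tmp/agents.txt
```

Review the two duplicate listings (and, with count_removed, how many stale entries were dropped) before running the import; every new key then still has to be extracted and installed on its agent, which is the per-host step Alexandre scripted.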

theresa mic-snare

Apr 20, 2016, 3:42:13 AM
to ossec-list, a.laq...@linkbynet.com
awesome, thanks for sharing your experience with us Alexandre.
I'm sure this could be beneficial to others as well!