ERROR: Incorrectly formated message


Robert

Feb 2, 2016, 11:41:46 AM
to ossec-list
Hi,

I already removed and re-added one of my agents to the OSSEC server (following this guide), but still got ossec-remoted(1403): ERROR: Incorrectly formated message from '192.168.8.43'.
I have no clue why this is not working. I am using 2.8.3 version (server and agent).
As I checked, the client information on the server and the client is the same.

Do you have any idea what the heck is wrong?

Thanks, Robert

Robert

Feb 2, 2016, 11:41:48 AM
to ossec-list
Hi,

This problem drives me crazy.
I already followed the guide, and removed and re-added one of my agents, but I still get this error message:
 ossec-remoted(1403): ERROR: Incorrectly formated message from '192.168.8.43'.

As I checked, the client information on the server side and client side is the same, everything looks correct.

Do you have any idea what could cause the problem?

Thanks, Robert

Eero Volotinen

Feb 2, 2016, 12:23:57 PM
to ossec-list

Key is incorrect? Try deleting the old key and re-adding the agent?


Jose Luis Ruiz

Feb 2, 2016, 12:36:58 PM
to ossec...@googlegroups.com
Hi Robert, the same agent id? 

Try this: in ossecpath/etc/internal-options.conf, modify remoted.verify_msg_id=1 to 0 in both places, agent and manager.


regards

Robert

Feb 3, 2016, 2:07:02 AM
to ossec-list, eero.vo...@iki.fi
Hi Eero

I already tried that... a few times :)

Robert

Feb 3, 2016, 2:10:45 AM
to ossec-list
Hi Jose,

Yes, same ID, basically this is a new agent (it uses an old server's IP, but I deleted the old agent and created a new one).
Tried to modify remoted.verify_msg_id=1 to 0 -> restart, but nothing changed :S

Robert

Pedro S

Feb 3, 2016, 2:57:59 PM
to ossec-list
Hi,

Try to add the agent with the "any" parameter in the IP field (./manage_agents): when the "ip" question prompts, write "any". Just for testing; maybe the agent IP when reaching OSSEC is not the IP you are writing.

Robert

Feb 25, 2016, 7:06:35 AM
to ossec-list
Hi,

I tried, nothing changed.
But after a few hours the client started to work...weird.
And now, three other clients stopped working, they are in "Disconnected" state.
It is strange because the agent's log says: ossec-agentd(4102): INFO: Connected to the server (192.168.7.212:1514)
No error message, and also no error message on the server side.
tcpdump shows correct communication between the agent and the server....
I am getting fed up with this :)

Any thoughts? 

Robert

dan (ddp)

Feb 25, 2016, 2:28:22 PM
to ossec...@googlegroups.com
On Thu, Feb 25, 2016 at 7:06 AM, Robert <sandb...@gmail.com> wrote:
> Hi,
>
> I tried, nothing changed.
> But after a few hours the client started to work...weird.
> And now, three other clients stopped working, they are in "Disconnected"
> state.
> It is strange because the agent's log says: ossec-agentd(4102): INFO:
> Connected to the server (192.168.7.212:1514)
> No error message, and also no error message on the server side.
> tcpdump shows correct communication between the agent and the server....
> I am getting fed up with this :)
>
> Any thoughts?
>

Turn on debugging on the server (`/var/ossec/bin/ossec-control enable
debug && /var/ossec/bin/ossec-control restart`).
Check ossec.log for better logs.

Verify there are no duplicate agent IDs in client.keys.
Verify there are no duplicate IP addresses in client.keys.

> Robert
>
>
> On Wednesday, February 3, 2016 at 20:57:59 UTC+1, Pedro S wrote:
>>
>> Hi,
>>
>> Try to add the agent with the "any" parameter in the IP field (./manage_agents):
>> when the "ip" question prompts, write "any". Just for testing; maybe the agent IP
>> when reaching OSSEC is not the IP you are writing.
>>
>>

Robert

Feb 29, 2016, 6:03:00 AM
to ossec-list
OK, this is insane: while the logs say the client is connected, more and more clients show as "Inactive".
As you suggested, I turned on debug, and could not see any duplicated client.

Robert

Robert

Feb 29, 2016, 10:00:24 AM
to ossec-list
OK, after I got fed up I refreshed the VMware agent and restarted the server => everything smooth atm.
Unfortunately, I have no idea which action solved the problem.

Robert