Remove and re-register an Agent in OSSEC server


vtrack

Aug 16, 2013, 11:57:50 AM
to ossec...@googlegroups.com
Hi,

One of the OSSEC agent systems registered to the server is shown as "Never connected" when I run syscheck info from the OSSEC server. I tried re-installing the OSSEC agent by removing the agent from the OSSEC server and deleting the /var/ossec directory from the agent system. I then installed a fresh copy, added the agent and registered it with the server. However, the status is still shown as "Never connected". I think there is some DB in the OSSEC server that needs to be cleaned up. What is the procedure to get agent configs removed completely from the server?

ossec-server]# /var/ossec/bin/agent_control -i 005

OSSEC HIDS agent_control. Agent information:
   Agent ID:   007
   Agent Name: agent100
   IP address: 192.168.0.10
   Status:     Never connected

   Operating system:    Unknown
   Client version:      Unknown
   Last keep alive:     Unknown

Thanks!

Hieu Vu

Aug 18, 2013, 9:14:22 PM
to ossec...@googlegroups.com
Hi,
To remove the agent, run /var/ossec/bin/manage_agents on the OSSEC server, then press R to remove an agent and select the Agent ID to remove.
To ensure that the agent was removed, run /var/ossec/bin/agent_control -l (list all agents).
Good luck!

vtrack

Aug 19, 2013, 1:17:06 AM
to ossec...@googlegroups.com
I have tried removing the agent as you mentioned (manage-agents and press R); however, after I add the agent again, agent-control -l does not list this agent. When I run agent-control -i <ID>, the status shows as Never Connected. Which log file can I check to root cause this?

I had this agent added successfully the first time, but later had to remove it and add it again with a different name and ID.

Even a fresh re-install of OSSEC agent on the client did not help. I am assuming some data needs to be cleaned up in the OSSEC server. Do you know what could be there causing this failure?

David Blanton

Aug 19, 2013, 10:19:17 AM
to ossec...@googlegroups.com
Go to the client.keys file and delete the information on the agent. If you use manage_agents to delete it, it doesn't actually get deleted; there is just a # to comment out the information.

dan (ddp)

Aug 19, 2013, 10:23:48 AM
to ossec...@googlegroups.com
On Mon, Aug 19, 2013 at 1:17 AM, vtrack <tijo.t...@gmail.com> wrote:
> I have tried removing agent as you mentioned (manage-agents and Press R),
> however after I add the agent again, agent-control -l does not list this
> agent. When I run agent-control -i <ID>, the status shows as Never
> Connected. Which log file can I check to root cause this?
>

Start with the ossec.log on the server.
Also use tcpdump or snoop to make sure the packets are making it to
the server from the agent (using the IP configured in manage_agents),
and that responses are sent.
Make sure there are no duplicated IPs in client.keys on the server.

> I had this agent added successfully first time. But later have to remove and
> add it again with a different name and ID.
>
> Even a fresh re-install of OSSEC agent on the client did not help. I am
> assuming some data needs to be cleaned up in the OSSEC server. Do you know
> what could be there causing this failure?
>
>
> On Monday, August 19, 2013 6:44:22 AM UTC+5:30, Hieu Vu wrote:
>>
>> Hi,
>> To remove agent run this: /var/ossec/bin/manage_agents on Ossec server -->
>> Press R to remove agent. After select Agent ID to remove.
>> Ensure that agent was removed run this: /var/ossec/bin/agent_control -l
>> (List all agents)
>> Good luck!
>
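The two client.keys checks suggested in the replies above (entries left behind by a removal, and duplicated IPs), as an added example that is not part of the original thread. It assumes whitespace-separated "ID NAME IP KEY" lines and that a removed entry carries a # at the start of its ID or name field; the function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an OSSEC client.keys file for leftover removed entries
# and for IPs shared by more than one active agent.
# Assumed line format: "ID NAME IP KEY", whitespace separated.
# Assumed removal marker: a '#' at the start of the ID or NAME field.
# The key field is never printed.

audit_client_keys() {
    # $1: path to client.keys (default install: /var/ossec/etc/client.keys)
    awk '
        NF < 4 { next }                       # skip blank or truncated lines
        $1 ~ /^#/ || $2 ~ /^#/ {              # entry left behind by a removal
            printf "REMOVED line=%d id=%s name=%s\n", NR, $1, $2
            next
        }
        $3 == "any" { next }                  # "any" is not a fixed address
        ($3 in seen) {                        # same IP on a second active entry
            printf "DUPLICATE_IP ip=%s ids=%s,%s\n", $3, seen[$3], $1
            next
        }
        { seen[$3] = $1 }
    ' "$1"
}

# Constructed sample data (not taken from any real server).
write_sample_keys() {
    cat > "$1" <<'EOF'
001 web01 192.168.0.21 CONSTRUCTEDKEY0001
005 #agent100 192.168.0.10 CONSTRUCTEDKEY0005
006 db01 192.168.0.22 CONSTRUCTEDKEY0006
007 agent100 192.168.0.10 CONSTRUCTEDKEY0007
008 agent101 192.168.0.10 CONSTRUCTEDKEY0008
009 laptop1 any CONSTRUCTEDKEY0009
010 laptop2 any CONSTRUCTEDKEY0010
EOF
}

# With a path argument, audit that file; otherwise audit the constructed sample.
if [ "$#" -gt 0 ]; then
    audit_client_keys "$1"
else
    tmp=$(mktemp) && write_sample_keys "$tmp" && audit_client_keys "$tmp"
    rm -f "$tmp"
fi
```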