
List:       ossec-list
Subject:    Re: [ossec-list] Irregular Agent Activity in OSSEC agents
From:       eyal gershon <gershon.43 () gmail ! com>
Date:       2016-07-20 22:03:03
Message-ID: fa3a5f78-d7c8-4764-b93e-87a5007f7021 () googlegroups ! com

Hey Eero,

From examining the server - 
Both disk speed and network should not be a problem,
but I did notice a shortage of Available RAM (around 300 MB left).
I'll make the changes tomorrow and add more RAM and update if it was the 
case.

On Wednesday, July 20, 2016 at 10:47:41 PM UTC+3, Eero Volotinen wrote:
> 
> Are you running out of network or disk speed?
> 
> Eero
> 
> On 20.7.2016 at 10.39 PM, "eyal gershon" <gersh...@gmail.com> wrote:
> 
> > Hey Jose,
> > 
> > There was no update or upgrade done.
> > I performed the procedure you mentioned before but the results stayed the 
> > same.
> > 
> > I have around 1600 servers and 400 who do not connect.
> > 
> > Do you have any other idea on why this happens?
> > Or anything else I can test?
> > 
> > 
> > On Wed, Jul 20, 2016 at 6:03 PM, Jose Luis Ruiz <jo...@wazuh.com> wrote:
> > 
> > > Hi Eyal,
> > > 
> > > This is a familiar problem that we have come across in the past as well. The
> > > counter of the rids file can run out of sync, if the manager and the respective
> > > agent have trouble exchanging control messages.
> > > Have you perhaps reinstalled the manager or one of the agents recently?
> > > 
> > > You can fix your problem by following the below steps:
> > > 
> > > 1. On every agent:
> > >    1. Stop ossec
> > >    2. Go to: .../ossec/queue/rids (or ossec-agent/rids on Windows) and remove
> > >       every file in there.
> > > 2. Go to the server:
> > >    1. Stop ossec
> > >    2. Remove the rids file with the same name as the agent id that is reporting
> > >       errors.
> > > 3. Restart the server
> > > 4. Restart the agents.
> > > 
> > > If you have reinstalled one of your machines recently, then we recommend that
> > > you use the update option. Do not remove and reinstall the ossec server, unless
> > > you plan to do the same for all agents.
> > > Just a heads up, please refrain from using the same agent key between multiple
> > > agents, or the same agent key after you removed/re-installed an agent….
> > > 
> > > Reference:
> > > http://ossec-docs.readthedocs.io/en/latest/faq/unexpected.html#fixing-duplicate-errors
> > > 
> > > Regards
> > > -----------------------
> > > Jose Luis Ruiz
> > > Wazuh Inc.
> > > jo...@wazuh.com
> > > 
> > > On July 20, 2016 at 11:54:41 AM, eyal gershon (gersh...@gmail.com) wrote:
> > > 
> > > Hey Everyone, 
> > > 
> > > I am noticing some irregular activity in some of my OSSEC agents - 
> > > 
> > > *A little bit about the system - *
> > > 
> > > My Deployment is on 2000~ servers managed from dedicated ossec manager.
> > > I currently have 1600~ agents connected on a full basis and 400~ servers 
> > > who connect and disconnect all the time.
> > > 
> > > All the ports are opened (confirmation with NC and telnet)
> > > 
> > > On my management server I see the following error in the logs - 
> > > 
> > > 2016/07/20 05:33:49 ossec-remoted(1407): ERROR: Duplicated counter for '**************'.
> > > 2016/07/20 05:33:55 ossec-remoted: WARN: Duplicate error:  global: 
> > > 
> > > 
> > > I checked the /var/ossec/queue/rids and made sure there is only a single 
> > > entry in there and that entry is the same on both host and Management.
> > > I made a double check and also compared client.keys on both servers. Same 
> > > key and same entry on both servers.
> > > 
> > > 
> > > I did a key exchange manually between both servers just to make sure 
> > > nothing was wrong in that section.
> > > Same error.
> > > 
> > > 
> > > Does anyone have an idea on how to continue?
> > > --
> > > 
> > > ---
> > > You received this message because you are subscribed to the Google 
> > > Groups "ossec-list" group.
> > > To unsubscribe from this group and stop receiving emails from it, send 
> > > an email to ossec-list+...@googlegroups.com.
> > > For more options, visit https://groups.google.com/d/optout.
> > > 
> > > 
> > 
> 
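
The manager-side step of the procedure quoted above, as an added example that is not part of the original thread or of OSSEC itself: it reads the `ossec-remoted` errors, maps each failing agent to the rids file named after its agent ID, and flags agent IDs that share one key in `client.keys`. It assumes the quoted value in the error is the agent name and that `client.keys` lines have the form `ID NAME IP KEY`; the sample log and key entries are constructed.

```python
import re
from collections import Counter, defaultdict

RIDS_DIR = "/var/ossec/queue/rids"  # manager-side path quoted in the thread

# The ossec-remoted error quoted in the thread. Assumption: the quoted value
# is the agent name as it appears in client.keys.
DUP_RE = re.compile(
    r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} ossec-remoted(?:\(\d+\))?: "
    r"ERROR: Duplicated counter for '([^']+)'"
)


def duplicated_counter_agents(log_text):
    """Count 'Duplicated counter' errors per agent name."""
    hits = Counter()
    for line in log_text.splitlines():
        match = DUP_RE.match(line.strip())
        if match:
            hits[match.group(1)] += 1
    return hits


def parse_client_keys(keys_text):
    """Parse client.keys lines of the assumed form 'ID NAME IP KEY'."""
    entries = []
    for line in keys_text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0].isdigit():
            entries.append(tuple(parts))
    return entries


def reused_keys(entries):
    """Return groups of agent IDs that share one key (never the key itself)."""
    by_key = defaultdict(list)
    for agent_id, _name, _ip, key in entries:
        by_key[key].append(agent_id)
    return sorted(ids for ids in by_key.values() if len(ids) > 1)


def rids_to_reset(log_text, keys_text):
    """Map failing agent names to manager-side rids files.

    Returns (paths, unmatched). paths lists the rids files named after the
    agent ID; unmatched lists names that are missing from client.keys or
    appear under more than one ID and need a manual look.
    """
    ids_by_name = defaultdict(list)
    for agent_id, name, _ip, _key in parse_client_keys(keys_text):
        ids_by_name[name].append(agent_id)
    paths, unmatched = [], []
    for name in sorted(duplicated_counter_agents(log_text)):
        ids = ids_by_name.get(name, [])
        if len(ids) == 1:
            paths.append(f"{RIDS_DIR}/{ids[0]}")
        else:
            unmatched.append(name)
    return sorted(paths), unmatched


# Constructed sample data: agent names, addresses and keys are placeholders.
SAMPLE_LOG = """\
2016/07/20 05:33:49 ossec-remoted(1407): ERROR: Duplicated counter for 'web-01'.
2016/07/20 05:33:55 ossec-remoted: WARN: Duplicate error:  global:
2016/07/20 05:34:02 ossec-remoted(1407): ERROR: Duplicated counter for 'web-01'.
2016/07/20 05:34:10 ossec-remoted(1407): ERROR: Duplicated counter for 'db-07'.
2016/07/20 05:34:15 ossec-remoted(1407): ERROR: Duplicated counter for 'ghost-99'.
"""
SAMPLE_KEYS = """\
001 web-01 192.0.2.11 CONSTRUCTED-KEY-A
002 db-07 192.0.2.12 CONSTRUCTED-KEY-B
003 db-08 192.0.2.13 CONSTRUCTED-KEY-B
"""

if __name__ == "__main__":
    paths, unmatched = rids_to_reset(SAMPLE_LOG, SAMPLE_KEYS)
    print("rids files to remove while ossec is stopped:", paths)
    print("agents needing a manual look:", unmatched)
    print("agent IDs sharing a key:", reused_keys(parse_client_keys(SAMPLE_KEYS)))
```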
