In AlienVault USM Appliance, upgrading or moving HIDS agent configuration files and client keys from one USM Appliance to another while the agents are active can produce errors similar to the following:
2007/10/24 11:19:21 ossec-agentd(<pid>): Duplicated counter for '<host name>'.
2007/10/24 11:19:21 ossec-agentd(<pid>): Problem receiving message from www.xxx.yyy.zzz.
This normally happens when you restore the HIDS files from a backup or reinstall the server or agents. It can also be caused by duplicate agent IDs.
If this happens, the RIDS directory on both the HIDS agent and USM Appliance needs to be deleted so that the counters match between server and client.
To fix this issue:
1. On every agent:
   - Stop the HIDS service (using manage-agent on Windows systems or /etc/init.d/ossec stop on Linux systems).
   - Delete the files contained in one of the following paths:
     /var/ossec/queue/rids (on Linux-based systems)
     C:\Program Files\ossec-agent\rids or C:\Program Files (x86)\ossec-agent\rids (on Microsoft systems)
   - Leave the service stopped for the moment.
2. On USM Appliance:
   - Stop the Monit service (/etc/init.d/monit stop).
   - Stop HIDS (/etc/init.d/ossec stop).
   - In the directory /var/ossec/queue/rids, remove the RIDS file with the same name as the agent ID that is reporting errors.
   - Start the HIDS service (/etc/init.d/ossec start).
   - Start the Monit service (/etc/init.d/monit start).
3. On the agents again:
   - Start the service that was left stopped in step 1 (using manage-agent on Windows systems or /etc/init.d/ossec start on Linux systems).
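The USM Appliance part of the procedure above, as a shell script (an added example, not AlienVault's own tooling). The function names are hypothetical, and it assumes the standard OSSEC client.keys layout of "ID NAME IP KEY" per line, which the page does not state; the log file and keys file are passed in as arguments.

```shell
#!/bin/sh
# Added example: server-side RIDS reset for agents reporting "Duplicated counter".
# Assumption (not from the page): client.keys lines look like "ID NAME IP KEY".
OSSEC_DIR="${OSSEC_DIR:-/var/ossec}"
RIDS_DIR="${RIDS_DIR:-$OSSEC_DIR/queue/rids}"

# Print the unique host names found in "Duplicated counter for '<name>'" lines
# of the log file given as $1.
duplicated_hosts() {
    sed -n "s/.*Duplicated counter for '\([^']*\)'.*/\1/p" "$1" | sort -u
}

# Print the agent ID for host name $1, looked up in the client.keys-style file $2.
agent_id_for() {
    awk -v n="$1" '$2 == n { print $1; exit }' "$2"
}

# Remove the counter file for one agent ID. Anything that is not purely numeric
# is refused, so a bad argument can never resolve to a path outside RIDS_DIR.
remove_rids() {
    case "$1" in
        ''|*[!0-9]*) echo "refusing non-numeric agent id: $1" >&2; return 2 ;;
    esac
    [ -f "$RIDS_DIR/$1" ] || { echo "no RIDS file for agent $1" >&2; return 1; }
    rm -f -- "$RIDS_DIR/$1"
}

# Server-side sequence from the steps above: stop Monit first so it does not
# restart HIDS, remove the counter files, then bring both services back up.
# Services are restarted even if a removal fails; the failure is returned.
reset_server_rids() {
    /etc/init.d/monit stop
    /etc/init.d/ossec stop
    rc=0
    for id in "$@"; do remove_rids "$id" || rc=$?; done
    /etc/init.d/ossec start
    /etc/init.d/monit start
    return $rc
}

# Run the reset only when agent IDs are given on the command line.
if [ "$#" -gt 0 ]; then reset_server_rids "$@"; fi
```

Run it with the affected agent IDs as arguments only after the agents have been stopped and their own rids files deleted, then restart the agents as in the last step.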
To avoid this problem happening again:
Do not re-use the same agent key between multiple agents or the same agent key after you remove/reinstall an agent.