
All HIDS agents disconnected

DoronSahar

Hi,
I see today that all HIDS agents are disconnected. I tried to uninstall and install but it's still the same thing (the installation is successful).
When I open the agent I can't start it; it gives me an error: "Unable to start agent (check config)".
When trying to restart the agent from ossim I get "[ossec_get_available_agents] Error: Unable to connect to remoted."
Does someone have any idea what went wrong and how to fix this?


Answers

  • Hi there,

    This happened to me as well, validate all OSSEC processes are running fine with "ps" (google can give you a list of them).
    Try to restart the services associated with OSSEC </etc/init.d/ossec restart> ....
    In my case, ossec-remoted was stuck and was not restarting. So... "kill -9 ossec-remoted" and then:
    "/etc/init.d/ossec stop" => "/etc/init.d/ossec start", wait a few minutes and check "/var/ossec/bin/list_agents -
  • Oh, also check the logs: /var/ossec/logs/ossec.log
  • Hello @doronsahar,

    (( from https://www.alienvault.com/forums/discussion/comment/24789/#Comment_24789 )) 

       With the latest OSSEC development, the OSSEC team has pushed out an IPv6 configuration; this configuration was included with our 5.5 release. Our Engineering team is aware of the modification and will have this corrected with the next firmware release. However, in the meantime, you can apply a workaround :: 

    # mv /etc/sysctl.d /etc/sysctl.d_bak

    # /etc/init.d/ossec stop ; /etc/init.d/ossec start ; alienvault-reconfig 


       You can then check the status of #ossec-remoted  ::

    # ps afux | grep ossec-remoted

       or 

    # netstat -tulpen | grep 1514


        If #OSSEC-remoted is still failing to start ((and you have successfully moved the sysctl.d file)), please try a #reboot of your Appliance. 


       Regards,

    - kratos
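
The checks suggested in this thread (port 1514 in `netstat -tulpen`, then `/var/ossec/logs/ossec.log`) combined into one script, as an added example that is not part of any post above. The function names are hypothetical and the sample netstat and log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: is ossec-remoted listening on 1514, and if not, did it log why?

# Reads `netstat -tulpen` output on stdin; succeeds if a socket bound to
# port 1514 (IPv4 or IPv6) is owned by ossec-remoted.
remoted_listening() {
    awk '$4 ~ /:1514$/ && $NF ~ /ossec-remoted/ { found = 1 } END { exit !found }'
}

# Reads ossec.log text on stdin; prints ERROR/CRITICAL lines from ossec-remoted.
remoted_errors() {
    grep -E 'ossec-remoted(\([0-9]+\))?: (ERROR|CRITICAL)'
}

# $1 = netstat output, $2 = log text. Prints a one-line verdict.
diagnose() {
    if printf '%s\n' "$1" | remoted_listening; then
        echo "listening"
    elif printf '%s\n' "$2" | remoted_errors >/dev/null; then
        echo "not-listening: ossec-remoted errors found in ossec.log"
    else
        echo "not-listening: no ossec-remoted errors logged"
    fi
}

# Constructed sample inputs (not captured from a real appliance).
sample_netstat_up() {
    echo 'tcp  0  0 0.0.0.0:22    0.0.0.0:*  LISTEN  0  15002  900/sshd'
    echo 'udp  0  0 0.0.0.0:1514  0.0.0.0:*          0  18233  2211/ossec-remoted'
}
sample_netstat_down() {
    echo 'tcp  0  0 0.0.0.0:22    0.0.0.0:*  LISTEN  0  15002  900/sshd'
}
sample_log() {
cat <<'EOF'
2017/11/02 10:15:00 ossec-remoted: INFO: Started (pid: 2211).
2017/11/02 10:15:01 ossec-remoted(1206): ERROR: Unable to Bind port '1514'
2017/11/02 10:15:02 ossec-analysisd: INFO: Reading rules file: 'local_rules.xml'
EOF
}

# On the appliance itself, run with --live to check the real state.
if [ "${1:-}" = "--live" ]; then
    diagnose "$(netstat -tulpen 2>/dev/null)" \
             "$(tail -n 200 /var/ossec/logs/ossec.log 2>/dev/null)"
fi
```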