• Support
  • Forums
  • Blogs

remoted(1213): WARN: Message from 1.2.3.4 not allowed.

KotreshaKotresha

New Life Form
+3
HI There:)

Im new to Alienvault, we have installed HIDS agent successfully long back and they worked fine until a week back, now we are observing that HIDS status is showing not deployed for few systems only, can anybody suggest what caused this issue and how we can resolve it?
we found the HIDS logs that remoted(1213): WARN: Message from 1.2.3.4  not allowed.

For another assets we are receiving below error

RROR: Duplicated counter
for 'ASSET name'.


2017/01/16 05:45:35 remoted: WARN: Duplicate
error: global: 9, local: 2642, saved global: 18, saved local:1204


Thanks in advance...


Tagged:

Share post:

Best Answer

  • You can go into the asset and remove the HIDS agent, and then redeploy it, I believe to resolve this.  To delete go under Environment > Detection > HIDS > Agents; find the system you are getting the error with and hit the trash can icon on the right of it.

Answers

  • Kotresha,

    This means that there are either two assets with the same counter installed, or that you have created this agent a second time, and the wrong agent key from the one used by the agent is being selected by the server.
  • @kcoe Could you please let me know how we can resolve the issue?

    for this we found the HIDS logs that remoted(1213): WARN: Message from 1.2.3.4  not allowed.

    and for this seperatly

    ERROR: Duplicated counter
    for 'ASSET name'.
  • edited July 2017
    Experiencing this issue right now and have not yet figured it out. I did try recreating the agent and key but the agents remain in "disconnected" status.

    Another thing I tried was checking for firewall NATting since the error messages in the HIDS log in admin console showed:

    2017/07/14 16:33:42 remoted(1213): WARN: Message from [FIREWALL-IP] not allowed.
    2017/07/14 16:33:48 remoted(1213): WARN: Message from [FIREWALL-IP] not allowed.
    2017/07/14 16:33:52 remoted(1213): WARN: Message from [FIREWALL-IP] not allowed.

    Same Firewall IP address that i was getting from other sources that were not being parsed properly due to Firewall removing the original source IP from it. I have now fixed this NATTING problem, but these error messages continue to show and 2 of my Agents do not connect. (this firewall is between our data centers, and our USMs erver is in a different site than the HIDS agent sending logs)
Sign In or Register to comment.