
USM HIDS agent not working properly, how can I rectify it?

rameshkumar
Currently, I am working in the USM. I deployed the agents on the client system (Linux), but in the USM console the agents are shown as not connected. Then I looked for the USM OSSEC configuration file in the console, but I can't find the OSSEC configuration file. I tried every possible way to rectify this, but it still did not work. What should I do?


Answers

  • Even Windows agents have also shown the same "Not Connected".
  • rameshkumar,

    The first suggestion is to open a support case so that we can assist. If you open a remote support connection, we can connect to confirm that the OSSEC service is running and we are seeing traffic from the agents in question.

    To continue troubleshooting, please check the following items:

    - There should not be two interfaces configured with an address in the same subnet. This recommendation is universal, not just to OSSIM, but to ANY system not specifically configured for UDP state translation (if you haven't spent weeks banging your head against the wall to get this to work, then feel safe to assume it is not enabled).

    This can cause UDP return path errors as the response to traffic on a non-routing interface will come from the default gateway, even for local subnet traffic. As an added trick, route or metric poisoning or other metric issues can cause the system to suddenly switch which interface is the default response interface without warning.

    - Check the ossec service on the Server/Remote Sensor to make sure it is running:

    You can run "ps -A | grep ossec", and should expect to see the following output --
    32553 ?        00:00:00 ossec-agentless
    32563 ?        00:00:05 ossec-analysisd
    32567 ?        00:00:01 ossec-logcollec
    32578 ?        00:00:41 ossec-syscheckd
    32582 ?        00:00:00 ossec-monitord
    32586 ?        00:00:00 ossec-remoted
    Please note that agentless only runs if you have configured agentless checks. The most common server issue is remoted not starting, or showing as 1 day or more older than all other processes (indicating it didn't hup). This will be a service issue, most likely related to the config files.

    - Check the CLI to make sure it isn't just the UI not updating quickly enough.

    The command "/var/ossec/bin/agent_control -l" should return a live result.

    OSSEC HIDS agent_control. List of available agents:
       ID: 000, Name: usm1 (server), IP: 127.0.0.1, Active/Local
       ID: 001, Name: win2k8, IP: 10.1.3.54, Never connected


    - Time to hit the docs and troubleshoot the agents!
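The two CLI checks in the answer above (the ossec process list and the agent_control listing), turned into a small script. This is an added example, not code from the original post or from the USM product; the ps and agent_control output it parses is constructed here so it runs offline, and on a real sensor you would pipe in the live output of the two commands instead.

```shell
#!/bin/sh
# Server-side OSSEC daemons that must be present in "ps -A | grep ossec".
# ossec-agentless is deliberately left out: it only runs when agentless checks are configured.
REQUIRED_DAEMONS="ossec-analysisd ossec-logcollec ossec-syscheckd ossec-monitord ossec-remoted"

# Read a ps listing on stdin and print the required daemons that are not in it.
# An empty result means every required daemon is running.
missing_ossec_daemons() {
    ps_out=$(cat)
    missing=""
    for d in $REQUIRED_DAEMONS; do
        # Match the process name at the end of a ps line, e.g. "... 00:00:00 ossec-remoted".
        printf '%s\n' "$ps_out" | grep -q " $d\$" || missing="$missing $d"
    done
    printf '%s\n' "${missing# }"
}

# Read "/var/ossec/bin/agent_control -l" output on stdin and print "ID Name IP" for
# every agent whose status is not Active (e.g. "Never connected" or "Disconnected").
inactive_agents() {
    # Lines look like:  ID: 001, Name: win2k8, IP: 10.1.3.54, Never connected
    # Fields are joined with "|" because agent names may contain spaces, e.g. "usm1 (server)".
    sed -n 's/^ *ID: \([0-9]*\), Name: \([^,]*\), IP: \([^,]*\), \(.*\)$/\1|\2|\3|\4/p' |
        awk -F'|' '$4 != "Active/Local" && $4 != "Active" { print $1, $2, $3 }'
}

# Constructed sample input: a server where ossec-remoted has failed to start,
# which is the failure mode the answer calls the most common one.
SAMPLE_PS='32563 ?        00:00:05 ossec-analysisd
32567 ?        00:00:01 ossec-logcollec
32578 ?        00:00:41 ossec-syscheckd
32582 ?        00:00:00 ossec-monitord'

# Constructed sample input: agent_control listing with one agent that never connected.
SAMPLE_AGENTS='OSSEC HIDS agent_control. List of available agents:
   ID: 000, Name: usm1 (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: win2k8, IP: 10.1.3.54, Never connected'

printf 'Missing OSSEC daemons: %s\n' "$(printf '%s\n' "$SAMPLE_PS" | missing_ossec_daemons)"
printf 'Agents not active (ID Name IP):\n'
printf '%s\n' "$SAMPLE_AGENTS" | inactive_agents
```

If the first check reports ossec-remoted missing, fix the server-side service and config before spending time on the agents, since no agent can show as connected until remoted is listening.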

  • But I am not able to find the OSSEC config file in the USM console.