Today we continue the saga of things I was supposed to write down but didn’t, for reasons unknown. Suppose you migrated your OSSEC management server, or freshly installed what will be the new manager on a new OS. You import the keys, as described in my previous post, but the connection fails for one or both of these reasons:
- ossec-remoted(1403): ERROR: Incorrectly formatted message from '<client_ip>'. – Pick your own adventure-style error message.
- ossec-agentd(1407): ERROR: Duplicated counter for '<server_name>'. – Incorrect serials.
This has happened several times over the course of the last decade, due to client/server version mismatch, drive failures, and what have you. There’s a pretty brute-force way to solve these problems, though:
- stop both server and client;
- on the client, delete everything inside /var/ossec/queue/rids;
- reimport the key on the client (unsure if this step is really needed);
- start the server;
- test that the client is working, via ossec-agentd -d -f;
- if the client is working, start the service.
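The procedure above as a script, added here and not part of the original post. It assumes the standard OSSEC layout (/var/ossec with bin/ossec-control, queue/rids and logs/ossec.log); OSSEC_DIR can be overridden so the helpers can be exercised against a scratch directory. The log check looks for the two error strings quoted above, clear_rids empties queue/rids but keeps the directory, and reset_agent ties them together. The key re-import is left as a comment, since the post is not sure it is needed. One assumption beyond the post: the manager keeps the same queue/rids directory with one counter file per agent, so if the manager side is also stale the same clear_rids call applies there, with the manager stopped.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes the standard
# OSSEC layout; override OSSEC_DIR to run the helpers against a scratch tree.
OSSEC_DIR="${OSSEC_DIR:-/var/ossec}"

# Return 0 if the log shows either of the counter errors from the post,
# 1 otherwise (also 1 if the log file does not exist).
has_counter_errors() {
    log="${1:-$OSSEC_DIR/logs/ossec.log}"
    [ -f "$log" ] || return 1
    grep -Eq "ERROR: (Duplicated counter for|Incorrectly formatted message from)" "$log"
}

# Delete everything inside <dir>/queue/rids, keeping the directory itself.
# Prints the number of entries removed.
clear_rids() {
    dir="${1:-$OSSEC_DIR}/queue/rids"
    [ -d "$dir" ] || { echo "no rids directory at $dir" >&2; return 1; }
    n=$(find "$dir" -mindepth 1 -maxdepth 1 | wc -l | tr -d ' ')
    find "$dir" -mindepth 1 -maxdepth 1 -exec rm -rf {} +
    echo "$n"
}

# Full agent-side procedure. Run as root on the agent, with the manager
# already stopped. Uses ossec-control, which ships with OSSEC.
reset_agent() {
    if ! has_counter_errors; then
        echo "no counter errors in $OSSEC_DIR/logs/ossec.log; nothing to do" >&2
        return 1
    fi
    "$OSSEC_DIR/bin/ossec-control" stop
    removed=$(clear_rids "$OSSEC_DIR") || return 1
    echo "removed $removed entries from $OSSEC_DIR/queue/rids"
    # Optional, per the post: re-import the key here with
    #   "$OSSEC_DIR/bin/manage_agents" -i <key>   (assumed invocation)
    echo "start the manager, then test with: $OSSEC_DIR/bin/ossec-agentd -d -f"
    echo "if that connects cleanly, run: $OSSEC_DIR/bin/ossec-control start"
}
```

reset_agent deliberately stops before the final service start: the post's last two steps are to watch ossec-agentd -d -f in the foreground first and only then start the service, and that check is easier to read interactively than to script.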
That’s it. There’s nothing that a good ol’ rm -rf * can’t solve.