AlienVault OSSEC and Disconnected Clients … Fixing this the easy way!

For those who run AlienVault, the built-in HIDS is provided by the OSSEC system. This HIDS works pretty well, but occasionally you might run into a problem where the client becomes “Disconnected.” Ordinarily, this is not a problem; it just means the device is not on the network.

However, sometimes, you will find in your OSSEC logs the dreaded “Duplicate counter for” message.  Most of the advice on various forums talks about extracting keys, and re-installing the agents.  Not a great fix, if you have more than a few agents that you control.

Here are some quick tips:

  • On the OSSEC/USM server, stopping the OSSEC system and removing all of the files in /var/ossec/queue/rids is OK if you have Windows clients; they will rebuild the ID all by themselves. However, this is taking a hammer when a rock will do. Just remove the file in that directory named with the affected agent's ID. Do NOT restart the OSSEC server yet!
  • On the client with the OSSEC HIDS installed, remove all of the files in /var/ossec/queue/rids, then perform a /var/ossec/bin/ossec-control restart, BUT make sure the OSSEC server is NOT running!
  • After you have fixed up the clients, start the OSSEC Server

Voilà! If you do a /var/ossec/bin/list_agents -c you will see them connect after a few seconds. You can check the /var/ossec/logs/ossec.log file and the Duplicate error will no longer appear!
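To make the "rock, not hammer" step repeatable on the server side, here is an added example script (mine, not from the original post or from OSSEC itself). It pulls the agent names out of the "Duplicate counter" errors in ossec.log, maps each name to its numeric agent ID via client.keys (whose lines are "ID NAME IP KEY"), and removes only that agent's counter file from the rids directory instead of wiping the whole directory. It assumes the default /var/ossec layout and that the server's rids files are named by agent ID; the log lines and key entries in the test are constructed samples, and the regex also tolerates the spelling "Duplicated counter" in case the installed version words it that way.

```shell
#!/bin/sh
# Added example for selectively resetting OSSEC server-side rids counters.
# Assumption: default OSSEC install under /var/ossec (override with OSSEC_DIR).
OSSEC_DIR="${OSSEC_DIR:-/var/ossec}"

# Print the distinct agent names mentioned in "Duplicate counter for 'NAME'"
# errors found in the given ossec.log ("Duplicated" is matched as well).
duplicate_counter_agents() {
    # $1 = path to ossec.log
    grep -o "Duplicate[d]* counter for '[^']*'" "$1" \
        | sed "s/.*for '\(.*\)'/\1/" \
        | sort -u
}

# Look up the numeric agent ID for an agent name in client.keys.
# client.keys lines look like: 001 agent-name any <key>
agent_id_for_name() {
    # $1 = path to client.keys, $2 = agent name
    awk -v name="$2" '$2 == name { print $1; exit }' "$1"
}

# Print the agent IDs (one per line) for every agent with a duplicate-counter error.
affected_agent_ids() {
    # $1 = path to ossec.log, $2 = path to client.keys
    duplicate_counter_agents "$1" | while read -r name; do
        agent_id_for_name "$2" "$name"
    done
}

# Remove only the rids counter file for one agent ID. Returns 1 if none exists,
# so the caller can tell a no-op from an actual reset.
reset_agent_rids() {
    # $1 = rids directory, $2 = agent ID
    if [ -f "$1/$2" ]; then
        rm -f "$1/$2"
        echo "removed counter file $1/$2"
        return 0
    fi
    echo "no counter file for agent $2 in $1" >&2
    return 1
}

# Whole server-side procedure from the post: stop the server, reset only the
# affected agents' counters, and leave the server stopped so the clients can be
# fixed next. Pass the three paths explicitly; nothing is touched by default.
reset_duplicate_counters() {
    # $1 = ossec.log, $2 = client.keys, $3 = rids directory
    "$OSSEC_DIR/bin/ossec-control" stop
    affected_agent_ids "$1" "$2" | while read -r id; do
        reset_agent_rids "$3" "$id" || true
    done
    echo "server left stopped: fix the clients, then run ossec-control start"
}
```

Run `reset_duplicate_counters "$OSSEC_DIR/logs/ossec.log" "$OSSEC_DIR/etc/client.keys" "$OSSEC_DIR/queue/rids"` as root on the server, then follow the client and restart steps above; `list_agents -c` afterwards confirms which agents reconnected.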

Windows 10 Build 10586… Microsoft and Time Travel!

For those who have upgraded to the latest Windows 10 build, there's a bit of time travelling going on at MS. The “old” Command Prompt shows 2016 as the Copyright date, whereas PowerShell and other elements of the system show Copyright 2015. Looks like someone got ahead of themselves! Happy Almost New Year!

As a bonus, Cortana appears to finally be working for Canadians!  The “Siri”-like experience is upon us.