AlienVault OSSEC and Disconnected Clients … Fixing this the easy way!

For those who run AlienVault, the built-in HIDS is provided by the OSSEC system.  This HIDS works pretty well, but occasionally you might run into a problem where the client becomes “Disconnected.”  Ordinarily, this is not a problem; it just means the device is not on the network.

However, sometimes you will find the dreaded “Duplicate counter for” message in your OSSEC logs.  Most of the advice on various forums talks about extracting keys and re-installing the agents.  Not a great fix if you have more than a few agents to manage.

Here are some quick tips:

  • On the OSSEC/USM server, stopping the OSSEC system and removing all of the files in /var/ossec/queue/rids is OK if you have Windows clients; they will rebuild the ID all by themselves.  However, this is taking a hammer when a rock will do.  Just remove the file for the affected agent’s ID.  Do NOT restart the OSSEC server yet!
  • On the client with the OSSEC HIDS installed, remove all of the files in /var/ossec/queue/rids, then run /var/ossec/bin/ossec-control restart, BUT make sure the OSSEC server is NOT running!
  • After you have fixed up the clients, start the OSSEC server.
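The server-side step above, done the careful way, as an added example (not from the original post or the OSSEC project): a POSIX shell function that removes only the counter file for one agent, refuses to run if the server still appears to be up, and refuses IDs that are not registered in client.keys. It assumes the stock layout (`/var/ossec/etc/client.keys` with one `ID NAME IP KEY` line per agent, `/var/ossec/queue/rids/<ID>` for the counter, and `ossec-remoted-<pid>.pid` under `/var/ossec/var/run` while the server runs); the second argument lets you point it at another install root.

```shell
# Reset the OSSEC message counter (rids) for ONE agent on the server,
# instead of wiping the whole queue/rids directory.
# Usage: ossec_reset_rid AGENT_ID [OSSEC_DIR]
# Assumed layout (stock install): $OSSEC_DIR/etc/client.keys lists each
# agent as "ID NAME IP KEY", $OSSEC_DIR/queue/rids/ID holds its counter,
# and a running server keeps $OSSEC_DIR/var/run/ossec-remoted-*.pid.
ossec_reset_rid() {
    agent_id=$1
    ossec_dir=${2:-/var/ossec}
    rids_file="$ossec_dir/queue/rids/$agent_id"

    # Accept only a numeric ID so the argument can never become a path
    # such as "." or "../something".
    case $agent_id in
        ''|*[!0-9]*)
            echo "ossec_reset_rid: agent ID must be numeric, got '$agent_id'" >&2
            return 2 ;;
    esac

    # The server must be stopped first: a live ossec-remoted would just
    # write the stale counter straight back.
    for pid_file in "$ossec_dir"/var/run/ossec-remoted-*.pid; do
        if [ -e "$pid_file" ]; then
            echo "ossec_reset_rid: server appears to be running ($pid_file); stop it first" >&2
            return 3
        fi
    done

    # The ID must belong to a registered agent; a typo must not delete
    # some other agent's counter.
    if ! grep -q "^$agent_id " "$ossec_dir/etc/client.keys" 2>/dev/null; then
        echo "ossec_reset_rid: agent $agent_id not found in client.keys" >&2
        return 4
    fi

    if [ -e "$rids_file" ]; then
        rm -f "$rids_file"
        echo "removed $rids_file; agent $agent_id re-syncs its counter on next connect"
    else
        echo "no counter on file for agent $agent_id; nothing to do"
    fi
    return 0
}
```

Run it once per agent that logged the “Duplicate counter” error, then carry on with the client step and start the server last.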

Voilà!  If you run /var/ossec/bin/list_agents -c you will see them connect after a few seconds.  Check the /var/ossec/logs/ossec.log file and the Duplicate error will no longer appear!