If you encounter this (dreaded) error, there are a few things you can try (it's probably caused by a network timeout or misconfiguration).


You'll probably see an "(Agent) disconnected" message in your web GUI, and if you look into ossec.log on your client (by default in /var/ossec/logs), you'll see a number of occurrences of the error (4101).

The whole message should look like this: "ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried:" (with the server IP following).



On your OSSIM (AlienVault USM) server, try the following procedure(s) to determine whether an agent is connecting (at all):


  1. go to /var/ossec/bin and issue: ./agent_control -lc - this should present you with a list of active agents (alternatively, ./list_agents -c can be used for the same purpose)
  2. should you find that the agent is not connecting, in my experience it must be a networking (routing or similar) error - make sure your network is properly configured (first), i.e. continue troubleshooting in that direction
  3. alternatively, try using DHCP to connect your agent to the server.


If / when you're done with the networking part and the error persists, try this procedure:

  1. on both your OSSEC client and server go to /var/ossec/queue/rids and check whether there are any files - there should be 2: one named <ClientNO> (e.g. 2) and the other one named sender_counter
  2. stop your OSSIM server by issuing service ossec stop
  3. on your client do the same as under 2.) above and remove all files under the /rids directory (by using e.g. rm -rf *)
  4. on your server remove (only) the file named <ClientNO> (e.g. 2)
  5. (re)start your agent by issuing service ossec start
  6. after your agent has started, do the same as under 4.) above on your server


This should be it - you should now (again) have client(s) connecting to your server.
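
Before stopping services or deleting anything, the two checks described above (4101 warnings in ossec.log, and the contents of queue/rids) can be run read-only. The script below is an added example, not part of the original post or of OSSEC itself. The function names and the OSSEC_DIR variable are hypothetical, the sample log lines are constructed, and it assumes the server IP after "Tried:" may be wrapped in single quotes.

```shell
#!/bin/sh
# Read-only checks: nothing here stops services or deletes files.

# Number of 4101 warnings in the given ossec.log.
count_4101() {
    grep -c 'ossec-agentd(4101): WARN: Waiting for server reply' "$1" || true
}

# "IP count" per server address named after "Tried:" in 4101 lines.
servers_tried() {
    sed -n "s/.*ossec-agentd(4101): WARN: .*Tried: *'\{0,1\}\([0-9.]*[0-9]\).*/\1/p" "$1" |
        sort | uniq -c | awk '{print $2, $1}'
}

# State of a queue/rids directory: ok | missing:sender_counter |
# missing:agent-id | missing:both | no-dir
rids_state() {
    [ -d "$1" ] || { echo no-dir; return 0; }
    counter=no; id=no
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        case ${f##*/} in
            sender_counter) counter=yes ;;
            *[!0-9]*) ;;          # other file, not an agent ID
            *) id=yes ;;          # all digits: the <ClientNO> file
        esac
    done
    case $counter$id in
        yesyes) echo ok ;;
        noyes)  echo missing:sender_counter ;;
        yesno)  echo missing:agent-id ;;
        *)      echo missing:both ;;
    esac
}

# Constructed sample data so the script runs offline.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/logs" "$d/queue/rids"
    cat > "$d/logs/ossec.log" <<'EOF'
2024/01/01 10:00:00 ossec-agentd: INFO: Trying to connect to server (192.0.2.10:1514).
2024/01/01 10:00:21 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '192.0.2.10'.
2024/01/01 10:01:05 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '192.0.2.10'.
EOF
    : > "$d/queue/rids/sender_counter"
    echo "$d"
}

base=${OSSEC_DIR:-$(make_sample)}   # set OSSEC_DIR=/var/ossec on a real host
echo "4101 warnings: $(count_4101 "$base/logs/ossec.log")"
servers_tried "$base/logs/ossec.log"
echo "rids: $(rids_state "$base/queue/rids")"
```

Run it on both client and server: a rids state other than ok on one side only is the mismatch the removal procedure above is meant to clear.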