If you encounter this (dreaded) error, there are a few things to try (it's probably caused by a network timeout or misconfiguration).
You'll probably see an "(Agent) disconnected" message in your web GUI - and if you look into the ossec.log on your client (by default in /var/ossec/logs), you'll see a number of these errors (4101).
The whole message should look like this: "ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried:" (with the server IP following).
On your OSSIM (AlienVault USM) server, try the following procedure(s) to determine whether an agent is connecting (at all):
- go to /var/ossec/bin and issue: ./agent_control -lc - this one should present you with a list of active agents (alternatively ./list_agents -c can be used for the same purpose)
- should you find that the agent is not connecting, according to my experience it must be a networking (routing or similar) error - make sure your network is properly configured (first), i.e. continue troubleshooting in that direction
- alternatively, try using DHCP to connect your agent to the server.
If / when you're done with the networking part and the error persists, try this procedure:
1.) on both your OSSEC client and server go to /var/ossec/queue/rids and check if there're any files - there should be 2: one named <ClientNO> (e.g. 2) and the other one named sender_counter
2.) stop your OSSIM server by issuing service ossec stop
3.) on your client do the same as under 2.) above and remove all files under the /rids directory (by using e.g. rm -rf *)
4.) on your server remove (only) the file named <ClientNO> (e.g. 2)
5.) (re)start your agent by issuing service ossec start
6.) after your agent has started, do the same as under 4.) above on your server
This should be it - you should now (again) have client(s) connecting to your server.
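
The checks from this procedure as a read-only shell script, added here as an example and not part of the original post: it counts the 4101 warnings in ossec.log, lists the server addresses that follow "Tried:", and compares queue/rids with the two files expected above. The function names, the quoted-address log format and the sample data are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: read-only checks for the steps above. Nothing under
# /var/ossec is touched; the sample data below is constructed.

# Count 4101 warnings in an agent's ossec.log.
count_4101() {
    grep -c 'ossec-agentd(4101): WARN: Waiting for server reply' "$1" || true
}

# List each distinct server address that follows "Tried:".
tried_servers() {
    grep 'ossec-agentd(4101)' "$1" | sed -n 's/.*Tried: *//p' |
        tr -d "'" | sed 's/\.$//' | sort -u
}

# Compare a queue/rids directory with what the post expects: a file named
# after the client number plus sender_counter. Prints "ok" or deviations.
check_rids() {
    dir=$1 id=$2 rc=0
    for want in "$id" sender_counter; do
        [ -f "$dir/$want" ] || { echo "missing: $want"; rc=1; }
    done
    for f in "$dir"/*; do
        [ -e "$f" ] || continue
        case ${f##*/} in
            "$id"|sender_counter) ;;
            *) echo "unexpected: ${f##*/}"; rc=1 ;;
        esac
    done
    [ "$rc" -ne 0 ] || echo "ok"
    return "$rc"
}

# Constructed sample data (not from a real host), so the script runs offline.
demo=$(mktemp -d)
mkdir -p "$demo/rids"
cat > "$demo/ossec.log" <<'EOF'
2024/01/01 10:00:01 ossec-agentd: INFO: Trying to connect to server (192.0.2.10:1514).
2024/01/01 10:00:22 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '192.0.2.10'.
2024/01/01 10:00:43 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '192.0.2.10'.
EOF
: > "$demo/rids/2"; : > "$demo/rids/sender_counter"

echo "4101 warnings: $(count_4101 "$demo/ossec.log")"
echo "servers tried: $(tried_servers "$demo/ossec.log")"
echo "rids check:    $(check_rids "$demo/rids" 2)"
rm -rf "$demo"
```

On a real host, point the functions at /var/ossec/logs/ossec.log and /var/ossec/queue/rids with the client number from your own setup.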