How to fix Duplicate Counter Error in OSSEC

You may come across a “Duplicated counter” / “Duplicate error” message in OSSEC. This can happen when you re-add an agent that was previously added to the server (say, when you had to rebuild the OSSEC server).

The agent is basically saying “hey I’ve got some data here which doesn’t line up with what I should be getting from the server”.

This problem can be resolved easily – let me show you how.

The Problem

You can check your OSSEC log with

tail -50 /var/ossec/logs/ossec.log

It’s always good practice to check what OSSEC is saying – both on the server and the agent side. Here’s what the error message looks like:

2012/08/28 19:07:07 ossec-agentd: WARN: Duplicate error:  global: 0, local: 489, saved global: 2, saved local:8477
2012/08/28 19:07:07 ossec-agentd(1407): ERROR: Duplicated counter for 'YOUR SERVER NAME'.
2012/08/28 19:07:07 ossec-agentd(1214): WARN: Problem receiving message from 123.123.123.123.
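
To confirm from the log that this counter mismatch is what you are seeing, the following added example (not part of the original post and not OSSEC code) parses the "Duplicate error" lines shown above. It assumes the first global/local pair is the counter carried by the received message and the "saved" pair is the counter state already stored on the receiving side; the function and field names are hypothetical.

```python
import re
from collections import namedtuple

# Constructed sample: the three lines quoted in this post plus one unrelated line.
SAMPLE_LOG = """\
2012/08/28 19:07:00 ossec-agentd: INFO: (constructed) unrelated line
2012/08/28 19:07:07 ossec-agentd: WARN: Duplicate error:  global: 0, local: 489, saved global: 2, saved local:8477
2012/08/28 19:07:07 ossec-agentd(1407): ERROR: Duplicated counter for 'YOUR SERVER NAME'.
2012/08/28 19:07:07 ossec-agentd(1214): WARN: Problem receiving message from 123.123.123.123.
"""

DUP_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (?P<proc>[\w-]+).*?"
    r"Duplicate error:\s+global:\s*(?P<g>\d+), local:\s*(?P<l>\d+), "
    r"saved global:\s*(?P<sg>\d+), saved local:\s*(?P<sl>\d+)"
)
PEER_RE = re.compile(r"ERROR: Duplicated counter for '(?P<peer>[^']*)'")

# Hypothetical record type: one entry per "Duplicate error" line.
Event = namedtuple("Event", "ts proc received saved peer stale")

def find_duplicate_counters(log_text):
    """Return one Event per duplicate-counter warning found in log_text."""
    events = []
    for line in log_text.splitlines():
        m = DUP_RE.search(line)
        if m:
            received = (int(m["g"]), int(m["l"]))
            saved = (int(m["sg"]), int(m["sl"]))
            # Assumption: counters are ordered by global first, then local,
            # which is exactly how Python compares tuples.
            events.append(Event(m["ts"], m["proc"], received, saved, None, received <= saved))
            continue
        p = PEER_RE.search(line)
        if p and events and events[-1].peer is None:
            # The ERROR line that follows names the peer the counter belongs to.
            events[-1] = events[-1]._replace(peer=p["peer"])
    return events

if __name__ == "__main__":
    for e in find_duplicate_counters(SAMPLE_LOG):
        state = "not ahead of the saved counter" if e.stale else "ahead of the saved counter"
        print(f"{e.ts} {e.proc}: peer={e.peer!r} received={e.received} "
              f"saved={e.saved} -> received counter is {state}")
```

To run it against a real log, pass the contents of /var/ossec/logs/ossec.log to find_duplicate_counters() instead of SAMPLE_LOG.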

Let’s go and fix this.

The Solution

You can do one of two things here. The easy solution is to just remove the current agent from the server, then add it again. This will give your agent a new ID and a new key. Import this into the agent and restart both server and agent. Here’s the process step by step:

On the server:

  • execute /var/ossec/bin/manage_agents
  • select “Remove an agent” (R)
  • select your agent (for example 006)
  • back in the main menu, select “Add an agent” (A)
  • give OSSEC the name and IP
  • back on the main menu, select “Extract key for an agent”
  • copy the key you’re given
  • quit and restart OSSEC

On the agent:

  • execute /var/ossec/bin/manage_agents
  • select “Import key from server” (I)
  • paste the key
  • quit and restart OSSEC

Check your log again and *hopefully* your error message should disappear.

The Other Solution

On your agent, check out the following directory:

/var/ossec/queue/rids

Here you’ll find a sub-directory for each ID this agent has ever been assigned (something like “006”). You’ll also find a file called sender_counter. Duplicate counter errors can occur when this agent used to have ID 006 and a re-built server assigns it ID 006 again. The first solution above sidesteps this by simply assigning our agent a new ID.

You can however just clear out this directory and then re-import the original key which seemingly caused the problem. This is slightly more cumbersome, but here are the steps:

On the server:

  • execute /var/ossec/bin/manage_agents
  • select “Extract key for an agent”
  • copy the key you’re given
  • quit OSSEC

On the agent:

  • head over to /var/ossec/queue/rids
  • execute rm -rf * (careful with this: make sure you really are in /var/ossec/queue/rids first)
  • execute /var/ossec/bin/manage_agents
  • select “Import key from server” (I)
  • paste the key from the server
  • quit and restart OSSEC

Check the log and see your success. Good luck!




3 thoughts on “How to fix Duplicate Counter Error in OSSEC”

  1. A quicker and dirtier solution to this is to simply empty the rids file on the server that corresponds to the client you have rebuilt. So for example if the client ID is 061 then:

    cp /dev/null /var/ossec/queue/rids/061

    Restart the OSSEC server and it will rebuild the file with the correct counters.
