The problematic agents have been running for around 24hrs now and I
still get those two messages in log files. I am however still getting
alerts which means that eventually the server and agent are able to
communicate. I'm hoping to deploy agents to 10 more web servers but
would like to eliminate this issue first. What else could I tweak?
Should I increase the syscheck interval?
Thanks,
Dale
On 4/25/07, Daniel Cid <daniel.cid@xxxxxxxxx> wrote:
>
> Hi,
>
> This means that your network or server is currently busy. Note that when you
> first start the agent it forwards all the integrity checking data (both files
> and registry) to the server. If you started all very close together, you will
> be getting much more than 20,000 events per hour*...
>
> *On average, for Windows, you have 35,000 entries for the syscheck data
> (including files and registry). So it means 35,000 additional events per agent.
>
> # wc -l /var/ossec/queue/syscheck/*win*
> 10061 (win64-1) 192.168.2.0->syscheck
> 24491 (win64-1) 192.168.2.0->syscheck-registry
>
>
> You may also want to check your network (not the server itself), to see if you
> don't have any connectivity issues (I have servers monitoring a much
> larger number of agents and never had these errors).
>
> Btw, does the problem still persist, or is it gone?
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On 4/25/07, List Subscriptions <lists.canuck.eh@xxxxxxxxx> wrote:
> >
> > I'm running OSSEC HIDS v1.1 and trying to deploy to all of my Windows
> > 2003 web servers. The first 4 went just fine but with the 5th and 6th
> > I keep seeing the following errors in ossec.log:
> >
> > 2007/04/25 11:18:34 ossec-agent: Connecting to server (xxx.xxx.xxx.xxx:1514).
> > 2007/04/25 11:18:34 ossec-agent: Starting syscheckd thread.
> > 2007/04/25 11:18:34 ossec-agent: Monitoring registry entry:
> > 'HKEY_LOCAL_MACHINE\Software\Classes'.
> > 2007/04/25 11:18:34 ossec-agent: Monitoring registry entry:
> > 'HKEY_LOCAL_MACHINE\Software\Microsoft'.
> > 2007/04/25 11:18:34 ossec-agent: Monitoring registry entry:
> > 'HKEY_LOCAL_MACHINE\Software\Policies'.
> > 2007/04/25 11:18:34 ossec-agent: Monitoring registry entry:
> > 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control'.
> > 2007/04/25 11:18:34 ossec-agent: Monitoring registry entry:
> > 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services'.
> > 2007/04/25 11:18:34 ossec-agent: Monitoring registry entry:
> > 'HKEY_LOCAL_MACHINE\Security'.
> > 2007/04/25 11:18:34 ossec-agent: Monitoring directory: 'C:\WINDOWS'.
> > 2007/04/25 11:18:35 ossec-agent(4102): Connected to the server.
> > 2007/04/25 11:18:35 ossec-agent(1951): Analyzing event log: 'Application'.
> > 2007/04/25 11:18:44 ossec-agent(1951): Analyzing event log: 'Security'.
> > 2007/04/25 11:19:44 ossec-agent(1951): Analyzing event log: 'System'.
> > 2007/04/25 11:19:53 ossec-agent(1952): Monitoring variable log file:
> > 'C:\WINDOWS\system32\LogFiles\MSFTPSVC1\ex070425.log'.
> > 2007/04/25 11:19:53 ossec-agent(1950): Analyzing file:
> > 'C:\WINDOWS\system32\LogFiles\MSFTPSVC1\ex070425.log'.
> > 2007/04/25 11:19:53 ossec-agent(1952): Monitoring variable log file:
> > 'C:\WINDOWS\system32\LogFiles\W3SVC1\ex070425.log'.
> > 2007/04/25 11:19:53 ossec-agent(1103): Unable to open file
> > 'C:\WINDOWS\system32\LogFiles\W3SVC1\ex070425.log'.
> > 2007/04/25 11:19:53 ossec-agent(1950): Analyzing file:
> > 'C:\WINDOWS\system32\LogFiles\W3SVC1\ex070425.log'.
> > 2007/04/25 11:19:54 ossec-agent: Started (pid: 1012).
> > 2007/04/25 11:20:00 ossec-agent(1218): Unable to send message to server.
> > .
> > .
> > .
> > 2007/04/25 11:26:49 ossec-agent(1218): Unable to send message to server.
> > 2007/04/25 11:26:49 ossec-agent(1218): Unable to send message to server.
> > 2007/04/25 11:26:49 ossec-agent(1218): Unable to send message to server.
> > 2007/04/25 11:27:01 Remote socket busy, waiting 0 s.
> > 2007/04/25 11:27:02 Remote socket busy, waiting 0 s.
> > 2007/04/25 11:27:45 Remote socket busy, waiting 0 s.
> > 2007/04/25 11:28:52 Remote socket busy, waiting 0 s.
> > 2007/04/25 11:29:41 ossec-agent(1218): Unable to send message to server.
> > 2007/04/25 11:29:41 ossec-agent(1218): Unable to send message to server.
> > 2007/04/25 11:29:41 ossec-agent(1218): Unable to send message to server.
> >
> > According to the web stats I'm processing around 20,000 events per
> > hour, which is far less than the performance limit talked about in the
> > OSSEC blog. Any ideas?
> >
>
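As an added example (not part of this thread or of the OSSEC project), here is a small parser for the agent log format quoted above. It buckets the two symptoms under discussion, error 1218 "Unable to send message to server" and "Remote socket busy", by minute, and checks whether they all fall inside a window after the agent's "Started (pid: ...)" line. That answers the question Daniel asks: if the failures stop once the initial syscheck/registry flush is through, the start-up burst is the cause; if they keep appearing a day later, the network path or server load needs attention first. The sample lines are constructed from the quoted log, and the function names are my own.

```python
"""Summarise OSSEC agent send failures per minute from ossec.log lines.

Added example, not code from the thread or the OSSEC project. It parses the
agent log format quoted in the thread and reports whether the send failures
are confined to the start-up window.
"""
import re
from collections import Counter, OrderedDict
from datetime import datetime, timedelta

# Agent log line shape: "YYYY/MM/DD HH:MM:SS <rest>", where <rest> may carry an
# optional "ossec-agent(NNNN): " prefix whose NNNN is the message id.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?:ossec-agent(?:\((?P<msgid>\d+)\))?: )?(?P<msg>.*)$"
)

# Constructed sample, assembled from the log lines quoted in the thread
# (the "..." elision in the original is simply omitted here).
SAMPLE_LOG = """\
2007/04/25 11:18:34 ossec-agent: Connecting to server (xxx.xxx.xxx.xxx:1514).
2007/04/25 11:18:35 ossec-agent(4102): Connected to the server.
2007/04/25 11:19:54 ossec-agent: Started (pid: 1012).
2007/04/25 11:20:00 ossec-agent(1218): Unable to send message to server.
2007/04/25 11:26:49 ossec-agent(1218): Unable to send message to server.
2007/04/25 11:26:49 ossec-agent(1218): Unable to send message to server.
2007/04/25 11:27:01 Remote socket busy, waiting 0 s.
2007/04/25 11:28:52 Remote socket busy, waiting 0 s.
2007/04/25 11:29:41 ossec-agent(1218): Unable to send message to server.
""".splitlines()


def _parse(line):
    """Return (datetime, msgid-or-None, message) or None for non-log lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S")
    return ts, m.group("msgid"), m.group("msg")


def classify(line):
    """Return (datetime, symptom) for a symptom line, or None otherwise."""
    parsed = _parse(line)
    if parsed is None:
        return None
    ts, msgid, msg = parsed
    if msgid == "1218":                       # ossec-agent(1218): Unable to send ...
        return ts, "unable_to_send"
    if msg.startswith("Remote socket busy"):  # no message id on these lines
        return ts, "remote_socket_busy"
    return None


def started_at(lines):
    """Timestamp of the agent's 'Started (pid: ...)' line, or None if absent."""
    for line in lines:
        parsed = _parse(line)
        if parsed and parsed[2].startswith("Started (pid:"):
            return parsed[0]
    return None


def failures_per_minute(lines):
    """Map 'YYYY/MM/DD HH:MM' -> Counter of symptoms in that minute, time-ordered."""
    buckets = {}
    for line in lines:
        hit = classify(line)
        if hit is None:
            continue
        ts, symptom = hit
        buckets.setdefault(ts.strftime("%Y/%m/%d %H:%M"), Counter())[symptom] += 1
    return OrderedDict(sorted(buckets.items()))


def startup_burst_only(lines, start, window_minutes):
    """True if every symptom occurs within window_minutes after start.

    Failures that persist beyond the window are not explained by the initial
    syscheck/registry flush and point at the network path or server load.
    """
    if start is None:
        return False
    limit = start + timedelta(minutes=window_minutes)
    hits = [h for h in (classify(l) for l in lines) if h is not None]
    return all(ts <= limit for ts, _ in hits)


if __name__ == "__main__":
    start = started_at(SAMPLE_LOG)
    for minute, counts in failures_per_minute(SAMPLE_LOG).items():
        print(minute, dict(counts))
    print("confined to first 15 min after start:",
          startup_burst_only(SAMPLE_LOG, start, 15))
```

Run it against a real ossec.log by replacing `SAMPLE_LOG` with the file's lines; a window of a few minutes per agent is a reasonable starting guess for the flush, and the per-minute table shows directly whether the errors cluster right after start-up or recur throughout the day.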