[ossec-list] Re: Error: unable to send message to server
- To: ossec-list@xxxxxxxxxxxxxxxx
- Subject: [ossec-list] Re: Error: unable to send message to server
- From: Rob <jnrelliott@xxxxxxxxx>
- Date: Wed, 2 May 2007 09:03:32 -0500
- Cc: "List Subscriptions" <lists.canuck.eh@xxxxxxxxx>
Wow, great work Daniel. Truly awesome work. I do have a question: I've already installed 1.1 and am looking to upgrade. I couldn't find an upgrade doc anywhere. Do I just run the installer again for the server and agents?
On 5/1/07, Daniel Cid <daniel.cid@xxxxxxxxx> wrote:
Hi,
Can you try upgrading to the following packages:
http://www.ossec.net/files/snapshots/ossec-hids-070501.tar.gz
http://www.ossec.net/files/snapshots/ossec-win32-070430.exe
Even though they are not "official" releases, they are very stable and with
numerous improvements to the internal works of ossec. You can see
from here the amount that it improved from version 1.1:
http://www.ossec.net/dcid/?p=69
*btw, I tried to reply to you on the irc channel, but you left before
seeing my replies...
**Upgrade first the server, followed by the agents.
Let us know if it fixes the problem...
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On 5/1/07, List Subscriptions <lists.canuck.eh@xxxxxxxxx> wrote:
>
> Daniel,
>
> After several days this issue still exists. I have been monitoring
> the interface statistics and I'm not even close to saturating the
> link. Any ideas?
>
> On 4/27/07, List Subscriptions <lists.canuck.eh@xxxxxxxxx> wrote:
> > The problematic agents have been running for around 24hrs now and I
> > still get those two messages in log files. I am however still getting
> > alerts which means that eventually the server and agent are able to
> > communicate. I'm hoping to deploy agents to 10 more web servers but
> > would like to eliminate this issue first. What else could I tweak?
> > Should I increase the syscheck interval?
> >
> > Thanks,
> > Dale
> >
> > On 4/25/07, Daniel Cid <daniel.cid@xxxxxxxxx> wrote:
> > >
> > > Hi,
> > >
> > > This means that your network or server is currently busy. Note that when you
> > > first start the agent it forwards all the integrity checking data (both files
> > > and registry) to the server. If you started all very close together, you will
> > > be getting much more than 20,000 events per hour*...
> > >
> > > *On average, for Windows, you have 35,000 entries for the syscheck data
> > > (including files and registry). So it means 35,000 additional events per agent.
> > >
> > > # wc -l /var/ossec/queue/syscheck/*win*
> > > 10061 (win64-1) 192.168.2.0->syscheck
> > > 24491 (win64-1) 192.168.2.0->syscheck-registry
> > >
> > >
> > > You may also want to check your network (not the server itself), to see if you
> > > don't have any connectivity issues (I have servers monitoring a much
> > > larger number of agents and never had these errors).
> > >
> > > Btw, does the problem still persist or is it gone?
> > >
> > > Thanks,
> > >
> > > --
> > > Daniel B. Cid
> > > dcid ( at ) ossec.net
> > >
> > > On 4/25/07, List Subscriptions <lists.canuck.eh@xxxxxxxxx> wrote:
> > > >
> > > > I'm running OSSEC HIDS v1.1 and trying to deploy to all of my Windows
> > > > 2003 web servers. The first 4 went just fine but with the 5th and 6th
> > > > I keep seeing the following errors in ossec.log:
> > > >
> > > > 2007/04/25 11:18:34 ossec-agent: Connecting to server (xxx.xxx.xxx.xxx:1514).
> > > > 2007/04/25 11:18:34 ossec-agent: Starting syscheckd thread.
> > > > 2007/04/25 11:18:34 ossec-agent: Monitoring registry entry:
> > > > 'HKEY_LOCAL_MACHINE\Software\Classes'.
> > > > 2007/04/25 11:18:34 ossec-agent: Monitoring registry entry:
> > > > 'HKEY_LOCAL_MACHINE\Software\Microsoft'.
> > > > 2007/04/25 11:18:34 ossec-agent: Monitoring registry entry:
> > > > 'HKEY_LOCAL_MACHINE\Software\Policies'.
> > > > 2007/04/25 11:18:34 ossec-agent: Monitoring registry entry:
> > > > 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control'.
> > > > 2007/04/25 11:18:34 ossec-agent: Monitoring registry entry:
> > > > 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services'.
> > > > 2007/04/25 11:18:34 ossec-agent: Monitoring registry entry:
> > > > 'HKEY_LOCAL_MACHINE\Security'.
> > > > 2007/04/25 11:18:34 ossec-agent: Monitoring directory: 'C:\WINDOWS'.
> > > > 2007/04/25 11:18:35 ossec-agent(4102): Connected to the server.
> > > > 2007/04/25 11:18:35 ossec-agent(1951): Analyzing event log: 'Application'.
> > > > 2007/04/25 11:18:44 ossec-agent(1951): Analyzing event log: 'Security'.
> > > > 2007/04/25 11:19:44 ossec-agent(1951): Analyzing event log: 'System'.
> > > > 2007/04/25 11:19:53 ossec-agent(1952): Monitoring variable log file:
> > > > 'C:\WINDOWS\system32\LogFiles\MSFTPSVC1\ex070425.log'.
> > > > 2007/04/25 11:19:53 ossec-agent(1950): Analyzing file:
> > > > 'C:\WINDOWS\system32\LogFiles\MSFTPSVC1\ex070425.log'.
> > > > 2007/04/25 11:19:53 ossec-agent(1952): Monitoring variable log file:
> > > > 'C:\WINDOWS\system32\LogFiles\W3SVC1\ex070425.log'.
> > > > 2007/04/25 11:19:53 ossec-agent(1103): Unable to open file
> > > > 'C:\WINDOWS\system32\LogFiles\W3SVC1\ex070425.log'.
> > > > 2007/04/25 11:19:53 ossec-agent(1950): Analyzing file:
> > > > 'C:\WINDOWS\system32\LogFiles\W3SVC1\ex070425.log'.
> > > > 2007/04/25 11:19:54 ossec-agent: Started (pid: 1012).
> > > > 2007/04/25 11:20:00 ossec-agent(1218): Unable to send message to server.
> > > > .
> > > > .
> > > > .
> > > > 2007/04/25 11:26:49 ossec-agent(1218): Unable to send message to server.
> > > > 2007/04/25 11:26:49 ossec-agent(1218): Unable to send message to server.
> > > > 2007/04/25 11:26:49 ossec-agent(1218): Unable to send message to server.
> > > > 2007/04/25 11:27:01 Remote socket busy, waiting 0 s.
> > > > 2007/04/25 11:27:02 Remote socket busy, waiting 0 s.
> > > > 2007/04/25 11:27:45 Remote socket busy, waiting 0 s.
> > > > 2007/04/25 11:28:52 Remote socket busy, waiting 0 s.
> > > > 2007/04/25 11:29:41 ossec-agent(1218): Unable to send message to server.
> > > > 2007/04/25 11:29:41 ossec-agent(1218): Unable to send message to server.
> > > > 2007/04/25 11:29:41 ossec-agent(1218): Unable to send message to server.
> > > >
> > > > According to the web stats I'm processing around 20,000 events per
> > > > hour which is far less than the performance limit talked about in the
> > > > OSSEC blog. Any ideas?
> > > >
> > >
> >
>
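An added example, not part of the thread or of OSSEC itself: a Python script that buckets the `1218` send failures and "Remote socket busy" lines from an agent's ossec.log per minute and reports whether they continue past the initial syscheck upload described in the thread. The 30-minute startup window and the function names are assumptions, and the sample log is constructed in the format of the excerpt quoted above.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample, in the format of the ossec.log excerpt quoted in the thread.
SAMPLE_LOG = """\
2007/04/25 11:18:34 ossec-agent: Monitoring registry entry:
'HKEY_LOCAL_MACHINE\\Software\\Classes'.
2007/04/25 11:18:35 ossec-agent(4102): Connected to the server.
2007/04/25 11:26:49 ossec-agent(1218): Unable to send message to server.
2007/04/25 11:26:49 ossec-agent(1218): Unable to send message to server.
2007/04/25 11:27:01 Remote socket busy, waiting 0 s.
2007/04/25 11:29:41 ossec-agent(1218): Unable to send message to server.
"""

# timestamp, then an optional "program(id): " prefix, then the message text
LINE_RE = re.compile(r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) (?:[\w-]+(?:\((\d+)\))?: )?(.*)$")


def parse(text):
    """Yield (timestamp, kind) for connect, send-failure and socket-busy lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # wrapped continuation lines carry no timestamp
        ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
        msg_id, msg = m.group(2), m.group(3)
        if msg_id == "4102":
            yield ts, "connected"
        elif msg_id == "1218":
            yield ts, "send_fail"
        elif msg.startswith("Remote socket busy"):
            yield ts, "socket_busy"


def summarize(text, startup_window_min=30):
    """Count problems per minute; flag them if they outlast the startup window."""
    # startup_window_min is an assumed allowance for the initial syscheck upload.
    events = list(parse(text))
    problems = [(ts, k) for ts, k in events if k != "connected"]
    connects = [ts for ts, k in events if k == "connected"]
    per_minute = Counter((ts.strftime("%m/%d %H:%M"), k) for ts, k in problems)
    if not problems or not connects:
        return {"per_minute": per_minute, "minutes": None, "persistent": False}
    last = max(ts for ts, _ in problems)
    base = max((c for c in connects if c <= last), default=min(connects))
    minutes = (last - base).total_seconds() / 60
    return {"per_minute": per_minute, "minutes": round(minutes, 1),
            "persistent": minutes > startup_window_min}
```

Calling `summarize()` on the full agent log a day after deployment separates the one-time upload burst from the ongoing failures reported in the follow-up messages.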
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.