
[ossec-list] Re: Error: unable to send message to server




I asked the same question off list and this was Daniel's response:

You don't need to remove anything ... In the server, just run the
install.sh and it will ask if you want to upgrade (choose yes). It will
keep all your config. On the agent, just run the .exe binary and it will
also keep your config....

*upgrade should be very easy to do :)

On 5/2/07, Rob <jnrelliott@xxxxxxxxx> wrote:
Wow, great work Daniel.  Truly awesome work.  I do have a question,  I've
already installed 1.1 and look to upgrade.  I couldn't find an upgrade doc
anywhere.  Do I just run the installer again for the server and agents?


On 5/1/07, Daniel Cid <daniel.cid@xxxxxxxxx> wrote:
>
> Hi,
>
> Can you try upgrading to the following packages:
>
> http://www.ossec.net/files/snapshots/ossec-hids-070501.tar.gz
> http://www.ossec.net/files/snapshots/ossec-win32-070430.exe
>
> Even though they are not "official" releases, they are very stable and with
> numerous improvements to the internal works of ossec. You can see
> from here the amount that it improved from version 1.1:
>
> http://www.ossec.net/dcid/?p=69
>
> *btw, I tried to reply to you on the irc channel, but you left before
> seeing my replies...
> **Upgrade first the server, followed by the agents.
>
> Let us know if it fixes the problem...
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On 5/1/07, List Subscriptions <lists.canuck.eh@xxxxxxxxx> wrote:
> >
> > Daniel,
> >
> > After several days this issue still exists.  I have been monitoring
> > the interface statistics and I'm not even close to saturating the
> > link.   Any ideas?
> >
> > On 4/27/07, List Subscriptions <lists.canuck.eh@xxxxxxxxx > wrote:
> > > The problematic agents have been running for around 24hrs now and I
> > > still get those two messages in log files.  I am however still getting
> > > alerts which means that eventually the server and agent are able to
> > > communicate.  I'm hoping to deploy agents to 10 more web servers but
> > > would like to eliminate this issue first.  What else could I tweak?
> > > Should I increase the syscheck interval?
> > >
> > > Thanks,
> > > Dale
> > >
> > > On 4/25/07, Daniel Cid <daniel.cid@xxxxxxxxx> wrote:
> > > >
> > > > Hi,
> > > >
> > > > This means that your network or server is currently busy. Note that when you
> > > > first start the agent it forwards all the integrity checking data (both files
> > > > and registry) to the server. If you started all very close together, you will
> > > > be getting much more than 20,000 events per hour*...
> > > >
> > > > *On average, for Windows, you have 35,000 entries for the syscheck data
> > > > (including files and registry). So it means 35,000 additional events per agent.
> > > >
> > > > # wc -l /var/ossec/queue/syscheck/*win*
> > > >    10061 (win64-1) 192.168.2.0->syscheck
> > > >    24491 (win64-1) 192.168.2.0->syscheck-registry
> > > >
> > > >
> > > > You may also want to check your network (not the server itself), to see if you
> > > > don't have any connectivity issues (I have servers monitoring a much
> > > > larger number of agents and never had these errors).
> > > >
> > > > Btw, does the problem still persist or is it gone?
> > > >
> > > > Thanks,
> > > >
> > > > --
> > > > Daniel B. Cid
> > > > dcid ( at ) ossec.net
> > > >
> > > > On 4/25/07, List Subscriptions <lists.canuck.eh@xxxxxxxxx> wrote:
> > > > >
> > > > > I'm running OSSEC HIDS v1.1 and trying to deploy to all of my Windows
> > > > > 2003 web servers.  The first 4 went just fine but with the 5th and 6th
> > > > > I keep seeing the following errors in ossec.log:
> > > > >
> > > > > 2007/04/25 11:18:34 ossec-agent: Connecting to server (xxx.xxx.xxx.xxx:1514).
> > > > > 2007/04/25 11:18:34 ossec-agent: Starting syscheckd thread.
> > > > > 2007/04/25 11:18:34 ossec-agent: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes'.
> > > > > 2007/04/25 11:18:34 ossec-agent: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft'.
> > > > > 2007/04/25 11:18:34 ossec-agent: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Policies'.
> > > > > 2007/04/25 11:18:34 ossec-agent: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control'.
> > > > > 2007/04/25 11:18:34 ossec-agent: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services'.
> > > > > 2007/04/25 11:18:34 ossec-agent: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Security'.
> > > > > 2007/04/25 11:18:34 ossec-agent: Monitoring directory: 'C:\WINDOWS'.
> > > > > 2007/04/25 11:18:35 ossec-agent(4102): Connected to the server.
> > > > > 2007/04/25 11:18:35 ossec-agent(1951): Analyzing event log: 'Application'.
> > > > > 2007/04/25 11:18:44 ossec-agent(1951): Analyzing event log: 'Security'.
> > > > > 2007/04/25 11:19:44 ossec-agent(1951): Analyzing event log: 'System'.
> > > > > 2007/04/25 11:19:53 ossec-agent(1952): Monitoring variable log file: 'C:\WINDOWS\system32\LogFiles\MSFTPSVC1\ex070425.log'.
> > > > > 2007/04/25 11:19:53 ossec-agent(1950): Analyzing file: 'C:\WINDOWS\system32\LogFiles\MSFTPSVC1\ex070425.log'.
> > > > > 2007/04/25 11:19:53 ossec-agent(1952): Monitoring variable log file: 'C:\WINDOWS\system32\LogFiles\W3SVC1\ex070425.log'.
> > > > > 2007/04/25 11:19:53 ossec-agent(1103): Unable to open file 'C:\WINDOWS\system32\LogFiles\W3SVC1\ex070425.log'.
> > > > > 2007/04/25 11:19:53 ossec-agent(1950): Analyzing file: 'C:\WINDOWS\system32\LogFiles\W3SVC1\ex070425.log'.
> > > > > 2007/04/25 11:19:54 ossec-agent: Started (pid: 1012).
> > > > > 2007/04/25 11:20:00 ossec-agent(1218): Unable to send message to server.
> > > > > .
> > > > > .
> > > > > .
> > > > > 2007/04/25 11:26:49 ossec-agent(1218): Unable to send message to server.
> > > > > 2007/04/25 11:26:49 ossec-agent(1218): Unable to send message to server.
> > > > > 2007/04/25 11:26:49 ossec-agent(1218): Unable to send message to server.
> > > > > 2007/04/25 11:27:01 Remote socket busy, waiting 0 s.
> > > > > 2007/04/25 11:27:02 Remote socket busy, waiting 0 s.
> > > > > 2007/04/25 11:27:45 Remote socket busy, waiting 0 s.
> > > > > 2007/04/25 11:28:52 Remote socket busy, waiting 0 s.
> > > > > 2007/04/25 11:29:41 ossec-agent(1218): Unable to send message to server.
> > > > > 2007/04/25 11:29:41 ossec-agent(1218): Unable to send message to server.
> > > > > 2007/04/25 11:29:41 ossec-agent(1218): Unable to send message to server.
> > > > >
> > > > > According to the web stats I'm processing around 20,000 events per
> > > > > hour which is far less than the performance limit talked about in the
> > > > > OSSEC blog.  Any ideas?
> > > > >
> > > >
> > >
> >
>
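
An added example, not part of the original thread or of OSSEC itself: a small Python triage script that buckets the agent's 1218 send failures and "Remote socket busy" messages per minute and measures how long after the 4102 "Connected" entry they continue, to tell a burst during the initial syscheck sync from a problem that keeps recurring. The function name `summarize` is hypothetical and the sample input is constructed from the ossec.log excerpt quoted above.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: entries adapted from the ossec.log excerpt in the thread.
SAMPLE_LOG = """\
2007/04/25 11:18:35 ossec-agent(4102): Connected to the server.
2007/04/25 11:19:54 ossec-agent: Started (pid: 1012).
2007/04/25 11:20:00 ossec-agent(1218): Unable to send message to server.
2007/04/25 11:26:49 ossec-agent(1218): Unable to send message to server.
2007/04/25 11:26:49 ossec-agent(1218): Unable to send message to server.
2007/04/25 11:26:49 ossec-agent(1218): Unable to send message to server.
2007/04/25 11:27:01 Remote socket busy, waiting 0 s.
2007/04/25 11:27:02 Remote socket busy, waiting 0 s.
2007/04/25 11:27:45 Remote socket busy, waiting 0 s.
2007/04/25 11:28:52 Remote socket busy, waiting 0 s.
2007/04/25 11:29:41 ossec-agent(1218): Unable to send message to server.
2007/04/25 11:29:41 ossec-agent(1218): Unable to send message to server.
2007/04/25 11:29:41 ossec-agent(1218): Unable to send message to server.
"""

# timestamp, optional "ossec-agent(<code>): " prefix, then the message text
LINE = re.compile(
    r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) (?:ossec-agent(?:\((\d+)\))?: )?(.*)$")

def summarize(text):
    """Return ({(minute, kind): count}, seconds from first 'Connected'
    entry to the last send failure or socket-busy entry, or None)."""
    per_minute = Counter()
    connected = last_trouble = None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # wrapped continuation lines and "." elision markers
        ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
        code, msg = m.group(2), m.group(3)
        minute = ts.strftime("%Y/%m/%d %H:%M")
        if code == "4102" and connected is None:
            connected = ts
        elif code == "1218":
            per_minute[(minute, "send_fail")] += 1
            last_trouble = ts
        elif msg.startswith("Remote socket busy"):
            per_minute[(minute, "socket_busy")] += 1
            last_trouble = ts
    if connected and last_trouble:
        return dict(per_minute), (last_trouble - connected).total_seconds()
    return dict(per_minute), None
```
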



