[ossec-list] Re: Windows client communication issue
- To: ossec-list@xxxxxxxxxxxxxxxx
- Subject: [ossec-list] Re: Windows client communication issue
- From: "Daniel Cid" <daniel.cid@xxxxxxxxx>
- Date: Tue, 16 Oct 2007 23:22:48 -0300
- Cc: rmills@xxxxxxxxxxxxxx
Hi,

I am guessing this is a problem in the configuration of the keys. From the log,
the server is saying that the key used by the agent doesn't match what it has
in there... Are these systems behind a NAT device? I mean, are the server and
the agents all in the same LAN or just the two agents?

Take a look at the following entries in the FAQ:
http://www.ossec.net/wiki/index.php/Errors:AgentCommunication
http://www.ossec.net/wiki/index.php/Errors:1403

And see if they can help you. If not, please give us the following info:
http://www.ossec.net/wiki/index.php/Community_manual:BugReport

Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On 10/15/07, Ry Mills <rmills@xxxxxxxxxxxxxx> wrote:
>
> My server is set up on Ubuntu. I have 2 Windows XP PCs and 1 W2K server
> set up with the Windows client. The first PC I set up works fine. I then set up
> the W2K Server and the other XP server and get the Waiting for server reply
> response. All of these systems are on our LAN which doesn't go through a
> firewall and firewall is not active on the XP PCs. Any ideas on what might
> be causing this? At the very bottom is the server log pertaining to these
> two clients. Any ideas on what is going on?
>
> XP client Log which does not work
>
>
>
> 2007/10/10 14:45:01 ossec-agent: Connecting to server (192.168.2.96:1514).
>
> 2007/10/10 14:45:01 ossec-agent: Starting syscheckd thread.
>
> 2007/10/10 14:45:01 ossec-rootcheck: Started (pid: 720).
>
> 2007/10/10 14:45:01 ossec-agent: Monitoring registry entry:
> 'HKEY_LOCAL_MACHINE\Software\Classes'.
>
> 2007/10/10 14:45:01 ossec-agent: Monitoring registry entry:
> 'HKEY_LOCAL_MACHINE\Software\Microsoft'.
>
> 2007/10/10 14:45:01 ossec-agent: Monitoring registry entry:
> 'HKEY_LOCAL_MACHINE\Software\Policies'.
>
> 2007/10/10 14:45:01 ossec-agent: Monitoring registry entry:
> 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control'.
>
> 2007/10/10 14:45:01 ossec-agent: Monitoring registry entry:
> 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services'.
>
> 2007/10/10 14:45:01 ossec-agent: Monitoring registry entry:
> 'HKEY_LOCAL_MACHINE\Security'.
>
> 2007/10/10 14:45:01 ossec-agent: Monitoring directory: 'C:\WINDOWS'.
>
> 2007/10/10 14:45:01 ossec-agent: Started (pid: 720).
>
> 2007/10/10 14:45:16 ossec-agent(4101): Waiting for server reply (not
> started).
>
> 2007/10/10 14:45:32 ossec-agent(4101): Waiting for server reply (not
> started).
>
> 2007/10/10 14:46:03 ossec-agent(4101): Waiting for server reply (not
> started).
>
> 2007/10/10 14:46:49 ossec-agent(4101): Waiting for server reply (not
> started).
>
> 2007/10/10 14:47:50 ossec-agent(4101): Waiting for server reply (not
> started).
>
> 2007/10/10 14:49:06 ossec-agent(4101): Waiting for server reply (not
> started).
>
> 2007/10/10 14:50:37 ossec-agent(4101): Waiting for server reply (not
> started).
>
> 2007/10/10 14:52:23 ossec-agent(4101): Waiting for server reply (not
> started).
>
> 2007/10/10 14:54:24 ossec-agent(4101): Waiting for server reply (not
> started).
>
> 2007/10/10 14:56:40 ossec-agent(4101): Waiting for server reply (not
> started).
>
> 2007/10/10 14:59:11 ossec-agent(4101): Waiting for server reply (not
> started).
>
> 2007/10/10 15:01:57 ossec-agent(4101): Waiting for server reply (not
> started).
>
> 2007/10/10 15:04:58 ossec-agent(4101): Waiting for server reply (not
> started).
>
> 2007/10/10 15:08:14 ossec-agent(4101): Waiting for server reply (not
> started).
>
> 2007/10/10 15:11:45 ossec-agent(4101): Waiting for server reply (not
> started).
>
> 2007/10/10 15:12:58 ossec-agent: Server unavailable. Setting lock.
>
> XP client log which does work
>
>
>
> 2007/10/05 14:24:24 ossec-agent: Connecting to server (192.168.2.96:1514).
>
> 2007/10/05 14:24:24 ossec-agent: Starting syscheckd thread.
>
> 2007/10/05 14:24:24 ossec-rootcheck: Started (pid: 792).
>
> 2007/10/05 14:24:24 ossec-agent: Monitoring registry entry:
> 'HKEY_LOCAL_MACHINE\Software\Classes'.
>
> 2007/10/05 14:24:24 ossec-agent: Monitoring registry entry:
> 'HKEY_LOCAL_MACHINE\Software\Microsoft'.
>
> 2007/10/05 14:24:24 ossec-agent: Monitoring registry entry:
> 'HKEY_LOCAL_MACHINE\Software\Policies'.
>
> 2007/10/05 14:24:24 ossec-agent: Monitoring registry entry:
> 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control'.
>
> 2007/10/05 14:24:24 ossec-agent: Monitoring registry entry:
> 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services'.
>
> 2007/10/05 14:24:24 ossec-agent: Monitoring registry entry:
> 'HKEY_LOCAL_MACHINE\Security'.
>
> 2007/10/05 14:24:24 ossec-agent: Monitoring directory: 'C:\WINDOWS'.
>
> 2007/10/05 14:24:24 ossec-agent: Started (pid: 792).
>
> 2007/10/05 14:24:25 ossec-agent(4102): Connected to the server.
>
> 2007/10/05 14:24:26 ossec-agent(1951): Analyzing event log: 'Application'.
>
> 2007/10/05 14:24:29 ossec-agent(1123): Unable to delete file:
> 'shared/ar.conf'.
>
> 2007/10/05 14:24:31 ossec-agent(1951): Analyzing event log: 'Security'.
>
> 2007/10/05 14:24:33 ossec-agent(1951): Analyzing event log: 'System'.
>
> 2007/10/05 14:24:36 ossec-agent(1952): Monitoring variable log file:
> 'C:\WINDOWS\System32\LogFiles\W3SVC1\ex071005.log'.
>
> 2007/10/05 14:24:36 ossec-agent(1103): Unable to open file
> 'C:\WINDOWS\System32\LogFiles\W3SVC1\ex071005.log'.
>
> 2007/10/05 14:24:36 ossec-agent(1950): Analyzing file:
> 'C:\WINDOWS\System32\LogFiles\W3SVC1\ex071005.log'.
>
> 2007/10/05 14:24:36 ossec-agent: Started (pid: 792).
>
> Server Log
>
>
>
> Ossec-remoted(1403) : Incorrectly formatted message from IP (This is from my
> Windows 2000 Client)
>
>
>
> Ossec-remoted(1213) : Message from IP not allowed (This is from my XP
> client). As a reminder my XP clients do not run Windows firewall and there
> is no firewall between client/server.
>
>
>
> Any help would be appreciated.
>
> Thanks.
>
>
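
An added example, not part of the original thread and not OSSEC's own code: a simplified offline model of the two server errors quoted above, checking the address the server sees and then the key, as the reply suggests. The `ID NAME IP KEY` entry layout and the accepted IP forms are assumptions of this example, and every name, address and key below is a constructed placeholder.

```python
import ipaddress

# Constructed sample data. The "ID NAME IP KEY" layout is an assumption of this
# example; names, addresses and keys are placeholders, not values from the thread.
SERVER_KEYS = """\
001 xp-pc1 192.168.2.50 1111aaaa2222bbbb
002 w2k-srv 192.168.2.51 3333cccc4444dddd
003 xp-pc2 192.168.2.52 5555eeee6666ffff
"""
AGENT_XP1 = "001 xp-pc1 192.168.2.50 1111aaaa2222bbbb\n"
AGENT_W2K = "002 w2k-srv 192.168.2.51 0000stale0000key\n"  # differs from server copy
AGENT_XP2 = "003 xp-pc2 192.168.2.52 5555eeee6666ffff\n"


def parse_keys(text):
    """Return one dict per well-formed 'ID NAME IP KEY' line."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            entries.append(dict(zip(("id", "name", "ip", "key"), parts)))
    return entries


def ip_allowed(ip_spec, source_ip):
    """True if source_ip matches an entry's address, CIDR range or 'any' (assumed forms)."""
    if ip_spec.lower() == "any":
        return True
    try:
        net = ipaddress.ip_network(ip_spec, strict=False)
        return ipaddress.ip_address(source_ip) in net
    except ValueError:
        return False


def diagnose(server_keys, agent_keys, source_ip):
    """Predict the server-side outcome for one agent as seen from source_ip."""
    agent = parse_keys(agent_keys)
    if len(agent) != 1:
        return "agent has no single usable key entry"
    mine = agent[0]
    # Step 1: does any server entry accept the address the packets arrive from?
    candidates = [e for e in parse_keys(server_keys) if ip_allowed(e["ip"], source_ip)]
    if not candidates:
        return "1213: source IP not allowed"
    # Step 2: does an accepted entry carry the same ID and key as the agent?
    if any(e["id"] == mine["id"] and e["key"] == mine["key"] for e in candidates):
        return "ok"
    return "1403: key mismatch"
```

Passing the address the server actually observes, rather than the one configured on the agent, is what exposes a NAT or re-addressing problem: `diagnose(SERVER_KEYS, AGENT_XP2, "192.168.2.77")` reports the 1213 case even though the keys are identical.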
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.