[ossec-list] Re: OSSEC 1.3 and Windows 2003 64-bit Agent disconnects
- To: ossec-list@xxxxxxxxxxxxxxxx
- Subject: [ossec-list] Re: OSSEC 1.3 and Windows 2003 64-bit Agent disconnects
- From: "Daniel Cid" <daniel.cid@xxxxxxxxx>
- Date: Sun, 21 Oct 2007 19:33:26 -0300
Hi Peter,

From your log, it looks like the agent is working fine, but for
some reason it is losing the connection to the server very often (and
reconnecting right away). Are you getting events from this agent? Is
there an entry for it at /var/ossec/queue/syscheck? Is your server
reporting that the agent is going down?

It is funny that I saw this already on another Windows 2003 system,
but could not reproduce it anywhere else...

Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On 10/18/07, Peter M. Abraham <peter.m.abraham@xxxxxxxxx> wrote:
>
> Greetings:
>
> The steps listed on http://www.ossec.net/wiki/index.php/Errors:AgentCommunication
> worked for a CentOS 5, 64-bit machine; but did not work on Windows
> 2003, 64-bit.
>
> 2007/10/17 21:12:00 ossec-agent: Assigning sender counter: 15:3287
> 2007/10/17 21:12:00 ossec-agent: Connecting to server ([central server
> ip]:1514).
> 2007/10/17 21:12:00 ossec-agent: Starting syscheckd thread.
> 2007/10/17 21:12:00 ossec-rootcheck: Started (pid: 1108).
> 2007/10/17 21:12:00 ossec-agent: Monitoring registry entry:
> 'HKEY_LOCAL_MACHINE\Software\Classes'.
> 2007/10/17 21:12:00 ossec-agent: Monitoring registry entry:
> 'HKEY_LOCAL_MACHINE\Software\Microsoft'.
> 2007/10/17 21:12:00 ossec-agent: Monitoring registry entry:
> 'HKEY_LOCAL_MACHINE\Software\Policies'.
> 2007/10/17 21:12:00 ossec-agent: Monitoring registry entry:
> 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control'.
> 2007/10/17 21:12:00 ossec-agent: Monitoring registry entry:
> 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services'.
> 2007/10/17 21:12:00 ossec-agent: Monitoring registry entry:
> 'HKEY_LOCAL_MACHINE\Security'.
> 2007/10/17 21:12:00 ossec-agent: Monitoring directory: 'C:\WINDOWS'.
> 2007/10/17 21:12:00 ossec-agent: Started (pid: 1108).
> 2007/10/17 21:12:01 ossec-agent(4102): Connected to the server.
> 2007/10/17 21:12:01 ossec-agent(1951): Analyzing event log:
> 'Application'.
> 2007/10/17 22:29:55 ossec-agent: Event count after '20000': 4135462-
> >3503968 (84%)
> 2007/10/17 23:35:24 ossec-agent: Server unavailable. Setting lock.
> 2007/10/17 23:35:25 ossec-agent: Server responded. Releasing lock.
> 2007/10/18 00:27:26 ossec-agent: Server unavailable. Setting lock.
> 2007/10/18 00:27:29 ossec-agent: Server responded. Releasing lock.
> 2007/10/18 01:32:46 ossec-agent: Server unavailable. Setting lock.
> 2007/10/18 01:32:47 ossec-agent: Server responded. Releasing lock.
> 2007/10/18 02:51:07 ossec-agent: Server unavailable. Setting lock.
> 2007/10/18 02:51:08 ossec-agent: Server responded. Releasing lock.
> 2007/10/18 03:23:39 ossec-agent: Server unavailable. Setting lock.
> 2007/10/18 03:23:42 ossec-agent: Server responded. Releasing lock.
> 2007/10/18 03:56:13 ossec-agent: Server unavailable. Setting lock.
> 2007/10/18 03:56:14 ossec-agent: Server responded. Releasing lock.
> 2007/10/18 05:20:58 ossec-agent: Server unavailable. Setting lock.
> 2007/10/18 05:20:59 ossec-agent: Server responded. Releasing lock.
> 2007/10/18 06:06:30 ossec-agent: Server unavailable. Setting lock.
> 2007/10/18 06:06:33 ossec-agent: Server responded. Releasing lock.
> 2007/10/18 06:39:04 ossec-agent: Server unavailable. Setting lock.
> 2007/10/18 06:39:05 ossec-agent: Server responded. Releasing lock.
> 2007/10/18 07:11:36 ossec-agent: Server unavailable. Setting lock.
> 2007/10/18 07:11:39 ossec-agent: Server responded. Releasing lock.
> 2007/10/18 07:44:09 ossec-agent: Server unavailable. Setting lock.
> 2007/10/18 07:44:12 ossec-agent: Server responded. Releasing lock.
>
>
> How can this be fixed?
>
> Thank you.
>
>
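Added example, not part of the original thread and not OSSEC code: a Python script that quantifies the pattern discussed in this message by pairing each "Server unavailable. Setting lock." line with the next "Server responded. Releasing lock." line, then reporting outage length and the spacing between disconnects. The sample input is copied from the quoted agent log; the function names are hypothetical.

```python
import re
from datetime import datetime

# Connect line plus the last four lock/release pairs from the agent log quoted above.
SAMPLE_LOG = """\
2007/10/17 21:12:01 ossec-agent(4102): Connected to the server.
2007/10/18 06:06:30 ossec-agent: Server unavailable. Setting lock.
2007/10/18 06:06:33 ossec-agent: Server responded. Releasing lock.
2007/10/18 06:39:04 ossec-agent: Server unavailable. Setting lock.
2007/10/18 06:39:05 ossec-agent: Server responded. Releasing lock.
2007/10/18 07:11:36 ossec-agent: Server unavailable. Setting lock.
2007/10/18 07:11:39 ossec-agent: Server responded. Releasing lock.
2007/10/18 07:44:09 ossec-agent: Server unavailable. Setting lock.
2007/10/18 07:44:12 ossec-agent: Server responded. Releasing lock.
"""

LINE = re.compile(r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) ossec-agent[^:]*: (.*)$")

def find_flaps(log_text):
    """Return (lock_time, outage_seconds) per lock; None if never released."""
    flaps, locked_at = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw.lstrip("> ").rstrip())  # tolerate '>'-quoted lines
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
        msg = m.group(2)
        if msg.startswith("Server unavailable"):
            if locked_at is not None:          # previous lock never released
                flaps.append((locked_at, None))
            locked_at = ts
        elif msg.startswith("Server responded") and locked_at is not None:
            flaps.append((locked_at, (ts - locked_at).total_seconds()))
            locked_at = None
    if locked_at is not None:                  # log ends while still locked
        flaps.append((locked_at, None))
    return flaps

def summarize(flaps):
    closed = [d for _, d in flaps if d is not None]
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(flaps, flaps[1:])]
    return {"flaps": len(flaps), "unrecovered": len(flaps) - len(closed),
            "max_outage_s": max(closed, default=0.0), "gaps_s": gaps}

if __name__ == "__main__":
    print(summarize(find_flaps(SAMPLE_LOG)))
```

Short outages at near-constant spacing point to a periodic cause on the path or the server side, which is worth correlating with the server's own log for the same timestamps.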