Hi Peter (and everyone else with this issue), Can you go to internal_options.conf on C:\program files\ossec-agent and set the windows.debug flag to 2:
windows.debug=2 After that, let is log for a few hours (and a couple of disconnects) and send me the final log? It should be big, but with enough information for me to debug it. *btw, is everyone else seeing the alerts from the server when it disconnects or only in the agent log file? **This problem is only happening on win2003, right? Any other versions affected? Thanks, -- Daniel B. Cid dcid ( at ) ossec.net On Tue, May 6, 2008 at 11:38 AM, Peter M. Abraham <[EMAIL PROTECTED]> wrote: > > Greetings Daniel: > > If it helps, from the 64-bit Windows 2003 ossec.log > > 2007/11/27 19:52:00 ossec-agent: Started (pid: 2116). > > 2007/11/27 19:52:01 ossec-agent(4102): Connected to the server. > > 2007/11/27 19:52:01 ossec-agent(1951): Analyzing event log: > 'Application'. > > 2007/11/27 19:52:01 ossec-agent(1951): Analyzing event log: > 'Security'. > > 2007/11/27 19:52:01 ossec-agent(1951): Analyzing event log: 'System'. > > 2007/11/27 19:52:02 ossec-agent: Started (pid: 2116). > > 2007/11/27 20:04:58 ossec-agent(1123): Unable to delete file: 'shared/ > system_audit_rcl.txt'. > > 2007/11/27 21:42:34 ossec-agent: Server unavailable. Setting lock. > > 2007/11/27 21:42:35 ossec-agent: Server responded. Releasing lock. > > 2007/11/27 22:28:06 ossec-agent: Server unavailable. Setting lock. > > 2007/11/27 22:28:09 ossec-agent: Server responded. Releasing lock. > > 2007/11/27 23:00:40 ossec-agent: Server unavailable. Setting lock. > > 2007/11/27 23:00:41 ossec-agent: Server responded. Releasing lock. > > 2007/11/27 23:33:11 ossec-agent: Server unavailable. Setting lock. > > 2007/11/27 23:33:14 ossec-agent: Server responded. Releasing lock. > > 2007/11/28 00:05:45 ossec-agent: Server unavailable. Setting lock. > > 2007/11/28 00:05:48 ossec-agent: Server responded. Releasing lock. > > 2007/11/28 01:30:21 ossec-agent: Server unavailable. Setting lock. > > 2007/11/28 01:30:24 ossec-agent: Server responded. Releasing lock. > > 2007/11/28 02:41:57 ossec-agent: Server unavailable. Setting lock. > > 2007/11/28 02:42:00 ossec-agent: Server responded. Releasing lock. > > 2007/11/28 03:14:30 ossec-agent: Server unavailable. Setting lock. > > 2007/11/28 03:14:31 ossec-agent: Server responded. Releasing lock. > > 2007/11/28 03:47:02 ossec-agent: Server unavailable. Setting lock. > > 2007/11/28 03:47:05 ossec-agent: Server responded. Releasing lock. > > 2007/11/28 04:19:36 ossec-agent: Server unavailable. Setting lock. > > 2007/11/28 04:19:39 ossec-agent: Server responded. Releasing lock. > > 2007/11/28 05:11:41 ossec-agent: Server unavailable. Setting lock. > > 2007/11/28 05:11:44 ossec-agent: Server responded. Releasing lock. > > 2007/11/28 06:03:45 ossec-agent: Server unavailable. Setting lock. > > 2007/11/28 06:03:46 ossec-agent: Server responded. Releasing lock. > > 2007/11/28 06:49:17 ossec-agent: Server unavailable. Setting lock. > > 2007/11/28 06:49:20 ossec-agent: Server responded. Releasing lock. > > 2007/11/28 07:21:51 ossec-agent: Server unavailable. Setting lock. > > 2007/11/28 07:21:54 ossec-agent: Server responded. Releasing lock. > > 2007/11/28 07:54:24 ossec-agent: Server unavailable. Setting lock. > > 2007/11/28 07:54:25 ossec-agent: Server responded. Releasing lock. > > 2007/11/28 08:22:52 ossec-agent: Received exit signal. > > 2007/11/28 08:22:52 ossec-agent: Exiting... > > > All of the servers in question (ossec server and ossec clients) are in > the same network segment / same physical rack. > > Thank you. >
