I've installed the snapshots (server first and then Win agent). I'll let it run and report back.

MT

-----Original Message-----
From: [email protected] [mailto:[EMAIL PROTECTED] On Behalf Of Daniel Cid
Sent: Tuesday, May 20, 2008 3:23 PM
To: [email protected]
Subject: [ossec-list] Re: Windows agent disconnect

Hi List,

First of all, thanks to everyone who sent me logs and information to debug it. I think I fixed the problem, so feel free to test it with:

http://www.ossec.net/files/snapshots/ossec-hids-080520.tar.gz
http://www.ossec.net/files/snapshots/ossec-win32-080520.exe

It should have fixed this issue (please update the server before the agents).

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Fri, May 9, 2008 at 12:33 PM, Trifiro, Mark T <[EMAIL PROTECTED]> wrote:
>
> Not sure how the googlegroups handles a file attachment. It's too large to
> paste into the email body. I am sending a debug log to Daniel's gmail address.
>
> MT
>
> -----Original Message-----
> From: [email protected] [mailto:[EMAIL PROTECTED] On Behalf Of Daniel Cid
> Sent: Thursday, May 08, 2008 4:54 PM
> To: [email protected]
> Subject: [ossec-list] Re: Windows agent disconnect
>
> Hi Peter (and everyone else with this issue),
>
> Can you go to internal_options.conf on C:\program files\ossec-agent
> and set the windows.debug flag to 2:
>
> windows.debug=2
>
> After that, let it log for a few hours (and a couple of disconnects)
> and send me the final log? It should be big, but with enough
> information for me to debug it.
>
> *btw, is everyone else seeing the alerts from the server when it
> disconnects or only in the agent log file?
> **This problem is only happening on win2003, right? Any other versions
> affected?
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On Tue, May 6, 2008 at 11:38 AM, Peter M. Abraham
> <[EMAIL PROTECTED]> wrote:
>>
>> Greetings Daniel:
>>
>> If it helps, from the 64-bit Windows 2003 ossec.log
>>
>> 2007/11/27 19:52:00 ossec-agent: Started (pid: 2116).
>> 2007/11/27 19:52:01 ossec-agent(4102): Connected to the server.
>> 2007/11/27 19:52:01 ossec-agent(1951): Analyzing event log:
>> 'Application'.
>> 2007/11/27 19:52:01 ossec-agent(1951): Analyzing event log:
>> 'Security'.
>> 2007/11/27 19:52:01 ossec-agent(1951): Analyzing event log: 'System'.
>> 2007/11/27 19:52:02 ossec-agent: Started (pid: 2116).
>> 2007/11/27 20:04:58 ossec-agent(1123): Unable to delete file: 'shared/
>> system_audit_rcl.txt'.
>> 2007/11/27 21:42:34 ossec-agent: Server unavailable. Setting lock.
>> 2007/11/27 21:42:35 ossec-agent: Server responded. Releasing lock.
>> 2007/11/27 22:28:06 ossec-agent: Server unavailable. Setting lock.
>> 2007/11/27 22:28:09 ossec-agent: Server responded. Releasing lock.
>> 2007/11/27 23:00:40 ossec-agent: Server unavailable. Setting lock.
>> 2007/11/27 23:00:41 ossec-agent: Server responded. Releasing lock.
>> 2007/11/27 23:33:11 ossec-agent: Server unavailable. Setting lock.
>> 2007/11/27 23:33:14 ossec-agent: Server responded. Releasing lock.
>> 2007/11/28 00:05:45 ossec-agent: Server unavailable. Setting lock.
>> 2007/11/28 00:05:48 ossec-agent: Server responded. Releasing lock.
>> 2007/11/28 01:30:21 ossec-agent: Server unavailable. Setting lock.
>> 2007/11/28 01:30:24 ossec-agent: Server responded. Releasing lock.
>> 2007/11/28 02:41:57 ossec-agent: Server unavailable. Setting lock.
>> 2007/11/28 02:42:00 ossec-agent: Server responded. Releasing lock.
>> 2007/11/28 03:14:30 ossec-agent: Server unavailable. Setting lock.
>> 2007/11/28 03:14:31 ossec-agent: Server responded. Releasing lock.
>> 2007/11/28 03:47:02 ossec-agent: Server unavailable. Setting lock.
>> 2007/11/28 03:47:05 ossec-agent: Server responded. Releasing lock.
>> 2007/11/28 04:19:36 ossec-agent: Server unavailable. Setting lock.
>> 2007/11/28 04:19:39 ossec-agent: Server responded. Releasing lock.
>> 2007/11/28 05:11:41 ossec-agent: Server unavailable. Setting lock.
>> 2007/11/28 05:11:44 ossec-agent: Server responded. Releasing lock.
>> 2007/11/28 06:03:45 ossec-agent: Server unavailable. Setting lock.
>> 2007/11/28 06:03:46 ossec-agent: Server responded. Releasing lock.
>> 2007/11/28 06:49:17 ossec-agent: Server unavailable. Setting lock.
>> 2007/11/28 06:49:20 ossec-agent: Server responded. Releasing lock.
>> 2007/11/28 07:21:51 ossec-agent: Server unavailable. Setting lock.
>> 2007/11/28 07:21:54 ossec-agent: Server responded. Releasing lock.
>> 2007/11/28 07:54:24 ossec-agent: Server unavailable. Setting lock.
>> 2007/11/28 07:54:25 ossec-agent: Server responded. Releasing lock.
>> 2007/11/28 08:22:52 ossec-agent: Received exit signal.
>> 2007/11/28 08:22:52 ossec-agent: Exiting...
>>
>> All of the servers in question (ossec server and ossec clients) are in
>> the same network segment / same physical rack.
>>
>> Thank you.
>>
>
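Added example, not part of the original thread and not OSSEC project code: a Python sketch that pairs the "Server unavailable. Setting lock." and "Server responded. Releasing lock." entries of an agent ossec.log like the one quoted above, and reports how long each lock was held and how far apart the disconnects started. The function names are hypothetical; the sample lines are copied from the quoted log.

```python
import re
from datetime import datetime

# Entries copied from the ossec.log excerpt quoted in the thread, including
# the mail quote markers, to show that quoted logs parse as well.
SAMPLE_LOG = """\
>> 2007/11/27 19:52:01 ossec-agent(4102): Connected to the server.
>> 2007/11/27 21:42:34 ossec-agent: Server unavailable. Setting lock.
>> 2007/11/27 21:42:35 ossec-agent: Server responded. Releasing lock.
>> 2007/11/27 22:28:06 ossec-agent: Server unavailable. Setting lock.
>> 2007/11/27 22:28:09 ossec-agent: Server responded. Releasing lock.
>> 2007/11/27 23:00:40 ossec-agent: Server unavailable. Setting lock.
>> 2007/11/27 23:00:41 ossec-agent: Server responded. Releasing lock.
>> 2007/11/28 08:22:52 ossec-agent: Received exit signal.
"""

LINE_RE = re.compile(
    r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) ossec-agent(?:\(\d+\))?: (.*)$")
LOCK = "Server unavailable. Setting lock."
UNLOCK = "Server responded. Releasing lock."

def parse_outages(text):
    """Return (outages, pending): outages is a list of (lock, release)
    datetimes; pending is the time of a lock never released, else None."""
    outages, pending = [], None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.lstrip("> ").rstrip())
        if not m:
            continue  # wrapped continuation lines and blanks are skipped
        ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
        msg = m.group(2)
        if msg == LOCK and pending is None:
            pending = ts
        elif msg == UNLOCK and pending is not None:
            outages.append((pending, ts))
            pending = None
    return outages, pending

def summarize(outages):
    """Return (seconds each lock was held, seconds between lock starts)."""
    held = [int((end - start).total_seconds()) for start, end in outages]
    gaps = [int((b[0] - a[0]).total_seconds())
            for a, b in zip(outages, outages[1:])]
    return held, gaps

if __name__ == "__main__":
    outages, pending = parse_outages(SAMPLE_LOG)
    held, gaps = summarize(outages)
    print("locks held (s):", held)
    print("gaps between lock starts (s):", gaps)
    print("unreleased lock:", pending)
```

A non-None `pending` value means the log ends with the agent still locked, which separates a lasting loss of the server from the short disconnects seen in this thread.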
