The log is showing everything working to be working correctly now, but it seems as if it had trouble connecting to the server initially. The server is a Windows 2008 server. I'm running OSSEC on quite a few other windows hosts. This is the only time I've experienced any trouble.
2010/12/20 18:53:03 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: 'xxx.xxx.xxx.xxx'. 2010/12/20 19:00:53 ossec-agent: INFO: Trying to connect to server (xxx.xxx.xxx.xxx:1514). 2010/12/20 19:01:14 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: 'xxx.xxx.xxx.xxx'. 2010/12/20 19:09:22 ossec-agent: INFO: Trying to connect to server (xxx.xxx.xxx.xxx:1514). 2010/12/20 19:09:43 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: 'xxx.xxx.xxx.xxx'. 2010/12/20 19:18:09 ossec-agent: INFO: Trying to connect to server (xxx.xxx.xxx.xxx:1514). 2010/12/20 19:18:30 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: 'xxx.xxx.xxx.xxx'. 2010/12/20 19:27:14 ossec-agent: INFO: Trying to connect to server (xxx.xxx.xxx.xxx:1514). 2010/12/20 19:27:35 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: 'xxx.xxx.xxx.xxx'. 2010/12/20 19:36:37 ossec-agent: INFO: Trying to connect to server (xxx.xxx.xxx.xxx:1514). 2010/12/20 19:36:58 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: 'xxx.xxx.xxx.xxx'. 2010/12/20 19:46:18 ossec-agent: INFO: Trying to connect to server (xxx.xxx.xxx.xxx:1514). 2010/12/20 19:46:39 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: 'xxx.xxx.xxx.xxx'. 2010/12/20 19:56:17 ossec-agent: INFO: Trying to connect to server (xxx.xxx.xxx.xxx:1514). 2010/12/20 19:56:38 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: 'xxx.xxx.xxx.xxx'. 2010/12/20 20:06:34 ossec-agent: INFO: Trying to connect to server (xxx.xxx.xxx.xxx:1514). 2010/12/20 20:06:55 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: 'xxx.xxx.xxx.xxx'. 2010/12/20 20:17:09 ossec-agent: INFO: Trying to connect to server (xxx.xxx.xxx.xxx:1514). 2010/12/20 20:17:30 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: 'xxx.xxx.xxx.xxx'. 2010/12/20 20:28:02 ossec-agent: INFO: Trying to connect to server (xxx.xxx.xxx.xxx:1514). 2010/12/20 20:28:23 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: 'xxx.xxx.xxx.xxx'. 2010/12/20 20:39:13 ossec-agent: INFO: Trying to connect to server (xxx.xxx.xxx.xxx:1514). 2010/12/20 20:39:23 ossec-agent(4102): INFO: Connected to the server (xxx.xxx.xxx.xxx:1514). 2010/12/20 20:39:23 ossec-agent(1951): INFO: Analyzing event log: 'Application'. 2010/12/20 20:39:23 ossec-agent(1951): INFO: Analyzing event log: 'Security'. 2010/12/20 20:39:23 ossec-agent(1951): INFO: Analyzing event log: 'System'. 2010/12/20 20:39:23 ossec-agent: INFO: Started (pid: 2644). 2010/12/20 20:39:24 ossec-agent: INFO: Lock free. Continuing... 2010/12/20 20:40:14 ossec-agent: INFO: Starting syscheck scan (forwarding database). 2010/12/20 20:40:14 ossec-agent: INFO: Starting syscheck database (pre-scan). 2010/12/20 20:40:14 ossec-agent: WARN: Error opening directory: 'C:\boot.ini': No such file or directory 2010/12/20 20:40:14 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/CONFIG.NT': No such file or directory 2010/12/20 20:40:14 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/AUTOEXEC.NT': No such file or directory 2010/12/20 20:40:15 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/debug.exe': No such file or directory 2010/12/20 20:40:15 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/drwatson.exe': No such file or directory 2010/12/20 20:40:15 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/drwtsn32.exe': No such file or directory 2010/12/20 20:40:15 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/edlin.exe': No such file or directory 2010/12/20 20:40:15 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/eventtriggers.exe': No such file or directory 2010/12/20 20:40:15 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/rcp.exe': No such file or directory 2010/12/20 20:40:15 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/rexec.exe': No such file or directory 2010/12/20 20:40:15 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/rsh.exe': No such file or directory 2010/12/20 20:40:17 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/telnet.exe': No such file or directory 2010/12/20 20:40:17 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/tftp.exe': No such file or directory 2010/12/20 20:40:17 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/tlntsvr.exe': No such file or directory 2010/12/20 20:40:17 ossec-agent: INFO: Finished creating syscheck database (pre-scan completed). 2010/12/20 20:40:27 ossec-agent: INFO: Ending syscheck scan (forwarding database). 2010/12/20 20:40:47 ossec-agent: INFO: Starting rootcheck scan. 2010/12/20 20:40:52 ossec-agent: INFO: Ending rootcheck scan. Tyler Ross -----Original Message----- From: ossec-list@googlegroups.com [mailto:ossec-l...@googlegroups.com] On Behalf Of dan (ddp) Sent: Tuesday, December 21, 2010 1:56 PM To: ossec-list@googlegroups.com Subject: Re: [ossec-list] OSSEC client on Server 2003 (Unable to start OSSEC (check config)). On Tue, Dec 21, 2010 at 1:42 PM, <tyler.r...@l-3com.com> wrote: > I'm running into issues installing the OSSEC 2.5.1 client on a windows 2008 > R2 server. After repeated un-installation and reinstallation I am unable to > start the OSSEC client from the OSSEC Agent Manager, receiving an "Unable to > start OSSEC (check config)." Error code. > > > > My initial installation worked correctly, and I changed the OSSEC config > file to monitor log files in a specific directory. I mistyped the entry > which, in turn, caused the error mentioned above. After correcting the > config file I still received this error message when starting the agent > process. So, I decided to uninstall and re-install. I then uninstalled, > deleted the parent directory, and re-installed a number of times. I've > deleted and re-created the agent in the server a number of times, and I am > still receiving the error message every time I attempt to start the process > from the OSSEC Agent Manager. > > > > Now here's where things get odd. I found the OSSEC Hids process to be > running on the server. However, the Agent Manager lists it as "Stopped". > The server shows the agent as "active" as well. > > > > Any help with this issue is very much appreciated. Thank you! > > > > > > > > > > > > Tyler Ross > > 2003 or 2008? Are there any useful entries in the ossec.log on the agent? Are the ossec processes seen in the services configuration for the system (I don't do much with the Windows agent, so I don't have any clue if they should)?
