On Tue, Dec 21, 2010 at 2:30 PM, <tyler.r...@l-3com.com> wrote:
> Any ideas why the Agent Manager would be showing the process as stopped
> although it is running? And why it would be telling me there is a config
> file issue (even though the process is running)?
>
> Tyler Ross

I don't have any idea. I'm not very familiar with the Agent Manager and how
it interacts with the system/OSSEC services.

> -----Original Message-----
> From: ossec-list@googlegroups.com [mailto:ossec-l...@googlegroups.com] On Behalf Of dan (ddp)
> Sent: Tuesday, December 21, 2010 2:22 PM
> To: ossec-list@googlegroups.com
> Subject: Re: [ossec-list] OSSEC client on Server 2003 (Unable to start OSSEC (check config)).
>
> On Tue, Dec 21, 2010 at 2:14 PM, <tyler.r...@l-3com.com> wrote:
>> The log is showing everything to be working correctly now, but it seems
>> as if it had trouble connecting to the server initially. The server is a
>> Windows 2008 server. I'm running OSSEC on quite a few other Windows
>> hosts. This is the only time I've experienced any trouble.
>>
>> 2010/12/20 18:53:03 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: 'xxx.xxx.xxx.xxx'.
>> 2010/12/20 19:00:53 ossec-agent: INFO: Trying to connect to server (xxx.xxx.xxx.xxx:1514).
>
> You should check the manager's ossec.log for log messages around these
> times. It might give you a clue as to what was going wrong.
>
>> 2010/12/20 19:01:14 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: 'xxx.xxx.xxx.xxx'.
>> 2010/12/20 19:09:22 ossec-agent: INFO: Trying to connect to server (xxx.xxx.xxx.xxx:1514).
>> 2010/12/20 19:09:43 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: 'xxx.xxx.xxx.xxx'.
>> 2010/12/20 19:18:09 ossec-agent: INFO: Trying to connect to server (xxx.xxx.xxx.xxx:1514).
>> 2010/12/20 19:18:30 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: 'xxx.xxx.xxx.xxx'.
>> 2010/12/20 19:27:14 ossec-agent: INFO: Trying to connect to server (xxx.xxx.xxx.xxx:1514).
>> 2010/12/20 19:27:35 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: 'xxx.xxx.xxx.xxx'.
>> 2010/12/20 19:36:37 ossec-agent: INFO: Trying to connect to server (xxx.xxx.xxx.xxx:1514).
>> 2010/12/20 19:36:58 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: 'xxx.xxx.xxx.xxx'.
>> 2010/12/20 19:46:18 ossec-agent: INFO: Trying to connect to server (xxx.xxx.xxx.xxx:1514).
>> 2010/12/20 19:46:39 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: 'xxx.xxx.xxx.xxx'.
>> 2010/12/20 19:56:17 ossec-agent: INFO: Trying to connect to server (xxx.xxx.xxx.xxx:1514).
>> 2010/12/20 19:56:38 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: 'xxx.xxx.xxx.xxx'.
>> 2010/12/20 20:06:34 ossec-agent: INFO: Trying to connect to server (xxx.xxx.xxx.xxx:1514).
>> 2010/12/20 20:06:55 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: 'xxx.xxx.xxx.xxx'.
>> 2010/12/20 20:17:09 ossec-agent: INFO: Trying to connect to server (xxx.xxx.xxx.xxx:1514).
>> 2010/12/20 20:17:30 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: 'xxx.xxx.xxx.xxx'.
>> 2010/12/20 20:28:02 ossec-agent: INFO: Trying to connect to server (xxx.xxx.xxx.xxx:1514).
>> 2010/12/20 20:28:23 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: 'xxx.xxx.xxx.xxx'.
>> 2010/12/20 20:39:13 ossec-agent: INFO: Trying to connect to server (xxx.xxx.xxx.xxx:1514).
>> 2010/12/20 20:39:23 ossec-agent(4102): INFO: Connected to the server (xxx.xxx.xxx.xxx:1514).
>> 2010/12/20 20:39:23 ossec-agent(1951): INFO: Analyzing event log: 'Application'.
>> 2010/12/20 20:39:23 ossec-agent(1951): INFO: Analyzing event log: 'Security'.
>> 2010/12/20 20:39:23 ossec-agent(1951): INFO: Analyzing event log: 'System'.
>> 2010/12/20 20:39:23 ossec-agent: INFO: Started (pid: 2644).
>> 2010/12/20 20:39:24 ossec-agent: INFO: Lock free. Continuing...
>> 2010/12/20 20:40:14 ossec-agent: INFO: Starting syscheck scan (forwarding database).
>> 2010/12/20 20:40:14 ossec-agent: INFO: Starting syscheck database (pre-scan).
>> 2010/12/20 20:40:14 ossec-agent: WARN: Error opening directory: 'C:\boot.ini': No such file or directory
>> 2010/12/20 20:40:14 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/CONFIG.NT': No such file or directory
>> 2010/12/20 20:40:14 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/AUTOEXEC.NT': No such file or directory
>> 2010/12/20 20:40:15 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/debug.exe': No such file or directory
>> 2010/12/20 20:40:15 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/drwatson.exe': No such file or directory
>> 2010/12/20 20:40:15 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/drwtsn32.exe': No such file or directory
>> 2010/12/20 20:40:15 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/edlin.exe': No such file or directory
>> 2010/12/20 20:40:15 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/eventtriggers.exe': No such file or directory
>> 2010/12/20 20:40:15 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/rcp.exe': No such file or directory
>> 2010/12/20 20:40:15 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/rexec.exe': No such file or directory
>> 2010/12/20 20:40:15 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/rsh.exe': No such file or directory
>> 2010/12/20 20:40:17 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/telnet.exe': No such file or directory
>> 2010/12/20 20:40:17 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/tftp.exe': No such file or directory
>> 2010/12/20 20:40:17 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/tlntsvr.exe': No such file or directory
>> 2010/12/20 20:40:17 ossec-agent: INFO: Finished creating syscheck database (pre-scan completed).
>> 2010/12/20 20:40:27 ossec-agent: INFO: Ending syscheck scan (forwarding database).
>> 2010/12/20 20:40:47 ossec-agent: INFO: Starting rootcheck scan.
>> 2010/12/20 20:40:52 ossec-agent: INFO: Ending rootcheck scan.
>>
>> Tyler Ross
>>
>> -----Original Message-----
>> From: ossec-list@googlegroups.com [mailto:ossec-l...@googlegroups.com] On Behalf Of dan (ddp)
>> Sent: Tuesday, December 21, 2010 1:56 PM
>> To: ossec-list@googlegroups.com
>> Subject: Re: [ossec-list] OSSEC client on Server 2003 (Unable to start OSSEC (check config)).
>>
>> On Tue, Dec 21, 2010 at 1:42 PM, <tyler.r...@l-3com.com> wrote:
>>> I'm running into issues installing the OSSEC 2.5.1 client on a Windows
>>> 2008 R2 server. After repeated uninstallation and reinstallation I am
>>> unable to start the OSSEC client from the OSSEC Agent Manager, receiving
>>> an "Unable to start OSSEC (check config)." error code.
>>>
>>> My initial installation worked correctly, and I changed the OSSEC config
>>> file to monitor log files in a specific directory. I mistyped the entry
>>> which, in turn, caused the error mentioned above. After correcting the
>>> config file I still received this error message when starting the agent
>>> process. So, I decided to uninstall and re-install. I then uninstalled,
>>> deleted the parent directory, and re-installed a number of times. I've
>>> deleted and re-created the agent in the server a number of times, and I
>>> am still receiving the error message every time I attempt to start the
>>> process from the OSSEC Agent Manager.
>>>
>>> Now here's where things get odd. I found the OSSEC Hids process to be
>>> running on the server. However, the Agent Manager lists it as "Stopped".
>>> The server shows the agent as "active" as well.
>>>
>>> Any help with this issue is very much appreciated. Thank you!
>>>
>>> Tyler Ross
>>
>> 2003 or 2008?
>> Are there any useful entries in the ossec.log on the agent?
>> Are the ossec processes seen in the services configuration for the
>> system (I don't do much with the Windows agent, so I don't have any
>> clue if they should)?
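The agent log quoted in this thread has a fixed line shape, so the retry loop (4101 warnings until a 4102 "Connected") and the syscheck "No such file" noise can be pulled out mechanically when triaging many agents. The script below is an added example, not code from the thread or from the OSSEC project; it assumes the ossec.log format shown above and runs over a constructed excerpt in that format.

```python
import re
from datetime import datetime

# Line shape of the agent's ossec.log as quoted in the thread.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"ossec-agent(?:\((?P<code>\d+)\))?: (?P<level>[A-Z]+): (?P<msg>.*)$")
MISSING_RE = re.compile(r"Error opening directory: '(?P<path>[^']+)': No such file")

def parse_line(line):
    """Split one log line into timestamp, numeric code (if any), level, text."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
            "code": int(m["code"]) if m["code"] else None,
            "level": m["level"], "msg": m["msg"]}

def manager_outages(lines):
    """Stretches of 4101 'Waiting for server reply' warnings as (first_warning,
    connected_at, retries); connected_at is None if no 4102 'Connected' followed."""
    outages, start, retries = [], None, 0
    for rec in filter(None, map(parse_line, lines)):
        if rec["code"] == 4101:
            retries += 1
            if start is None:
                start = rec["ts"]
        elif rec["code"] == 4102 and start is not None:
            outages.append((start, rec["ts"], retries))
            start, retries = None, 0
    if start is not None:
        outages.append((start, None, retries))
    return outages

def missing_syscheck_paths(lines):
    """Paths syscheck could not open: configured entries absent on this host."""
    paths = []
    for rec in filter(None, map(parse_line, lines)):
        if rec["level"] == "WARN" and (m := MISSING_RE.search(rec["msg"])):
            paths.append(m["path"])
    return paths
# Constructed excerpt in the thread's format (manager address masked as in the thread).
SAMPLE_LOG = """\
2010/12/20 18:53:03 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: 'xxx.xxx.xxx.xxx'.
2010/12/20 19:00:53 ossec-agent: INFO: Trying to connect to server (xxx.xxx.xxx.xxx:1514).
2010/12/20 19:01:14 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: 'xxx.xxx.xxx.xxx'.
2010/12/20 20:39:23 ossec-agent(4102): INFO: Connected to the server (xxx.xxx.xxx.xxx:1514).
2010/12/20 20:40:14 ossec-agent: WARN: Error opening directory: 'C:\\boot.ini': No such file or directory
2010/12/20 20:40:17 ossec-agent: WARN: Error opening directory: 'C:\\Windows/System32/telnet.exe': No such file or directory
""".splitlines()
```

On the excerpt, manager_outages reports one stretch of 1h46m20s with two retries, which is the window to line up against the manager's own ossec.log as suggested above.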