On Fri, Jan 14, 2011 at 4:52 PM, anderscooter <dav.a.ander...@gmail.com> wrote:
> It looks like the problem is at remote sites with large security logs, and
> every so often one of the message updates fails. We really don't need
> to monitor the Windows Event logs. Is the only way to do this in the
> Windows Agent config, or can this be done at the OSSEC server level?
>

I had an agent (not Windows...) giving the same error about not being
able to send the message to the server. I re-imported the key and it
seems to have fixed things.

> On Jan 14, 2:10 pm, anderscooter <dav.a.ander...@gmail.com> wrote:
>> Yes, the IP address is unique. I will have to get with the Unix team to
>> see if they can enable debugging on the server. They did look at the
>> logs without debugging on and didn't see anything out of the
>> ordinary.
>>
>> And with high-level debugging on the Windows Agent it says things
>> like this over and over again with the same "Audit Success IDs", and it
>> looks like it's all the WinEvtLogs.
>>
>> 2011/01/14 14:03:17 ossec-agent: DEBUG: Attempting to send message to server.
>> 2011/01/14 14:03:17 ossec-agent: DEBUG: Sending message to server: 'WinEvtLog: Security: AUDIT_SUCCESS(5145)
>>
>> On Jan 14, 11:26 am, "dan (ddp)" <ddp...@gmail.com> wrote:
>>
>> > Hi anderscooter,
>>
>> > On Fri, Jan 14, 2011 at 11:16 AM, anderscooter <dav.a.ander...@gmail.com> wrote:
>> > > We are connecting to the server, but get these messages: "Unable to send
>> > > message to server". I enabled debugging but I cannot seem to find a
>> > > reason for the messages. This is only happening on a couple of servers
>> > > and I cannot find any commonality among the affected machines.
>>
>> > Try checking the ossec.log on the manager, to see if there are any
>> > helpful messages there.
>> > Also, make sure all agents have a unique IP in manage_agents (or are
>> > using a CIDR, which doesn't have to be unique).
>>
>> > > 2011/01/14 09:02:50 ossec-agent(4102): INFO: Connected to the server (xx.xxx.xxx.xxx:1514).
>> > > 2011/01/14 09:02:50 ossec-agent(1951): INFO: Analyzing event log: 'Application'.
>> > > 2011/01/14 09:02:50 ossec-agent(1951): INFO: Analyzing event log: 'Security'.
>> > > 2011/01/14 09:02:53 ossec-agent(1951): INFO: Analyzing event log: 'System'.
>> > > 2011/01/14 09:02:53 ossec-agent: INFO: Started (pid: 2508).
>> > > 2011/01/14 09:03:49 ossec-agent: INFO: Starting syscheck scan (forwarding database).
>> > > 2011/01/14 09:03:49 ossec-agent: INFO: Starting syscheck database (pre-scan).
>> > > 2011/01/14 09:03:49 ossec-agent: WARN: Error opening directory: 'C:\boot.ini': No such file or directory
>> > > 2011/01/14 09:03:49 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/CONFIG.NT': No such file or directory
>> > > 2011/01/14 09:03:49 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/AUTOEXEC.NT': No such file or directory
>> > > 2011/01/14 09:03:49 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/debug.exe': No such file or directory
>> > > 2011/01/14 09:03:49 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/drwatson.exe': No such file or directory
>> > > 2011/01/14 09:03:49 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/drwtsn32.exe': No such file or directory
>> > > 2011/01/14 09:03:49 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/edlin.exe': No such file or directory
>> > > 2011/01/14 09:03:49 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/eventtriggers.exe': No such file or directory
>> > > 2011/01/14 09:03:49 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/rcp.exe': No such file or directory
>> > > 2011/01/14 09:03:49 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/rexec.exe': No such file or directory
>> > > 2011/01/14 09:03:49 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/rsh.exe': No such file or directory
>> > > 2011/01/14 09:03:51 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/telnet.exe': No such file or directory
>> > > 2011/01/14 09:03:51 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/tftp.exe': No such file or directory
>> > > 2011/01/14 09:03:51 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/tlntsvr.exe': No such file or directory
>> > > 2011/01/14 09:03:51 ossec-agent: INFO: Finished creating syscheck database (pre-scan completed).
>> > > 2011/01/14 09:04:01 ossec-agent: INFO: Ending syscheck scan (forwarding database).
>> > > 2011/01/14 09:04:21 ossec-agent: INFO: Starting rootcheck scan.
>> > > 2011/01/14 09:04:26 ossec-agent: INFO: Ending rootcheck scan.
>> > > 2011/01/14 09:06:29 ossec-agent(1218): ERROR: Unable to send message to server.
>> > > 2011/01/14 09:15:12 ossec-agent: INFO: Event count after '20000': 17316711->10266128 (59%)
>> > > 2011/01/14 09:28:17 ossec-agent: INFO: Event count after '20000': 17313995->10316576 (59%)
>> > > 2011/01/14 09:36:07 ossec-agent(1218): ERROR: Unable to send message to server.
>> > > 2011/01/14 09:41:54 ossec-agent: INFO: Event count after '20000': 17270398->10257672 (59%)
>> > > 2011/01/14 09:48:51 ossec-agent(1218): ERROR: Unable to send message to server.
>> > > 2011/01/14 09:53:55 ossec-agent(1218): ERROR: Unable to send message to server.
>> > > 2011/01/14 09:54:08 ossec-agent: INFO: Event count after '20000': 17289252->10263464 (59%)
>> > > 2011/01/14 10:01:19 ossec-agent(1218): ERROR: Unable to send message to server.
>> > > 2011/01/14 10:09:22 ossec-agent: INFO: Event count after '20000': 17223575->10223496 (59%)
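For anderscooter's question about turning off Windows Event Log collection: the Windows agent reads the Application, Security and System logs because of the `<localfile>` entries with `<log_format>eventlog</log_format>` in the agent's own ossec.conf (the three "Analyzing event log" INFO lines at agent start are those entries being opened). The configuration below is an added example, not something posted in this thread or shipped by the OSSEC project as-is; the server address is a placeholder. It shows the three stock event log blocks commented out so the agent collects no event log data; deleting the blocks has the same effect, and keeping only one channel (e.g. Security) means leaving just that block active.

```xml
<!-- Added example: agent-side ossec.conf on a Windows host.
     192.0.2.10 is a placeholder for the manager's address. -->
<ossec_config>
  <client>
    <server-ip>192.0.2.10</server-ip>
  </client>

  <!-- syscheck and rootcheck sections of the stock config stay as they are -->

  <!-- A default Windows agent install ships one <localfile> per Event Log
       channel; each makes the agent read that channel and forward every
       event to the manager. To stop collecting Event Logs, comment the
       blocks out (as here) or delete them, then restart the agent service.
       To keep a single channel, leave only that block uncommented. -->
  <!--
  <localfile>
    <location>Application</location>
    <log_format>eventlog</log_format>
  </localfile>
  <localfile>
    <location>Security</location>
    <log_format>eventlog</log_format>
  </localfile>
  <localfile>
    <location>System</location>
    <log_format>eventlog</log_format>
  </localfile>
  -->
</ossec_config>
```

Two caveats. First, this has to be done on each agent: the shared agent.conf that the manager pushes to agents adds configuration on top of the agent's local ossec.conf; it does not remove `<localfile>` blocks the agent already has, so there is no server-side switch to stop an agent reading a log it is configured for locally. Second, dropping the Security log entirely silences the flood of AUDIT_SUCCESS(5145) object-access events seen in the debug output, but it also removes the logon, account and privilege-use audit events that the manager's Windows rules act on, so keeping only the Security channel, or tightening the Windows audit policy that generates the 5145 events, is usually the better trade than collecting nothing.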