We are working on 2.6. Here is the issue.

I have one Windows 2003 agent that can't talk to the server. No firewalls.

Windows ossec.log:

2012/08/21 10:02:06 ossec-agent: INFO: Started (pid: 5392).
2012/08/21 10:02:16 ossec-agent: WARN: Process locked. Waiting for permission...
2012/08/21 10:02:27 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '144.122.190.48'.
2012/08/21 10:02:29 ossec-agent: INFO: Trying to connect to server (144.122.190.48:1514).
2012/08/21 10:02:31 ossec-agent: Received exit signal.
2012/08/21 10:02:31 ossec-agent: Exiting...

Server:

2012/08/21 10:03:13 ossec-remoted(1403): ERROR: Incorrectly formated message from '144.122.218.24'.

Config:

<!-- OSSEC Win32 Agent Configuration.
  - This file is compost of 3 main sections:
  - - Client config - Settings to connect to the OSSEC server.
  - - Localfile - Files/Event logs to monitor.
  - - syscheck - System file/Registry entries to monitor.
  -->

<!-- READ ME FIRST. If you are configuring OSSEC for the first time,
  - try to use the "Manage_Agent" tool. Go to control panel->OSSEC Agent
  - to execute it.
  -
  - First, add a server-ip entry with the real IP of your server.
  - Second, and optionally, change the settings of the files you want
  - to monitor. Look at our Manual and FAQ for more information.
  - Third, start the Agent and enjoy.
  -
  - Example of server-ip:
  - <client> <server-ip>1.2.3.4</server-ip> </client>
  -->

<ossec_config>

  <!-- One entry for each file/Event log to monitor. -->
  <!--
  <localfile>
    <location>Application</location>
    <log_format>eventlog</log_format>
  </localfile>

  <localfile>
    <location>Security</location>
    <log_format>eventlog</log_format>
  </localfile>

  <localfile>
    <location>System</location>
    <log_format>eventlog</log_format>
  </localfile>
  -->

  <!-- Rootcheck - Policy monitor config -->
  <rootcheck>
    <windows_audit>./shared/win_audit_rcl.txt</windows_audit>
    <windows_apps>./shared/win_applications_rcl.txt</windows_apps>
    <windows_malware>./shared/win_malware_rcl.txt</windows_malware>
  </rootcheck>

  <!-- Syscheck - Integrity Checking config. -->
  <syscheck>

    <!-- Default frequency, every 18 hours. It doesn't need to be higher
      - on most systems and one a day should be enough. -->
    <frequency>64800</frequency>

    <!-- By default it is disabled. In the Install you must choose
      - to enable it. -->
    <disabled>no</disabled>

    <!-- Default files to be monitored - system32 only. -->
    <directories check_all="yes">%WINDIR%/system32</directories>

    <!-- Default files to be ignored. -->
    <ignore>%WINDIR%/System32/LogFiles</ignore>
    <ignore>%WINDIR%/system32/wbem/Logs</ignore>
    <ignore>%WINDIR%/system32/config</ignore>
    <ignore>%WINDIR%/system32/CatRoot</ignore>
    <ignore>%WINDIR%/system32/wbem/Repository</ignore>
    <ignore>%WINDIR%/system32/dllcache</ignore>
    <ignore>%WINDIR%/system32/inetsrv/History</ignore>
    <ignore>%WINDIR%/system32/winevt/Logs</ignore>
    <ignore>%WINDIR%/system32/spool</ignore>
    <ignore>%WINDIR%/system32/Tasks</ignore>
    <ignore type="sregex">.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$</ignore>

    <!-- Windows registry entries to monitor. -->
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Policies</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Security</windows_registry>

    <!-- Windows registry entries to ignore. -->
    <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\State</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Prefetcher</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Software\Classes\Interface</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Software\Classes\TypeLib</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Software\Classes\MIME</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Software\Classes\Software</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Software\Classes\CLSID</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Security\Policy\Secrets</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceClasses</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Watchdog</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\MediaCategories</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Windows</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\hivelist</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ServiceCurrent</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess\Performance</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient</registry_ignore>
    <registry_ignore type="sregex">\Enum$</registry_ignore>
  </syscheck>

</ossec_config>

<!-- END of Default Configuration. -->

<ossec_config>
  <client>
    <server-ip>144.122.190.48</server-ip>
  </client>
</ossec_config>

____________________________________________
Michael Barrett | Information Security Analyst - Lead | Mortgage Guaranty Insurance Corporation
270 E. Kilbourn Ave. | Milwaukee, WI 53202 USA | 1.414.347.6271 | 1.888.601.4440 | michael_barr...@mgic.com

This message is intended for use only by the person(s) addressed above and may contain privileged and confidential information. Disclosure or use of this message by any other person is strictly prohibited. If this message is received in error, please notify the sender immediately and delete this message.

From: "dan (ddp)" <ddp...@gmail.com>
To: ossec-list@googlegroups.com
Date: 08/21/2012 09:58 AM
Subject: Re: [ossec-list] 2.5.1
Sent by: ossec-list@googlegroups.com

On Tue, Aug 21, 2012 at 10:52 AM, Michael Barrett <michael_barr...@mgic.com> wrote:
>
> Anyone know where I can download version 2.5.1 server? Can only find 2.6 on
> the OSSEC site but need the 2.5.1 version.
> ____________________________________________
> Michael Barrett | Information Security Analyst - Lead | Mortgage Guaranty
> Insurance Corporation
> 270 E. Kilbourn Ave. | Milwaukee, WI 53202 USA | 1.414.347.6271 |
> 1.888.601.4440 | michael_barr...@mgic.com
>
> This message is intended for use only by the person(s) addressed above and
> may contain privileged and confidential information. Disclosure or use of
> this message by any other person is strictly prohibited. If this message is
> received in error, please notify the sender immediately and delete this
> message.

I'd start by looking in 2010. 2.6 is the latest version, and we don't encourage using anything older.
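The agent- and server-side log lines quoted in the post above can be correlated mechanically. The script below is an added example and is not code from the post or from the OSSEC project: it parses ossec.log lines into structured events and pairs an agent-side 4101 "Waiting for server reply" with a server-side ossec-remoted 1403 "Incorrectly formated message" that arrives from some source within a few minutes. In OSSEC that 1403 pairing means the server received traffic but could not validate it, which is the pattern seen when the agent's key or its ID/IP entry in client.keys does not match; a 4101 with nothing at all on the server side points at the network path to UDP/1514 instead. The sample log text is copied from the post and embedded inline; the five-minute correlation window, the function names and the diagnosis strings are this example's own choices.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input: the agent- and server-side ossec.log lines from the post.
AGENT_LOG = """\
2012/08/21 10:02:06 ossec-agent: INFO: Started (pid: 5392).
2012/08/21 10:02:16 ossec-agent: WARN: Process locked. Waiting for permission...
2012/08/21 10:02:27 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '144.122.190.48'.
2012/08/21 10:02:29 ossec-agent: INFO: Trying to connect to server (144.122.190.48:1514).
2012/08/21 10:02:31 ossec-agent: Received exit signal.
2012/08/21 10:02:31 ossec-agent: Exiting...
"""
SERVER_LOG = """\
2012/08/21 10:03:13 ossec-remoted(1403): ERROR: Incorrectly formated message from '144.122.218.24'.
"""

# "YYYY/MM/DD HH:MM:SS daemon[(code)]: [LEVEL: ]message" is the ossec.log line shape.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<daemon>[\w-]+)(?:\((?P<code>\d+)\))?: "
    r"(?:(?P<level>INFO|WARN|ERROR|DEBUG): )?(?P<msg>.*)$"
)
IP_RE = re.compile(r"'(\d{1,3}(?:\.\d{1,3}){3})'")


def parse_log(text):
    """Return a list of dicts (ts, daemon, code, level, msg); unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y/%m/%d %H:%M:%S")
        ev["code"] = int(ev["code"]) if ev["code"] else None
        events.append(ev)
    return events


def triage(agent_events, server_events, window=timedelta(minutes=5)):
    """Correlate agent 4101 events with server 1403 events and label the likely cause."""
    findings = []
    waits = [e for e in agent_events if e["code"] == 4101]
    rejects = [e for e in server_events
               if e["daemon"] == "ossec-remoted" and e["code"] == 1403]
    for w in waits:
        tried = IP_RE.search(w["msg"])          # server IP the agent tried
        matched = False
        for r in rejects:
            if abs(r["ts"] - w["ts"]) > window:  # only pair events close in time
                continue
            matched = True
            src = IP_RE.search(r["msg"])        # source IP the server rejected
            findings.append({
                "kind": "key_mismatch_suspected",
                "agent_time": w["ts"],
                "server_time": r["ts"],
                "agent_tried": tried.group(1) if tried else None,
                "server_saw_from": src.group(1) if src else None,
                "diagnosis": "server received the agent's message but could not validate it "
                             "(1403): verify the agent's imported key and its ID/IP entry in "
                             "client.keys on the server, then restart both sides",
            })
        if not matched:
            findings.append({
                "kind": "no_server_side_record",
                "agent_time": w["ts"],
                "agent_tried": tried.group(1) if tried else None,
                "diagnosis": "agent got no reply and the server logged nothing from it: "
                             "check that UDP/1514 reaches ossec-remoted from this host",
            })
    return findings


if __name__ == "__main__":
    for f in triage(parse_log(AGENT_LOG), parse_log(SERVER_LOG)):
        print(f["kind"], f["agent_tried"], f.get("server_saw_from"), "-", f["diagnosis"])
```

Run against the post's lines it reports one key_mismatch_suspected finding: the agent tried 144.122.190.48, and 46 seconds later the server rejected a message from 144.122.218.24. Feeding it the agent log alone yields the no_server_side_record branch, which is the other question worth answering before touching keys.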