On Wednesday, 17 April 2013 15:19:38 UTC+2, dan (ddpbsd) wrote:
>
> On Wed, Apr 17, 2013 at 6:27 AM, Michiel van Es <vanesm...@gmail.com> wrote:
> > Hello, 
> > 
> > We have installed OSSEC 2.7 on a CentOS machine which is working fine with
> > several Windows and Linux agents.
> > We are trying to install the OSSEC 2.7 agent package on a Windows 2008
> > server, which goes well, but at the end, after the manual agent config (ip and
> > secret) and restarting of the service, we still see that the agent is never
> > connected:
> > 
> > On the OSSEC server: 
> > 
> > ID: 1368, Name: server001, IP: x.x.x.x, Never connected 
> > 
>
> Is there any useful information in the ossec server's ossec.log (if I 
> missed it I'm sorry)? 
> If you start the ossec processes on the server in debug mode, do you 
> receive log messages then? 
> Is the syscheck db for the agent populated 
> (/var/ossec/queue/syscheck/STUFF)? 
> Any alerts based on log messages from the agent? 
>

We see nothing in the server's ossec.log (we do see the ossec-authd connection).
We see UDP traffic on the server between server <==> agent.
We don't have this issue with Windows 2003, and finally we tried 2.6 and 2.7 and both don't work (they are logging on the agent that everything is working fine, but nothing on the server).

I will try the debug mode and check whether the syscheck db is populated.

>
>
> > On the agent in c:\program files(x86)\ossec-agent\ossec.log we see: 
> > 
> > 2013/04/17 11:17:16 ossec-agent(4102): INFO: Connected to the server (*server ip*:1514).
> > 2013/04/17 11:17:16 ossec-agent: INFO: System is Vista or Windows Server 2008.
> > 2013/04/17 11:17:16 ossec-agent(1951): INFO: Analyzing event log: 'Application'.
> > 2013/04/17 11:17:16 ossec-agent(1951): INFO: Analyzing event log: 'Security'.
> > 2013/04/17 11:17:17 ossec-agent(1951): INFO: Analyzing event log: 'System'.
> > 2013/04/17 11:17:17 ossec-agent: INFO: Started (pid: 6984).
> > 2013/04/17 11:18:15 ossec-agent: INFO: Starting syscheck scan (forwarding database).
> > 2013/04/17 11:18:15 ossec-agent: INFO: Starting syscheck database (pre-scan).
> > 
> > This is strange, we checked the connection (connection can be made to server
> > udp 1514) but we don't see anything in the server's logfile in
> > /var/ossec/log/ossec.log
> >
> > Is there anything we can do to further investigate?
> > Service seems to be running fine and the OSSEC agent logfile shows that
> > nothing is broken but the server never sees the successful connection.
> > 
> > Michiel 
> > 
> > --
> > You received this message because you are subscribed to the Google Groups
> > "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> > email to ossec-list+...@googlegroups.com.
> > For more options, visit https://groups.google.com/groups/opt_out.
>
