On Wednesday, April 17, 2013 15:44:03 UTC+2, Michiel van Es wrote:
>
> On Wednesday, April 17, 2013 15:19:38 UTC+2, dan (ddpbsd) wrote:
>>
>> On Wed, Apr 17, 2013 at 6:27 AM, Michiel van Es <vanesm...@gmail.com> wrote:
>> > Hello,
>> >
>> > We have installed OSSEC 2.7 on a CentOS machine which is working fine with
>> > several Windows and Linux agents.
>> > We are trying to install the OSSEC 2.7 agent package on a Windows 2008
>> > server which goes well but at the end, after the manual agent config (ip and
>> > secret) and restarting of the service, we still see that the agent is never
>> > connected:
>> >
>> > On the OSSEC server:
>> >
>> > ID: 1368, Name: server001, IP: x.x.x.x, Never connected
>> >
>>
>> Is there any useful information in the ossec server's ossec.log (if I
>> missed it I'm sorry)?
>> If you start the ossec processes on the server in debug mode, do you
>> receive log messages then?
>> Is the syscheck db for the agent populated
>> (/var/ossec/queue/syscheck/STUFF)?
>> Any alerts based on log messages from the agent?
>>
>
> We see nothing in the server's ossec.log (we do see the ossec-authd
> connection).
> We see UDP traffic on the server between server <==> agent.
> We don't have this issue with Windows 2003 and finally
> we tried 2.6 and 2.7 and both don't work (are logging on the agent that
> everything is working fine but nothing on the server).
>

Extra information with debugging logging on (too much to paste here): http://pastebin.com/hEyc9VLA

> I will try the debug mode and if the syscheck db is populated.
>
>>
>> > On the agent in c:\program files(x86)\ossec-agent\ossec.log we see:
>> >
>> > 2013/04/17 11:17:16 ossec-agent(4102): INFO: Connected to the server (*server ip*:1514).
>> >
>> > 2013/04/17 11:17:16 ossec-agent: INFO: System is Vista or Windows Server 2008.
>> >
>> > 2013/04/17 11:17:16 ossec-agent(1951): INFO: Analyzing event log: 'Application'.
>> >
>> > 2013/04/17 11:17:16 ossec-agent(1951): INFO: Analyzing event log: 'Security'.
>> >
>> > 2013/04/17 11:17:17 ossec-agent(1951): INFO: Analyzing event log: 'System'.
>> >
>> > 2013/04/17 11:17:17 ossec-agent: INFO: Started (pid: 6984).
>> >
>> > 2013/04/17 11:18:15 ossec-agent: INFO: Starting syscheck scan (forwarding database).
>> >
>> > 2013/04/17 11:18:15 ossec-agent: INFO: Starting syscheck database (pre-scan).
>> >
>> > This is strange, we checked the connection (connection can be made to server
>> > udp 1514) but we don't see anything in the server's logfile in
>> > /var/ossec/log/ossec.log
>> >
>> > Is there anything we can do to further investigate?
>> > Service seems to be running fine and the OSSEC agent logfile shows that
>> > nothing is broken but the server never sees the successful connection.
>> >
>> > Michiel
>> >
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google Groups
>> > "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send an
>> > email to ossec-list+...@googlegroups.com.
>> > For more options, visit https://groups.google.com/groups/opt_out.