On Wednesday, 17 April 2013 17:08:48 UTC+2, dan (ddpbsd) wrote:

> On Wed, Apr 17, 2013 at 10:39 AM, Michiel van Es <vanesm...@gmail.com> wrote:
> >
> > On Wednesday, 17 April 2013 15:44:03 UTC+2, Michiel van Es wrote:
> >>
> >> On Wednesday, 17 April 2013 15:19:38 UTC+2, dan (ddpbsd) wrote:
> >>>
> >>> On Wed, Apr 17, 2013 at 6:27 AM, Michiel van Es <vanesm...@gmail.com> wrote:
> >>> > Hello,
> >>> >
> >>> > We have installed OSSEC 2.7 on a CentOS machine which is working fine with several Windows and Linux agents.
> >>> > We are trying to install the OSSEC 2.7 agent package on a Windows 2008 server which goes well, but at the end, after the manual agent config (ip and secret) and restarting of the service, we still see that the agent is never connected:
> >>> >
> >>> > On the OSSEC server:
> >>> >
> >>> > ID: 1368, Name: server001, IP: x.x.x.x, Never connected
> >>> >
> >>>
> >>> Is there any useful information in the ossec server's ossec.log (if I missed it I'm sorry)?
> >>> If you start the ossec processes on the server in debug mode, do you receive log messages then?
> >>> Is the syscheck db for the agent populated (/var/ossec/queue/syscheck/STUFF)?
> >>> Any alerts based on log messages from the agent?
> >>
> >> We see nothing in the server's ossec.log (we do see the ossec-authd connection).
>
> The agent shouldn't be making multiple authd connections...
>
> >> We see UDP traffic on the server between server <==> agent
> >> We don't have this issue with Windows 2003 and finally we tried 2.6 and 2.7 and both don't work (they are logging on the agent that everything is working fine but nothing on the server).
> >
> > Extra information with debug logging on:
> >
> > (too much to paste here:)
> > http://pastebin.com/hEyc9VLA
> >
>
> Any luck on getting the debug info from the server? How about checking the syscheck db? Alerts?

No entry/file in /var/ossec/queue/syscheck. I was a little hesitant to turn on debugging on the server since more than 300 agents are connected.. will do that in a controlled manner. I am seeing entries in /var/ossec/log/alerts/*, so the connection is working; the only problem is that agent_control -l says it has never connected. This makes it difficult for us to see which nodes are down or not.

> Does the agent have a file in /var/ossec/queue/agent-info? If so, try stopping the ossec processes on the server, moving that file, and starting the processes back up.

Yes, the file is existent. Moved and restarted, but the agent is still never connected.

> Try turning on the log all option on the server, and check for the agent's logs in the archive.log file.

Before I turn on all kinds of logging, can we pinpoint it to the agent_control check? Alerts are coming in and thus the network connection and such are working fine.

> >> I will try the debug mode and check if the syscheck db is populated.
> >>>
> >>> > On the agent in c:\program files(x86)\ossec-agent\ossec.log we see:
> >>> >
> >>> > 2013/04/17 11:17:16 ossec-agent(4102): INFO: Connected to the server (*server ip*:1514).
> >>> > 2013/04/17 11:17:16 ossec-agent: INFO: System is Vista or Windows Server 2008.
> >>> > 2013/04/17 11:17:16 ossec-agent(1951): INFO: Analyzing event log: 'Application'.
> >>> > 2013/04/17 11:17:16 ossec-agent(1951): INFO: Analyzing event log: 'Security'.
> >>> > 2013/04/17 11:17:17 ossec-agent(1951): INFO: Analyzing event log: 'System'.
> >>> > 2013/04/17 11:17:17 ossec-agent: INFO: Started (pid: 6984).
> >>> > 2013/04/17 11:18:15 ossec-agent: INFO: Starting syscheck scan (forwarding database).
> >>> > 2013/04/17 11:18:15 ossec-agent: INFO: Starting syscheck database (pre-scan).
> >>> >
> >>> > This is strange, we checked the connection (connection can be made to server udp 1514) but we don't see anything in the server's logfile in /var/ossec/log/ossec.log
> >>> >
> >>> > Is there anything we can do to further investigate?
> >>> > The service seems to be running fine and the OSSEC agent logfile shows that nothing is broken, but the server never sees the successful connection.
> >>> >
> >>> > Michiel
> >>> >

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
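A small triage helper for the mismatch discussed in this thread (agent_control -l reports "Never connected" while the server already holds state for the agent), added here as an example; it is not code from the thread or from OSSEC. It assumes the agent-info files are named `<name>-<ip>`, and the agent_control output it parses is constructed.

```python
"""Triage helper: cross-check agent_control -l status against agent-info files.

Added example, not code from the thread or from OSSEC. Assumptions (labelled):
the agent-info file name is "<name>-<ip>", and the sample output is constructed.
"""
import os
import re
import tempfile

# One record per agent_control -l line: "ID: <id>, Name: <name>, IP: <ip>, <status>"
AGENT_RE = re.compile(r"ID:\s*(\d+),\s*Name:\s*(.+?),\s*IP:\s*(\S+),\s*(.+)$")

def parse_agent_list(output):
    """Return [(id, name, ip, status)] for every agent line in agent_control -l output."""
    agents = []
    for line in output.splitlines():
        m = AGENT_RE.search(line)
        if m:
            agents.append(tuple(s.strip() for s in m.groups()))
    return agents

def find_inconsistent(agents, agent_info_dir):
    """Agents that agent_control reports as 'Never connected' yet have an agent-info
    file on the server (the state from the thread: alerts arrive, status never updates).
    Assumption: agent-info files are named "<name>-<ip>"."""
    flagged = []
    for agent_id, name, ip, status in agents:
        if status.startswith("Never connected"):
            info_path = os.path.join(agent_info_dir, f"{name}-{ip}")
            if os.path.exists(info_path):
                flagged.append((agent_id, name, ip))
    return flagged

# Constructed sample: agent_control -l style output with one never-connected agent
SAMPLE_OUTPUT = """OSSEC HIDS agent_control. List of available agents:
   ID: 000, Name: ossec-server (server), IP: 127.0.0.1, Active/Local
   ID: 1367, Name: server000, IP: 10.0.0.10, Active
   ID: 1368, Name: server001, IP: 10.0.0.11, Never connected
"""

def demo():
    """Build a throwaway agent-info directory in which server001 does have a file."""
    with tempfile.TemporaryDirectory() as info_dir:
        open(os.path.join(info_dir, "server000-10.0.0.10"), "w").close()
        open(os.path.join(info_dir, "server001-10.0.0.11"), "w").close()
        return find_inconsistent(parse_agent_list(SAMPLE_OUTPUT), info_dir)

if __name__ == "__main__":
    for agent_id, name, ip in demo():
        print(f"agent {agent_id} ({name}, {ip}): 'Never connected' but agent-info file exists")
```

On a real server, replace SAMPLE_OUTPUT with the captured output of `agent_control -l` and point `find_inconsistent` at /var/ossec/queue/agent-info; each flagged agent is one whose status line cannot be trusted for "is this node down" decisions.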