On Wed, Apr 17, 2013 at 11:46 AM, Michiel van Es <vanesmich...@gmail.com> wrote:
>
>
> On Wednesday, April 17, 2013 17:08:48 UTC+2, dan (ddpbsd) wrote the following:
>>
>> On Wed, Apr 17, 2013 at 10:39 AM, Michiel van Es <vanesm...@gmail.com>
>> wrote:
>> >
>> >
>> > On Wednesday, April 17, 2013 15:44:03 UTC+2, Michiel van Es wrote the
>> > following:
>> >>
>> >>
>> >>
>> >> On Wednesday, April 17, 2013 15:19:38 UTC+2, dan (ddpbsd) wrote the
>> >> following:
>> >>>
>> >>> On Wed, Apr 17, 2013 at 6:27 AM, Michiel van Es <vanesm...@gmail.com>
>> >>> wrote:
>> >>> > Hello,
>> >>> >
>> >>> > We have installed OSSEC 2.7 on a CentOS machine which is working
>> >>> > fine with several Windows and Linux agents.
>> >>> > We are trying to install the OSSEC 2.7 agent package on a Windows
>> >>> > 2008 server which goes well but at the end, after the manual agent
>> >>> > config (ip and secret) and restarting of the service, we still see
>> >>> > that the agent is never connected:
>> >>> >
>> >>> > On the OSSEC server:
>> >>> >
>> >>> > ID: 1368, Name: server001, IP: x.x.x.x, Never connected
>> >>> >
>> >>>
>> >>> Is there any useful information in the ossec server's ossec.log (if I
>> >>> missed it I'm sorry)?
>> >>> If you start the ossec processes on the server in debug mode, do you
>> >>> receive log messages then?
>> >>> Is the syscheck db for the agent populated
>> >>> (/var/ossec/queue/syscheck/STUFF)?
>> >>> Any alerts based on log messages from the agent?
>> >>
>> >>
>> >> We see nothing in the server's ossec.log (we do see the ossec-authd
>> >> connection).
>>
>> The agent shouldn't be making multiple authd connections...
>>
>> >> We see UDP traffic on the server between server <==> agent
>> >> We don't have this issue with Windows 2003 and finally
>> >> we tried 2.6 and 2.7 and both don't work (they are logging on the agent
>> >> that everything is working fine but nothing on the server).
>> >
>> >
>> > Extra information with debugging logging on:
>> >
>> > (too much to paste here:)
>> > http://pastebin.com/hEyc9VLA
>> >
>>
>> Any luck on getting the debug info from the server? How about checking
>> the syscheck db? Alerts?
>
>
> no entry/file in /var/ossec/queue/syscheck.
> I was a little hesitant to turn on debugging on the server since more than
> 300 agents are connected..will do that in a controlled manner.
> I am seeing entries in /var/ossec/log/alerts/* so the connection is working
> the only problem is that the agent_control -l says it has never connected.
> This makes it difficult for us to see which nodes are down or not.
>
>>
>>
>> Does the agent have a file in /var/ossec/queue/agent-info? If so, try
>> stopping the ossec processes on the server, moving that file, and
>> starting the processes back up.
>
>
> Yes, the file exists.
> Moved and restarted but agent is still never connected.

Is the file recreated? What is in that file?

>>
>>
>> Try turning on the log all option on the server, and check for the
>> agent's logs in the archive.log file.
>
>
> Before I turn all kinds of logging can we pinpoint it to the agent_control
> check? Alerts are coming in and thus network connection and such are working
> fine.
>

Yes, it appears to be with the agent_control check.

>>
>>
>> >>
>> >> I will try the debug mode and if the syscheck db is populated.
>> >>>
>> >>>
>> >>>
>> >>> > On the agent in c:\program files(x86)\ossec-agent\ossec.log we see:
>> >>> >
>> >>> > 2013/04/17 11:17:16 ossec-agent(4102): INFO: Connected to the server (*server ip*:1514).
>> >>> > 2013/04/17 11:17:16 ossec-agent: INFO: System is Vista or Windows Server 2008.
>> >>> > 2013/04/17 11:17:16 ossec-agent(1951): INFO: Analyzing event log: 'Application'.
>> >>> > 2013/04/17 11:17:16 ossec-agent(1951): INFO: Analyzing event log: 'Security'.
>> >>> > 2013/04/17 11:17:17 ossec-agent(1951): INFO: Analyzing event log: 'System'.
>> >>> > 2013/04/17 11:17:17 ossec-agent: INFO: Started (pid: 6984).
>> >>> > 2013/04/17 11:18:15 ossec-agent: INFO: Starting syscheck scan (forwarding database).
>> >>> > 2013/04/17 11:18:15 ossec-agent: INFO: Starting syscheck database (pre-scan).
>> >>> >
>> >>> > This is strange, we checked the connection (connection can be made
>> >>> > to server udp 1514) but we don't see anything in the server's
>> >>> > logfile in /var/ossec/log/ossec.log
>> >>> >
>> >>> > Is there anything we can do to further investigate?
>> >>> > Service seems to be running fine and the OSSEC agent logfile shows
>> >>> > that nothing is broken but the server never sees the successful
>> >>> > connection.
>> >>> >
>> >>> > Michiel
>> >>> >
>> >>> > --
>> >>> >
>> >>> > ---
>> >>> > You received this message because you are subscribed to the Google
>> >>> > Groups
>> >>> > "ossec-list" group.
>> >>> > To unsubscribe from this group and stop receiving emails from it,
>> >>> > send
>> >>> > an
>> >>> > email to ossec-list+...@googlegroups.com.
>> >>> > For more options, visit https://groups.google.com/groups/opt_out.
>> >>> >
>> >>> >
>> >

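A small cross-check for the symptom discussed in this thread (alerts arriving while `agent_control -l` reports "Never connected"): it parses `agent_control -l` output in the format quoted above and flags agents whose file under `/var/ossec/queue/agent-info` was written recently anyway. This is an added example, not OSSEC's own code; it assumes the 2.x convention that agent-info files are named `<name>-<ip>`, and it runs against a constructed sample in a temporary directory rather than a live server.

```python
"""Cross-check 'agent_control -l' status against queue/agent-info (added example)."""
import os
import re
import tempfile
import time

# Line format as shown in the thread: "ID: 1368, Name: server001, IP: x.x.x.x, Never connected"
AGENT_LINE = re.compile(r"ID:\s*(\d+),\s*Name:\s*([^,\s]+),\s*IP:\s*([^,\s]+),\s*(.+)$")


def parse_agent_control(output):
    """Return (id, name, ip, status) tuples for every agent line in the output."""
    agents = []
    for line in output.splitlines():
        m = AGENT_LINE.search(line)
        if m:
            agents.append((m.group(1), m.group(2), m.group(3), m.group(4).strip()))
    return agents


def agent_info_age(agent_info_dir, name, ip):
    """Seconds since the agent's agent-info file was last written, or None if absent.
    Assumption: files are named <name>-<ip>, as in OSSEC 2.x."""
    path = os.path.join(agent_info_dir, f"{name}-{ip}")
    if not os.path.exists(path):
        return None
    return time.time() - os.path.getmtime(path)


def find_inconsistent(output, agent_info_dir, fresh_seconds=900):
    """Agents listed as 'Never connected' whose agent-info file is fresher than
    fresh_seconds: the server is clearly hearing from them, so the status is stale."""
    suspects = []
    for aid, name, ip, status in parse_agent_control(output):
        age = agent_info_age(agent_info_dir, name, ip)
        if status.startswith("Never connected") and age is not None and age < fresh_seconds:
            suspects.append((aid, name, ip, int(age)))
    return suspects


# Constructed sample: two agents, only server001 has a fresh agent-info file.
SAMPLE_OUTPUT = """\
ID: 1368, Name: server001, IP: x.x.x.x, Never connected
ID: 1369, Name: server002, IP: 10.0.0.2, Never connected
"""


def demo():
    """Build the constructed agent-info directory and run the check against it."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "server001-x.x.x.x"), "w") as fh:
        fh.write("constructed agent-info contents\n")
    return find_inconsistent(SAMPLE_OUTPUT, d)


if __name__ == "__main__":
    for aid, name, ip, age in demo():
        print(f"agent {aid} ({name}/{ip}): agent-info written {age}s ago but status is 'Never connected'")
```

On a real server, feed it `/var/ossec/bin/agent_control -l` output and `/var/ossec/queue/agent-info`; an agent it flags is reachable and should be investigated as a stale status record rather than a down host.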