I have searched through the listings and the internet and cannot seem to find a solution to this issue.
We have approximately 3200 computers (Windows 7) that we are trying to get configured with OSSEC. The agent is part of the image that we are rolling out to the machines. All the machines have been added to the server (Ubuntu 12.04.4 LTS, OSSEC server v. 2.8) via manage_agents.

I have written a script that runs via group policy that stops the ossec service, removes the client.keys and ossec.conf files from the machine, then copies over a new ossec.conf and client.keys file with the correct information (server IP and client key) and restarts the ossec service.

If the Windows client (v 2.8) is installed clean, it connects to the server and communicates properly. If it is done via the group policy (utilizing the exact same information), the following occurs (pulled from a log file on a clean machine):

2014/10/12 04:16:13 ossec-agent: Using notify time: 600 and max time to reconnect: 1800
2014/10/12 04:16:13 ossec-execd(1350): INFO: Active response disabled. Exiting.
2014/10/12 04:16:13 ossec-agent(1410): INFO: Reading authentication keys file.
2014/10/12 04:16:13 ossec-agent: INFO: No previous counter available for 'FRI-COMPUTER1'.
2014/10/12 04:16:13 ossec-agent: INFO: Assigning counter for agent FRI-COMPUTER1: '0:0'.
2014/10/12 04:16:13 ossec-agent: INFO: Assigning sender counter: 0:179
2014/10/12 04:16:13 ossec-agent: INFO: Trying to connect to server (10.50.3.4:1514).
2014/10/12 04:16:13 ossec-agent: INFO: Using IPv4 for: 10.50.3.4 .
2014/10/12 04:16:13 ossec-agent: Starting syscheckd thread.
2014/10/12 04:16:13 ossec-rootcheck: INFO: Started (pid: 6800).
2014/10/12 04:16:13 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\batfile'.
2014/10/12 04:16:13 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\cmdfile'.
2014/10/12 04:16:13 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\comfile'.
2014/10/12 04:16:13 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\exefile'.
2014/10/12 04:16:13 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\piffile'.
2014/10/12 04:16:13 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects'.
2014/10/12 04:16:13 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\Directory'.
2014/10/12 04:16:13 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\Folder'.
2014/10/12 04:16:13 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\Protocols'.
2014/10/12 04:16:13 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Policies'.
2014/10/12 04:16:13 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Security'.
2014/10/12 04:16:13 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer'.
2014/10/12 04:16:13 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services'.
2014/10/12 04:16:13 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs'.
2014/10/12 04:16:13 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg'.
2014/10/12 04:16:13 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run'.
2014/10/12 04:16:13 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce'.
2014/10/12 04:16:13 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx'.
2014/10/12 04:16:13 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL'.
2014/10/12 04:16:13 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies'.
2014/10/12 04:16:13 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows'.
2014/10/12 04:16:14 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'.
2014/10/12 04:16:14 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components'.
2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory: 'C:\Windows/win.ini'.
2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory: 'C:\Windows/system.ini'.
2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory: 'C:\autoexec.bat'.
2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory: 'C:\config.sys'.
2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory: 'C:\boot.ini'.
2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/CONFIG.NT'.
2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/AUTOEXEC.NT'.
2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/at.exe'.
2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/attrib.exe'.
2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/cacls.exe'.
2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/debug.exe'.
2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/drwatson.exe'.
2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/drwtsn32.exe'.
2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/edlin.exe'.
2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/eventcreate.exe'.
2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/eventtriggers.exe'.
2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/ftp.exe'.
2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/net.exe'.
2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/net1.exe'.
2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/netsh.exe'.
2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/rcp.exe'.
2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/reg.exe'.
2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory: 'C:\Windows/regedit.exe'.
2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/regedt32.exe'.
2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/regsvr32.exe'.
2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/rexec.exe'.
2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/rsh.exe'.
2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/runas.exe'.
2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/sc.exe'.
2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/subst.exe'.
2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/telnet.exe'.
2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/tftp.exe'.
2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/tlntsvr.exe'.
2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/drivers/etc'.
2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory: 'C:\Documents and Settings/All Users/Start Menu/Programs/Startup'.
2014/10/12 04:16:14 ossec-agent: INFO: Started (pid: 6800).
2014/10/12 04:16:24 ossec-agent: WARN: Process locked. Waiting for permission...
2014/10/12 04:16:34 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '10.50.3.4'.
2014/10/12 04:16:36 ossec-agent: INFO: Trying to connect to server (10.50.3.4:1514).
2014/10/12 04:16:36 ossec-agent: INFO: Using IPv4 for: 10.50.3.4 .
2014/10/12 04:16:58 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '10.50.3.4'.
2014/10/12 04:17:18 ossec-agent: INFO: Trying to connect to server (10.50.3.4:1514).
2014/10/12 04:17:18 ossec-agent: INFO: Using IPv4 for: 10.50.3.4 .
2014/10/12 04:17:39 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '10.50.3.4'.
2014/10/12 04:18:17 ossec-agent: INFO: Trying to connect to server (10.50.3.4:1514).
2014/10/12 04:18:17 ossec-agent: INFO: Using IPv4 for: 10.50.3.4 .
2014/10/12 04:18:38 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '10.50.3.4'.
2014/10/12 04:19:34 ossec-agent: INFO: Trying to connect to server (10.50.3.4:1514).
2014/10/12 04:19:34 ossec-agent: INFO: Using IPv4 for: 10.50.3.4 .
2014/10/12 04:19:55 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '10.50.3.4'.
2014/10/12 04:21:09 ossec-agent: INFO: Trying to connect to server (10.50.3.4:1514).
2014/10/12 04:21:09 ossec-agent: INFO: Using IPv4 for: 10.50.3.4 .
2014/10/12 04:21:30 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '10.50.3.4'.
2014/10/12 04:23:02 ossec-agent: INFO: Trying to connect to server (10.50.3.4:1514).
2014/10/12 04:23:02 ossec-agent: INFO: Using IPv4 for: 10.50.3.4 .
2014/10/12 04:23:23 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '10.50.3.4'.
2014/10/12 04:25:13 ossec-agent: INFO: Trying to connect to server (10.50.3.4:1514).
2014/10/12 04:25:13 ossec-agent: INFO: Using IPv4 for: 10.50.3.4 .
2014/10/12 04:25:34 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '10.50.3.4'.
2014/10/12 04:27:42 ossec-agent: INFO: Trying to connect to server (10.50.3.4:1514).
2014/10/12 04:27:42 ossec-agent: INFO: Using IPv4 for: 10.50.3.4 .
2014/10/12 04:28:03 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '10.50.3.4'.
2014/10/12 04:30:29 ossec-agent: INFO: Trying to connect to server (10.50.3.4:1514).
2014/10/12 04:30:30 ossec-agent: INFO: Using IPv4 for: 10.50.3.4 .
2014/10/12 04:30:51 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '10.50.3.4'.

I have verified that the information contained in the ossec.conf and client.keys files that were copied over to the local machine is correct. Can anyone tell me why this is occurring and how to fix it? Please?

Thank you for all your help,
David
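
For triaging agent logs like the one in this message across many machines, the following added example (not part of the original post) pairs each connection attempt with the 4101 warning that follows it and reports whether every attempt went unanswered. The sample lines are copied from the log above; the function name `summarize_agent_log` and the "stuck" criterion are assumptions of this example.

```python
import re
from datetime import datetime

# Connection-related lines copied from the agent log in the post above.
SAMPLE_LOG = """\
2014/10/12 04:16:13 ossec-agent: INFO: Trying to connect to server (10.50.3.4:1514).
2014/10/12 04:16:13 ossec-agent: INFO: Using IPv4 for: 10.50.3.4 .
2014/10/12 04:16:24 ossec-agent: WARN: Process locked. Waiting for permission...
2014/10/12 04:16:34 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '10.50.3.4'.
2014/10/12 04:16:36 ossec-agent: INFO: Trying to connect to server (10.50.3.4:1514).
2014/10/12 04:16:58 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '10.50.3.4'.
2014/10/12 04:17:18 ossec-agent: INFO: Trying to connect to server (10.50.3.4:1514).
2014/10/12 04:17:39 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '10.50.3.4'.
"""

# Fields: timestamp, daemon name, optional numeric message code, message text.
LINE = re.compile(r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) (\S+?)(?:\((\d+)\))?: (.*)$")
ATTEMPT = re.compile(r"Trying to connect to server \(([^)]+)\)")

def summarize_agent_log(text):
    """Count connection attempts and the 4101 'waiting for server reply' warnings."""
    servers, waits, attempts, pending = set(), [], 0, None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank or wrapped line
        ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
        code, msg = m.group(3), m.group(4)
        hit = ATTEMPT.search(msg)
        if hit:
            attempts += 1
            servers.add(hit.group(1))
            pending = ts  # remember when this attempt started
        elif code == "4101" and pending is not None:
            # Seconds the agent waited before giving up on this attempt.
            waits.append(int((ts - pending).total_seconds()))
            pending = None
    return {
        "servers": sorted(servers),
        "attempts": attempts,
        "unanswered": len(waits),
        "wait_seconds": waits,
        # Assumption of this example: "stuck" means every attempt ended in a 4101.
        "stuck": attempts > 0 and len(waits) == attempts,
    }

if __name__ == "__main__":
    print(summarize_agent_log(SAMPLE_LOG))
```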
