Yes, each agent key is unique, appears to be coming from the correct IP address.
Error message from log:
2014/10/13 10:15:56 ossec-remoted(1403): ERROR: Incorrectly formated message from 'any'.
2014/10/13 10:16:02 ossec-remoted(1403): ERROR: Incorrectly formated message from 'any'.
2014/10/13 10:16:06 ossec-remoted(1403): ERROR: Incorrectly formated message from 'any'.
2014/10/13 10:16:11 ossec-remoted(1403): ERROR: Incorrectly formated message from 'any'.
2014/10/13 10:16:17 ossec-remoted(1403): ERROR: Incorrectly formated message from 'any'.

On Sunday, October 12, 2014 5:36:07 AM UTC-5, dan (ddpbsd) wrote:
>
>
> On Oct 12, 2014 6:28 AM, "David Masters" <dmas...@24-7intouch.com> wrote:
> >
> > I have searched through the listings and the internet and cannot seem to find a solution to this issue.
> >
> > We have approximately 3200 computers (Windows 7) that we are trying to get configured with OSSEC.  The agent is part of the image that we are rolling out to the machines.  All the machines have been added to the server (Ubuntu 12.04.4 LTS, OSSEC server v. 2.8) via manage_agents.  I have written a script that runs via group policy that stops the ossec service, removes the client.keys and ossec.conf files from the machine, then copies over a new ossec.conf and client.keys file with the correct information (server IP and client key) and restarts the ossec service.  If the Windows client (v 2.8) is installed clean, it connects to the server and communicates properly.  If it is done via the group policy (utilizing the exact same information), the following occurs (pulled from a log file on a clean machine):
> >
>
> Have you checked the ossec.log on the manager? 
> Is each agent key unique?
> Are the packets making it to the manager? 
> So they appear to be coming from the correct ip address?
> Is the manager responding?
> Are the responses making it to the agent?
>
> > 2014/10/12 04:16:13 ossec-agent: Using notify time: 600 and max time to 
> reconnect: 1800
> >
> > 2014/10/12 04:16:13 ossec-execd(1350): INFO: Active response disabled. 
> Exiting.
> >
> > 2014/10/12 04:16:13 ossec-agent(1410): INFO: Reading authentication keys 
> file.
> >
> > 2014/10/12 04:16:13 ossec-agent: INFO: No previous counter available for 
> 'FRI-COMPUTER1'.
> >
> > 2014/10/12 04:16:13 ossec-agent: INFO: Assigning counter for agent 
> FRI-COMPUTER1: '0:0'.
> >
> > 2014/10/12 04:16:13 ossec-agent: INFO: Assigning sender counter: 0:179
> >
> > 2014/10/12 04:16:13 ossec-agent: INFO: Trying to connect to server (
> 10.50.3.4:1514).
> >
> > 2014/10/12 04:16:13 ossec-agent: INFO: Using IPv4 for: 10.50.3.4 .
> >
> > 2014/10/12 04:16:13 ossec-agent: Starting syscheckd thread.
> >
> > 2014/10/12 04:16:13 ossec-rootcheck: INFO: Started (pid: 6800).
> >
> > 2014/10/12 04:16:13 ossec-agent: INFO: Monitoring registry entry: 
> 'HKEY_LOCAL_MACHINE\Software\Classes\batfile'.
> >
> > 2014/10/12 04:16:13 ossec-agent: INFO: Monitoring registry entry: 
> 'HKEY_LOCAL_MACHINE\Software\Classes\cmdfile'.
> >
> > 2014/10/12 04:16:13 ossec-agent: INFO: Monitoring registry entry: 
> 'HKEY_LOCAL_MACHINE\Software\Classes\comfile'.
> >
> > 2014/10/12 04:16:13 ossec-agent: INFO: Monitoring registry entry: 
> 'HKEY_LOCAL_MACHINE\Software\Classes\exefile'.
> >
> > 2014/10/12 04:16:13 ossec-agent: INFO: Monitoring registry entry: 
> 'HKEY_LOCAL_MACHINE\Software\Classes\piffile'.
> >
> > 2014/10/12 04:16:13 ossec-agent: INFO: Monitoring registry entry: 
> 'HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects'.
> >
> > 2014/10/12 04:16:13 ossec-agent: INFO: Monitoring registry entry: 
> 'HKEY_LOCAL_MACHINE\Software\Classes\Directory'.
> >
> > 2014/10/12 04:16:13 ossec-agent: INFO: Monitoring registry entry: 
> 'HKEY_LOCAL_MACHINE\Software\Classes\Folder'.
> >
> > 2014/10/12 04:16:13 ossec-agent: INFO: Monitoring registry entry: 
> 'HKEY_LOCAL_MACHINE\Software\Classes\Protocols'.
> >
> > 2014/10/12 04:16:13 ossec-agent: INFO: Monitoring registry entry: 
> 'HKEY_LOCAL_MACHINE\Software\Policies'.
> >
> > 2014/10/12 04:16:13 ossec-agent: INFO: Monitoring registry entry: 
> 'HKEY_LOCAL_MACHINE\Security'.
> >
> > 2014/10/12 04:16:13 ossec-agent: INFO: Monitoring registry entry: 
> 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer'.
> >
> > 2014/10/12 04:16:13 ossec-agent: INFO: Monitoring registry entry: 
> 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services'.
> >
> > 2014/10/12 04:16:13 ossec-agent: INFO: Monitoring registry entry: 
> 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session 
> Manager\KnownDLLs'.
> >
> > 2014/10/12 04:16:13 ossec-agent: INFO: Monitoring registry entry: 
> 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg'.
> >
> > 2014/10/12 04:16:13 ossec-agent: INFO: Monitoring registry entry: 
> 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run'.
> >
> > 2014/10/12 04:16:13 ossec-agent: INFO: Monitoring registry entry: 
> 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce'.
> >
> > 2014/10/12 04:16:13 ossec-agent: INFO: Monitoring registry entry: 
> 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx'.
> >
> > 2014/10/12 04:16:13 ossec-agent: INFO: Monitoring registry entry: 
> 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL'.
> >
> > 2014/10/12 04:16:13 ossec-agent: INFO: Monitoring registry entry: 
> 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies'.
> >
> > 2014/10/12 04:16:13 ossec-agent: INFO: Monitoring registry entry: 
> 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows'.
> >
> > 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring registry entry: 
> 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'.
> >
> > 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring registry entry: 
> 'HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components'.
> >
> > 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory: 
> 'C:\Windows/win.ini'.
> >
> > 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory: 
> 'C:\Windows/system.ini'.
> >
> > 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory: 
> 'C:\autoexec.bat'.
> >
> > 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory: 
> 'C:\config.sys'.
> >
> > 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory: 
> 'C:\boot.ini'.
> >
> > 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory: 
> 'C:\Windows/System32/CONFIG.NT'.
> >
> > 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory: 
> 'C:\Windows/System32/AUTOEXEC.NT'.
> >
> > 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory: 
> 'C:\Windows/System32/at.exe'.
> >
> > 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory: 
> 'C:\Windows/System32/attrib.exe'.
> >
> > 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory: 
> 'C:\Windows/System32/cacls.exe'.
> >
> > 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory: 
> 'C:\Windows/System32/debug.exe'.
> >
> > 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory: 
> 'C:\Windows/System32/drwatson.exe'.
> >
> > 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory: 
> 'C:\Windows/System32/drwtsn32.exe'.
> >
> > 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory: 
> 'C:\Windows/System32/edlin.exe'.
> >
> > 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory: 
> 'C:\Windows/System32/eventcreate.exe'.
> >
> > 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory: 
> 'C:\Windows/System32/eventtriggers.exe'.
> >
> > 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory: 
> 'C:\Windows/System32/ftp.exe'.
> >
> > 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory: 
> 'C:\Windows/System32/net.exe'.
> >
> > 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory: 
> 'C:\Windows/System32/net1.exe'.
> >
> > 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory: 
> 'C:\Windows/System32/netsh.exe'.
> >
> > 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory: 
> 'C:\Windows/System32/rcp.exe'.
> >
> > 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory: 
> 'C:\Windows/System32/reg.exe'.
> >
> > 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory: 
> 'C:\Windows/regedit.exe'.
> >
> > 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory: 
> 'C:\Windows/System32/regedt32.exe'.
> >
> > 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory: 
> 'C:\Windows/System32/regsvr32.exe'.
> >
> > 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory: 
> 'C:\Windows/System32/rexec.exe'.
> >
> > 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory: 
> 'C:\Windows/System32/rsh.exe'.
> >
> > 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory: 
> 'C:\Windows/System32/runas.exe'.
> >
> > 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory: 
> 'C:\Windows/System32/sc.exe'.
> >
> > 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory: 
> 'C:\Windows/System32/subst.exe'.
> >
> > 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory: 
> 'C:\Windows/System32/telnet.exe'.
> >
> > 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory: 
> 'C:\Windows/System32/tftp.exe'.
> >
> > 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory: 
> 'C:\Windows/System32/tlntsvr.exe'.
> >
> > 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory: 
> 'C:\Windows/System32/drivers/etc'.
> >
> > 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory: 
> 'C:\Documents and Settings/All Users/Start Menu/Programs/Startup'.
> >
> > 2014/10/12 04:16:14 ossec-agent: INFO: Started (pid: 6800).
> >
> > 2014/10/12 04:16:24 ossec-agent: WARN: Process locked. Waiting for 
> permission...
> >
> > 2014/10/12 04:16:34 ossec-agent(4101): WARN: Waiting for server reply 
> (not started). Tried: '10.50.3.4'.
> >
> > 2014/10/12 04:16:36 ossec-agent: INFO: Trying to connect to server (
> 10.50.3.4:1514).
> >
> > 2014/10/12 04:16:36 ossec-agent: INFO: Using IPv4 for: 10.50.3.4 .
> >
> > 2014/10/12 04:16:58 ossec-agent(4101): WARN: Waiting for server reply 
> (not started). Tried: '10.50.3.4'.
> >
> > 2014/10/12 04:17:18 ossec-agent: INFO: Trying to connect to server (
> 10.50.3.4:1514).
> >
> > 2014/10/12 04:17:18 ossec-agent: INFO: Using IPv4 for: 10.50.3.4 .
> >
> > 2014/10/12 04:17:39 ossec-agent(4101): WARN: Waiting for server reply 
> (not started). Tried: '10.50.3.4'.
> >
> > 2014/10/12 04:18:17 ossec-agent: INFO: Trying to connect to server (
> 10.50.3.4:1514).
> >
> > 2014/10/12 04:18:17 ossec-agent: INFO: Using IPv4 for: 10.50.3.4 .
> >
> > 2014/10/12 04:18:38 ossec-agent(4101): WARN: Waiting for server reply 
> (not started). Tried: '10.50.3.4'.
> >
> > 2014/10/12 04:19:34 ossec-agent: INFO: Trying to connect to server (
> 10.50.3.4:1514).
> >
> > 2014/10/12 04:19:34 ossec-agent: INFO: Using IPv4 for: 10.50.3.4 .
> >
> > 2014/10/12 04:19:55 ossec-agent(4101): WARN: Waiting for server reply 
> (not started). Tried: '10.50.3.4'.
> >
> > 2014/10/12 04:21:09 ossec-agent: INFO: Trying to connect to server (
> 10.50.3.4:1514).
> >
> > 2014/10/12 04:21:09 ossec-agent: INFO: Using IPv4 for: 10.50.3.4 .
> >
> > 2014/10/12 04:21:30 ossec-agent(4101): WARN: Waiting for server reply 
> (not started). Tried: '10.50.3.4'.
> >
> > 2014/10/12 04:23:02 ossec-agent: INFO: Trying to connect to server (
> 10.50.3.4:1514).
> >
> > 2014/10/12 04:23:02 ossec-agent: INFO: Using IPv4 for: 10.50.3.4 .
> >
> > 2014/10/12 04:23:23 ossec-agent(4101): WARN: Waiting for server reply 
> (not started). Tried: '10.50.3.4'.
> >
> > 2014/10/12 04:25:13 ossec-agent: INFO: Trying to connect to server (
> 10.50.3.4:1514).
> >
> > 2014/10/12 04:25:13 ossec-agent: INFO: Using IPv4 for: 10.50.3.4 .
> >
> > 2014/10/12 04:25:34 ossec-agent(4101): WARN: Waiting for server reply 
> (not started). Tried: '10.50.3.4'.
> >
> > 2014/10/12 04:27:42 ossec-agent: INFO: Trying to connect to server (
> 10.50.3.4:1514).
> >
> > 2014/10/12 04:27:42 ossec-agent: INFO: Using IPv4 for: 10.50.3.4 .
> >
> > 2014/10/12 04:28:03 ossec-agent(4101): WARN: Waiting for server reply 
> (not started). Tried: '10.50.3.4'.
> >
> > 2014/10/12 04:30:29 ossec-agent: INFO: Trying to connect to server (
> 10.50.3.4:1514).
> >
> > 2014/10/12 04:30:30 ossec-agent: INFO: Using IPv4 for: 10.50.3.4 .
> >
> > 2014/10/12 04:30:51 ossec-agent(4101): WARN: Waiting for server reply 
> (not started). Tried: '10.50.3.4'.
> >
> >
> >
> > I have verified that the information contained in the ossec.conf and 
> client.keys files that were copied over to the local machine is correct.  
> >
> > Can anyone tell me why this is occurring and how to fix it?  Please?
> >
> > Thank you for all your help,
> > David
> >
> > -- 
> >
> > --- 
> > You received this message because you are subscribed to the Google 
> Groups "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+...@googlegroups.com.
> > For more options, visit https://groups.google.com/d/optout.
>  

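An offline check for two of the points raised in the thread ("Is each agent key unique?" and whether the client.keys copied to an agent really matches what the manager holds), added here as an example; it is not part of either poster's message and not OSSEC code. It assumes the one-entry-per-line `ID NAME IP KEY` layout of client.keys and a single entry in each agent's file; the function names, FRI-COMPUTER2 and the key values are constructed placeholders.

```python
import collections

def parse_keys(raw: bytes) -> dict:
    """Parse client.keys bytes into {agent_id: (name, ip, key)}; ValueError on damage."""
    if raw.startswith((b"\xef\xbb\xbf", b"\xff\xfe", b"\xfe\xff")) or b"\x00" in raw:
        raise ValueError("BOM or NUL bytes present; file is not plain ASCII")
    entries = {}
    for n, line in enumerate(raw.decode("ascii").splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(" ")
        if len(fields) != 4 or not all(fields):
            raise ValueError(f"line {n}: expected 'ID NAME IP KEY'")
        if fields[0] in entries:
            raise ValueError(f"line {n}: duplicate agent id {fields[0]}")
        entries[fields[0]] = tuple(fields[1:])
    return entries

def check_agent_file(manager: dict, agent_raw: bytes) -> list:
    """Return the problems found in one agent's deployed client.keys."""
    try:
        agent = parse_keys(agent_raw)
    except ValueError as exc:  # includes UnicodeDecodeError for non-ASCII bytes
        return [str(exc)]
    problems = []
    if len(agent) != 1:
        problems.append(f"agent file holds {len(agent)} entries, expected 1")
    for agent_id, entry in agent.items():
        if manager.get(agent_id) != entry:
            problems.append(f"entry {agent_id} differs from the manager's copy")
    return problems

def shared_keys(manager: dict) -> list:
    """Lists of agent ids that share one key; empty when every key is unique."""
    by_key = collections.defaultdict(list)
    for agent_id, entry in manager.items():
        by_key[entry[2]].append(agent_id)
    return sorted(ids for ids in by_key.values() if len(ids) > 1)

# Constructed sample data: placeholder keys, not real OSSEC keys.
MANAGER_RAW = (b"001 FRI-COMPUTER1 any " + b"a" * 64 + b"\n"
               b"002 FRI-COMPUTER2 any " + b"b" * 64 + b"\n")
GOOD = b"001 FRI-COMPUTER1 any " + b"a" * 64 + b"\r\n"
UTF16 = GOOD.decode("ascii").encode("utf-16")  # same text, re-encoded with a BOM

if __name__ == "__main__":
    manager = parse_keys(MANAGER_RAW)
    print(shared_keys(manager), check_agent_file(manager, GOOD),
          check_agent_file(manager, UTF16))
```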