Just note that there is no magic here - it does not work because your automated way does not 100% replicate the manual way (how to add an agent / the client.keys / the ossec.conf / the agent installation...). My guess is that the key file is not created correctly, preventing the client and server from communicating. I suggest you verify it with a text editor that displays all special characters, or with a diff program.
I also suggest breaking the troubleshooting into pieces - automating the first phase (for example, agent installation) and continuing manually, then progressing until 100% of the process is automated.

On Sunday, October 12, 2014 2:34:03 AM UTC-7, David Masters wrote:
>
> I have searched through the listings and the internet and cannot seem to find a solution to this issue.
>
> We have approximately 3200 computers (Windows 7) that we are trying to get configured with OSSEC. The agent is part of the image that we are rolling out to the machines. All the machines have been added to the server (Ubuntu 12.04.4 LTS, OSSEC server v. 2.8) via manage_agents. I have written a script that runs via group policy that stops the ossec service, removes the client.keys and ossec.conf files from the machine, then copies over a new ossec.conf and client.keys file with the correct information (server IP and client key) and restarts the ossec service. If the Windows client (v 2.8) is installed clean, it connects to the server and communicates properly. If it is done via the group policy (utilizing the exact same information), the following occurs (pulled from a log file on a clean machine):
>
> 2014/10/12 04:16:13 ossec-agent: Using notify time: 600 and max time to reconnect: 1800
> 2014/10/12 04:16:13 ossec-execd(1350): INFO: Active response disabled. Exiting.
> 2014/10/12 04:16:13 ossec-agent(1410): INFO: Reading authentication keys file.
> 2014/10/12 04:16:13 ossec-agent: INFO: No previous counter available for 'FRI-COMPUTER1'.
> 2014/10/12 04:16:13 ossec-agent: INFO: Assigning counter for agent FRI-COMPUTER1: '0:0'.
> 2014/10/12 04:16:13 ossec-agent: INFO: Assigning sender counter: 0:179
> 2014/10/12 04:16:13 ossec-agent: INFO: Trying to connect to server ( 10.50.3.4:1514).
> 2014/10/12 04:16:13 ossec-agent: INFO: Using IPv4 for: 10.50.3.4 .
> 2014/10/12 04:16:13 ossec-agent: Starting syscheckd thread.
> 2014/10/12 04:16:13 ossec-rootcheck: INFO: Started (pid: 6800).
> 2014/10/12 04:16:13 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\batfile'.
> 2014/10/12 04:16:13 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\cmdfile'.
> 2014/10/12 04:16:13 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\comfile'.
> 2014/10/12 04:16:13 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\exefile'.
> 2014/10/12 04:16:13 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\piffile'.
> 2014/10/12 04:16:13 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects'.
> 2014/10/12 04:16:13 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\Directory'.
> 2014/10/12 04:16:13 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\Folder'.
> 2014/10/12 04:16:13 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\Protocols'.
> 2014/10/12 04:16:13 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Policies'.
> 2014/10/12 04:16:13 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Security'.
> 2014/10/12 04:16:13 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer'.
> 2014/10/12 04:16:13 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services'.
> 2014/10/12 04:16:13 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs'.
> 2014/10/12 04:16:13 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg'.
> 2014/10/12 04:16:13 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run'.
> 2014/10/12 04:16:13 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce'.
> 2014/10/12 04:16:13 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx'.
> 2014/10/12 04:16:13 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL'.
> 2014/10/12 04:16:13 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies'.
> 2014/10/12 04:16:13 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows'.
> 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'.
> 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components'.
> 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory: 'C:\Windows/win.ini'.
> 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory: 'C:\Windows/system.ini'.
> 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory: 'C:\autoexec.bat'.
> 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory: 'C:\config.sys'.
> 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory: 'C:\boot.ini'.
> 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/CONFIG.NT'.
> 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/AUTOEXEC.NT'.
> 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/at.exe'.
> 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/attrib.exe'.
> 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/cacls.exe'.
> 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/debug.exe'.
> 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/drwatson.exe'.
> 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/drwtsn32.exe'.
> 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/edlin.exe'.
> 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/eventcreate.exe'.
> 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/eventtriggers.exe'.
> 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/ftp.exe'.
> 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/net.exe'.
> 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/net1.exe'.
> 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/netsh.exe'.
> 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/rcp.exe'.
> 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/reg.exe'.
> 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory: 'C:\Windows/regedit.exe'.
> 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/regedt32.exe'.
> 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/regsvr32.exe'.
> 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/rexec.exe'.
> 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/rsh.exe'.
> 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/runas.exe'.
> 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/sc.exe'.
> 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/subst.exe'.
> 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/telnet.exe'.
> 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/tftp.exe'.
> 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/tlntsvr.exe'.
> 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/drivers/etc'.
> 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory: 'C:\Documents and Settings/All Users/Start Menu/Programs/Startup'.
> 2014/10/12 04:16:14 ossec-agent: INFO: Started (pid: 6800).
> 2014/10/12 04:16:24 ossec-agent: WARN: Process locked. Waiting for permission...
> 2014/10/12 04:16:34 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '10.50.3.4'.
> 2014/10/12 04:16:36 ossec-agent: INFO: Trying to connect to server ( 10.50.3.4:1514).
> 2014/10/12 04:16:36 ossec-agent: INFO: Using IPv4 for: 10.50.3.4 .
> 2014/10/12 04:16:58 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '10.50.3.4'.
> 2014/10/12 04:17:18 ossec-agent: INFO: Trying to connect to server ( 10.50.3.4:1514).
> 2014/10/12 04:17:18 ossec-agent: INFO: Using IPv4 for: 10.50.3.4 .
> 2014/10/12 04:17:39 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '10.50.3.4'.
> 2014/10/12 04:18:17 ossec-agent: INFO: Trying to connect to server ( 10.50.3.4:1514).
> 2014/10/12 04:18:17 ossec-agent: INFO: Using IPv4 for: 10.50.3.4 .
> 2014/10/12 04:18:38 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '10.50.3.4'.
> 2014/10/12 04:19:34 ossec-agent: INFO: Trying to connect to server ( 10.50.3.4:1514).
> 2014/10/12 04:19:34 ossec-agent: INFO: Using IPv4 for: 10.50.3.4 .
> 2014/10/12 04:19:55 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '10.50.3.4'.
> 2014/10/12 04:21:09 ossec-agent: INFO: Trying to connect to server ( 10.50.3.4:1514).
> 2014/10/12 04:21:09 ossec-agent: INFO: Using IPv4 for: 10.50.3.4 .
> 2014/10/12 04:21:30 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '10.50.3.4'.
> 2014/10/12 04:23:02 ossec-agent: INFO: Trying to connect to server ( 10.50.3.4:1514).
> 2014/10/12 04:23:02 ossec-agent: INFO: Using IPv4 for: 10.50.3.4 .
> 2014/10/12 04:23:23 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '10.50.3.4'.
> 2014/10/12 04:25:13 ossec-agent: INFO: Trying to connect to server ( 10.50.3.4:1514).
> 2014/10/12 04:25:13 ossec-agent: INFO: Using IPv4 for: 10.50.3.4 .
> 2014/10/12 04:25:34 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '10.50.3.4'.
> 2014/10/12 04:27:42 ossec-agent: INFO: Trying to connect to server ( 10.50.3.4:1514).
> 2014/10/12 04:27:42 ossec-agent: INFO: Using IPv4 for: 10.50.3.4 .
> 2014/10/12 04:28:03 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '10.50.3.4'.
> 2014/10/12 04:30:29 ossec-agent: INFO: Trying to connect to server ( 10.50.3.4:1514).
> 2014/10/12 04:30:30 ossec-agent: INFO: Using IPv4 for: 10.50.3.4 .
> 2014/10/12 04:30:51 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '10.50.3.4'.
>
> I have verified that the information contained in the ossec.conf and client.keys files that were copied over to the local machine is correct.
>
> Can anyone tell me why this is occurring and how to fix it? Please?
>
> Thank you for all your help,
> David
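
The check suggested in the reply above (looking at client.keys for differences a normal editor hides), as an added example that is not part of the original thread or of OSSEC itself. It assumes the usual client.keys layout of one agent per line with four space-separated fields (ID, name, IP, key); the sample entries are constructed, and a finding is a difference to compare against a known-good file, not a confirmed cause.

```python
import re

# Byte-order marks that Windows tools commonly prepend when rewriting a text file.
BOMS = {b"\xef\xbb\xbf": "UTF-8 BOM", b"\xff\xfe": "UTF-16 LE BOM", b"\xfe\xff": "UTF-16 BE BOM"}
# Assumed client.keys layout: "<id> <name> <ip> <key>", one agent per line.
ENTRY = re.compile(rb"^\d+ \S+ \S+ \S+$")


def audit_keys(data: bytes) -> list:
    """Return a list of findings for the raw bytes of a client.keys file."""
    findings = []
    for bom, name in BOMS.items():
        if data.startswith(bom):
            findings.append(f"file starts with {name}")
            data = data[len(bom):]
            break
    if b"\x00" in data:
        findings.append("NUL bytes present (file is probably UTF-16, not ASCII)")
        return findings
    if b"\r" in data:
        findings.append("carriage returns present (CRLF line endings)")
    for n, line in enumerate(data.split(b"\n"), 1):
        line = line.rstrip(b"\r")
        if not line:
            continue
        if line != line.strip():
            findings.append(f"line {n}: leading or trailing whitespace")
        if any(b < 0x20 or b > 0x7e for b in line):
            findings.append(f"line {n}: non-printable or non-ASCII byte")
        if not ENTRY.match(line.strip()):
            findings.append(f"line {n}: expected 4 space-separated fields")
    return findings


def first_difference(a: bytes, b: bytes):
    """Offset of the first differing byte between two files, or None if identical."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return None if len(a) == len(b) else min(len(a), len(b))


# Constructed samples: a placeholder entry as a clean install might write it,
# and the same entry as a script that re-encodes the file might leave it.
GOOD = b"001 FRI-COMPUTER1 any 0123456789abcdef0123456789abcdef\n"
SCRIPTED = b"\xef\xbb\xbf" + GOOD.replace(b"\n", b" \r\n")

if __name__ == "__main__":
    print(audit_keys(GOOD), audit_keys(SCRIPTED), first_difference(GOOD, SCRIPTED), sep="\n")
```

Read both the file written by a clean install and the file written by the group-policy script in binary mode (`open(path, "rb").read()`) and compare the findings.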