That file is definitely required, though I am not sure it has anything to
do with the agent connecting in.

You showed earlier connections on port 1514 from the devices in question,
right?

Does the ossec.log note any issues with those devices?

For what it is worth, here is a sender_counter file from an active working
lab install:


silly-lab-box:/var/ossec/queue/rids# pwd
/var/ossec/queue/rids

silly-lab-box:/var/ossec/queue/rids# date
Fri Oct 17 19:06:38 UTC 2014

silly-lab-box:/var/ossec/queue/rids# ls -lahrt
total 28K
drwxrwx--- 11 ossec  ossec 4.0K Dec  7  2013 ..
drwxrwx---  2 ossec  ossec 4.0K Sep 23 18:26 .
-rw-r--r--  1 ossecr ossec    8 Oct 17 15:19 4
-rwxrwx---  1 ossec  ossec    8 Oct 17 19:03 3
-rwxrwx---  1 ossec  ossec   16 Oct 17 19:06 sender_counter
-rwxrwx---  1 ossec  ossec   10 Oct 17 19:06 2
-rwxrwx---  1 ossec  ossec   10 Oct 17 19:06 001

silly-lab-box:/var/ossec/queue/rids# more sender_counter
81:5072:70:4350:

Grant Leonard
Castra Consulting, LLC <http://castraconsulting.com/#/>
919-949-4002

On Fri, Oct 17, 2014 at 2:52 PM, David Masters <dmast...@24-7intouch.com>
wrote:

> I got most everything to work except at one site.  After looking through
> everything on that server, I noticed that the sender_counter file is
> missing from rids directory.  I know that keeps track/count of
> something...could that be what's causing some of my agents to not be able
> to connect?
>
> On Sunday, October 12, 2014 4:34:03 AM UTC-5, David Masters wrote:
>>
>> I have searched through the listings and the internet and cannot seem to
>> find a solution to this issue.
>>
>> We have approximately 3200 computers (Windows 7) that we are trying to
>> get configured with OSSEC.  The agent is part of the image that we are
>> rolling out to the machines.  All the machines have been added to the
>> server (Ubuntu 12.04.4 LTS, OSSEC server v. 2.8) via manage_agents.  I have
>> written a script that runs via group policy that stops the ossec service,
>> removes the client.keys and ossec.conf files from the machine, then copies
>> over a new ossec.conf and client.keys file with the correct information
>> (server IP and client key) and restarts the ossec service.  If the Windows
>> client (v 2.8) is installed clean, it connects to the server and
>> communicates properly.  If it is done via the group policy (utilizing the
>> exact same information), the following occurs (pulled from a log file on a
>> clean machine):
>>
>> 2014/10/12 04:16:13 ossec-agent: Using notify time: 600 and max time to
>> reconnect: 1800
>>
>> 2014/10/12 04:16:13 ossec-execd(1350): INFO: Active response disabled.
>> Exiting.
>>
>> 2014/10/12 04:16:13 ossec-agent(1410): INFO: Reading authentication keys
>> file.
>>
>> 2014/10/12 04:16:13 ossec-agent: INFO: No previous counter available for
>> 'FRI-COMPUTER1'.
>>
>> 2014/10/12 04:16:13 ossec-agent: INFO: Assigning counter for agent
>> FRI-COMPUTER1: '0:0'.
>>
>> 2014/10/12 04:16:13 ossec-agent: INFO: Assigning sender counter: 0:179
>>
>> 2014/10/12 04:16:13 ossec-agent: INFO: Trying to connect to server (
>> 10.50.3.4:1514).
>>
>> 2014/10/12 04:16:13 ossec-agent: INFO: Using IPv4 for: 10.50.3.4 .
>>
>> 2014/10/12 04:16:13 ossec-agent: Starting syscheckd thread.
>>
>> 2014/10/12 04:16:13 ossec-rootcheck: INFO: Started (pid: 6800).
>>
>> 2014/10/12 04:16:13 ossec-agent: INFO: Monitoring registry entry:
>> 'HKEY_LOCAL_MACHINE\Software\Classes\batfile'.
>>
>> 2014/10/12 04:16:13 ossec-agent: INFO: Monitoring registry entry:
>> 'HKEY_LOCAL_MACHINE\Software\Classes\cmdfile'.
>>
>> 2014/10/12 04:16:13 ossec-agent: INFO: Monitoring registry entry:
>> 'HKEY_LOCAL_MACHINE\Software\Classes\comfile'.
>>
>> 2014/10/12 04:16:13 ossec-agent: INFO: Monitoring registry entry:
>> 'HKEY_LOCAL_MACHINE\Software\Classes\exefile'.
>>
>> 2014/10/12 04:16:13 ossec-agent: INFO: Monitoring registry entry:
>> 'HKEY_LOCAL_MACHINE\Software\Classes\piffile'.
>>
>> 2014/10/12 04:16:13 ossec-agent: INFO: Monitoring registry entry:
>> 'HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects'.
>>
>> 2014/10/12 04:16:13 ossec-agent: INFO: Monitoring registry entry:
>> 'HKEY_LOCAL_MACHINE\Software\Classes\Directory'.
>>
>> 2014/10/12 04:16:13 ossec-agent: INFO: Monitoring registry entry:
>> 'HKEY_LOCAL_MACHINE\Software\Classes\Folder'.
>>
>> 2014/10/12 04:16:13 ossec-agent: INFO: Monitoring registry entry:
>> 'HKEY_LOCAL_MACHINE\Software\Classes\Protocols'.
>>
>> 2014/10/12 04:16:13 ossec-agent: INFO: Monitoring registry entry:
>> 'HKEY_LOCAL_MACHINE\Software\Policies'.
>>
>> 2014/10/12 04:16:13 ossec-agent: INFO: Monitoring registry entry:
>> 'HKEY_LOCAL_MACHINE\Security'.
>>
>> 2014/10/12 04:16:13 ossec-agent: INFO: Monitoring registry entry:
>> 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer'.
>>
>> 2014/10/12 04:16:13 ossec-agent: INFO: Monitoring registry entry:
>> 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services'.
>>
>> 2014/10/12 04:16:13 ossec-agent: INFO: Monitoring registry entry:
>> 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session
>> Manager\KnownDLLs'.
>>
>> 2014/10/12 04:16:13 ossec-agent: INFO: Monitoring registry entry:
>> 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\
>> SecurePipeServers\winreg'.
>>
>> 2014/10/12 04:16:13 ossec-agent: INFO: Monitoring registry entry:
>> 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run'.
>>
>> 2014/10/12 04:16:13 ossec-agent: INFO: Monitoring registry entry:
>> 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce'.
>>
>> 2014/10/12 04:16:13 ossec-agent: INFO: Monitoring registry entry:
>> 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx'.
>>
>> 2014/10/12 04:16:13 ossec-agent: INFO: Monitoring registry entry:
>> 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL'.
>>
>> 2014/10/12 04:16:13 ossec-agent: INFO: Monitoring registry entry:
>> 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies'.
>>
>> 2014/10/12 04:16:13 ossec-agent: INFO: Monitoring registry entry:
>> 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
>> NT\CurrentVersion\Windows'.
>>
>> 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring registry entry:
>> 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
>> NT\CurrentVersion\Winlogon'.
>>
>> 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring registry entry:
>> 'HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed
>> Components'.
>>
>> 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory:
>> 'C:\Windows/win.ini'.
>>
>> 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory:
>> 'C:\Windows/system.ini'.
>>
>> 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory:
>> 'C:\autoexec.bat'.
>>
>> 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory:
>> 'C:\config.sys'.
>>
>> 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory:
>> 'C:\boot.ini'.
>>
>> 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory:
>> 'C:\Windows/System32/CONFIG.NT'.
>>
>> 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory:
>> 'C:\Windows/System32/AUTOEXEC.NT'.
>>
>> 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory:
>> 'C:\Windows/System32/at.exe'.
>>
>> 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory:
>> 'C:\Windows/System32/attrib.exe'.
>>
>> 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory:
>> 'C:\Windows/System32/cacls.exe'.
>>
>> 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory:
>> 'C:\Windows/System32/debug.exe'.
>>
>> 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory:
>> 'C:\Windows/System32/drwatson.exe'.
>>
>> 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory:
>> 'C:\Windows/System32/drwtsn32.exe'.
>>
>> 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory:
>> 'C:\Windows/System32/edlin.exe'.
>>
>> 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory:
>> 'C:\Windows/System32/eventcreate.exe'.
>>
>> 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory:
>> 'C:\Windows/System32/eventtriggers.exe'.
>>
>> 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory:
>> 'C:\Windows/System32/ftp.exe'.
>>
>> 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory:
>> 'C:\Windows/System32/net.exe'.
>>
>> 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory:
>> 'C:\Windows/System32/net1.exe'.
>>
>> 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory:
>> 'C:\Windows/System32/netsh.exe'.
>>
>> 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory:
>> 'C:\Windows/System32/rcp.exe'.
>>
>> 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory:
>> 'C:\Windows/System32/reg.exe'.
>>
>> 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory:
>> 'C:\Windows/regedit.exe'.
>>
>> 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory:
>> 'C:\Windows/System32/regedt32.exe'.
>>
>> 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory:
>> 'C:\Windows/System32/regsvr32.exe'.
>>
>> 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory:
>> 'C:\Windows/System32/rexec.exe'.
>>
>> 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory:
>> 'C:\Windows/System32/rsh.exe'.
>>
>> 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory:
>> 'C:\Windows/System32/runas.exe'.
>>
>> 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory:
>> 'C:\Windows/System32/sc.exe'.
>>
>> 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory:
>> 'C:\Windows/System32/subst.exe'.
>>
>> 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory:
>> 'C:\Windows/System32/telnet.exe'.
>>
>> 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory:
>> 'C:\Windows/System32/tftp.exe'.
>>
>> 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory:
>> 'C:\Windows/System32/tlntsvr.exe'.
>>
>> 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory:
>> 'C:\Windows/System32/drivers/etc'.
>>
>> 2014/10/12 04:16:14 ossec-agent: INFO: Monitoring directory:
>> 'C:\Documents and Settings/All Users/Start Menu/Programs/Startup'.
>>
>> 2014/10/12 04:16:14 ossec-agent: INFO: Started (pid: 6800).
>>
>> 2014/10/12 04:16:24 ossec-agent: WARN: Process locked. Waiting for
>> permission...
>>
>> 2014/10/12 04:16:34 ossec-agent(4101): WARN: Waiting for server reply
>> (not started). Tried: '10.50.3.4'.
>>
>> 2014/10/12 04:16:36 ossec-agent: INFO: Trying to connect to server (
>> 10.50.3.4:1514).
>>
>> 2014/10/12 04:16:36 ossec-agent: INFO: Using IPv4 for: 10.50.3.4 .
>>
>> 2014/10/12 04:16:58 ossec-agent(4101): WARN: Waiting for server reply
>> (not started). Tried: '10.50.3.4'.
>>
>> 2014/10/12 04:17:18 ossec-agent: INFO: Trying to connect to server (
>> 10.50.3.4:1514).
>>
>> 2014/10/12 04:17:18 ossec-agent: INFO: Using IPv4 for: 10.50.3.4 .
>>
>> 2014/10/12 04:17:39 ossec-agent(4101): WARN: Waiting for server reply
>> (not started). Tried: '10.50.3.4'.
>>
>> 2014/10/12 04:18:17 ossec-agent: INFO: Trying to connect to server (
>> 10.50.3.4:1514).
>>
>> 2014/10/12 04:18:17 ossec-agent: INFO: Using IPv4 for: 10.50.3.4 .
>>
>> 2014/10/12 04:18:38 ossec-agent(4101): WARN: Waiting for server reply
>> (not started). Tried: '10.50.3.4'.
>>
>> 2014/10/12 04:19:34 ossec-agent: INFO: Trying to connect to server (
>> 10.50.3.4:1514).
>>
>> 2014/10/12 04:19:34 ossec-agent: INFO: Using IPv4 for: 10.50.3.4 .
>>
>> 2014/10/12 04:19:55 ossec-agent(4101): WARN: Waiting for server reply
>> (not started). Tried: '10.50.3.4'.
>>
>> 2014/10/12 04:21:09 ossec-agent: INFO: Trying to connect to server (
>> 10.50.3.4:1514).
>>
>> 2014/10/12 04:21:09 ossec-agent: INFO: Using IPv4 for: 10.50.3.4 .
>>
>> 2014/10/12 04:21:30 ossec-agent(4101): WARN: Waiting for server reply
>> (not started). Tried: '10.50.3.4'.
>>
>> 2014/10/12 04:23:02 ossec-agent: INFO: Trying to connect to server (
>> 10.50.3.4:1514).
>>
>> 2014/10/12 04:23:02 ossec-agent: INFO: Using IPv4 for: 10.50.3.4 .
>>
>> 2014/10/12 04:23:23 ossec-agent(4101): WARN: Waiting for server reply
>> (not started). Tried: '10.50.3.4'.
>>
>> 2014/10/12 04:25:13 ossec-agent: INFO: Trying to connect to server (
>> 10.50.3.4:1514).
>>
>> 2014/10/12 04:25:13 ossec-agent: INFO: Using IPv4 for: 10.50.3.4 .
>>
>> 2014/10/12 04:25:34 ossec-agent(4101): WARN: Waiting for server reply
>> (not started). Tried: '10.50.3.4'.
>>
>> 2014/10/12 04:27:42 ossec-agent: INFO: Trying to connect to server (
>> 10.50.3.4:1514).
>>
>> 2014/10/12 04:27:42 ossec-agent: INFO: Using IPv4 for: 10.50.3.4 .
>>
>> 2014/10/12 04:28:03 ossec-agent(4101): WARN: Waiting for server reply
>> (not started). Tried: '10.50.3.4'.
>>
>> 2014/10/12 04:30:29 ossec-agent: INFO: Trying to connect to server (
>> 10.50.3.4:1514).
>>
>> 2014/10/12 04:30:30 ossec-agent: INFO: Using IPv4 for: 10.50.3.4 .
>>
>> 2014/10/12 04:30:51 ossec-agent(4101): WARN: Waiting for server reply
>> (not started). Tried: '10.50.3.4'.
>>
>>
>>
>> I have verified that the information contained in the ossec.conf and
>> client.keys files that were copied over to the local machine is correct.
>>
>> Can anyone tell me why this is occurring and how to fix it?  Please?
>>
>> Thank you for all your help,
>> David
>>
>  --
>
> ---
> You received this message because you are subscribed to a topic in the
> Google Groups "ossec-list" group.
> To unsubscribe from this topic, visit
> https://groups.google.com/d/topic/ossec-list/Zmfag8ajU3s/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to
> ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
>
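
Added example, not part of the original thread or of OSSEC itself: one way to triage agent logs like the one quoted above across many machines, by counting connection attempts and 4101 "Waiting for server reply" warnings and classifying whether the server ever answered. The sample lines are constructed from the quoted log (unwrapped), and the "Connected to the server" text is an assumption, since the thread never shows a successful connection.

```python
import re
from datetime import datetime

# Constructed sample: lines modelled on the agent log quoted in the thread,
# unwrapped to one event per line.
SAMPLE_LOG = """\
2014/10/12 04:16:13 ossec-agent: INFO: Trying to connect to server (10.50.3.4:1514).
2014/10/12 04:16:34 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '10.50.3.4'.
2014/10/12 04:16:36 ossec-agent: INFO: Trying to connect to server (10.50.3.4:1514).
2014/10/12 04:16:58 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '10.50.3.4'.
2014/10/12 04:17:18 ossec-agent: INFO: Trying to connect to server (10.50.3.4:1514).
2014/10/12 04:17:39 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '10.50.3.4'.
"""

LINE = re.compile(r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) (\S+?)(?:\((\d+)\))?: (.*)$")
TRY = re.compile(r"Trying to connect to server \(\s*([^)\s]+)\s*\)")
# Assumption: text the agent logs once the server answers; not shown in the thread.
CONNECTED = "Connected to the server"


def summarize(log_text):
    """Classify one agent log by whether the server ever replied."""
    out = {"server": None, "attempts": 0, "no_reply": 0, "connected": False,
           "stalled_seconds": 0}
    first_try = None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank line or wrapped continuation
        ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
        code, msg = m.group(3), m.group(4)
        target = TRY.search(msg)
        if target:
            out["attempts"] += 1
            out["server"] = target.group(1)
            first_try = first_try or ts
        elif code == "4101":  # "Waiting for server reply (not started)"
            out["no_reply"] += 1
            out["connected"] = False
            if first_try:  # time spent without a reply since the first attempt
                out["stalled_seconds"] = int((ts - first_try).total_seconds())
        elif CONNECTED in msg:
            out["connected"] = True
    out["status"] = ("connected" if out["connected"]
                     else "no_server_reply" if out["no_reply"] else "unknown")
    return out


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

An agent reporting "no_server_reply" is sending to the server but never receiving an answer, which is the point to check the server-side ossec.log for that agent, as asked above.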
