[ossec-list] Windows Server agent not sending notifications to Linux server

Mon, 17 Aug 2020 19:42:41 -0700 

Hi all,

I am starting to use OSSEC so I may be doing something wrong here.

I have OSSEC installed as a server in my Linux VM and the Agent in my 
Windows Server 2012 VM.

My server has the default configuration plus this:

  <command>
     <name>ossec-slack</name>
     <executable>ossec-slack.sh</executable>
     <expect></expect> <!-- no expect args required -->
     <timeout_allowed>no</timeout_allowed>
  </command>

  <active-response>
    <disabled>no</disabled>
    <command>ossec-slack</command>
    <location>local</location>
    <level>3</level>
  </active-response>

  <remote>
    <connection>secure</connection>
  </remote>

In my Server, using the agent_control I can see my agent is *active*

[root@gateway1-proxy bin]# ./agent_control -l

OSSEC HIDS agent_control. List of available agents:
ID: 000, Name: gateway1-proxy (server), IP: 127.0.0.1, Active/Local
ID: 001, Name: clearing-optimizer, IP: XX.XX.X.X, Active

With that, I believe my server and agent are communicating as expected.

In my server's log, I have a lot of:

2020/08/17 19:25:18 ossec-remoted: WARN: Duplicate error:  global: 22, 
local: 7947, saved global: 22, saved local:7948
2020/08/17 19:25:18 ossec-remoted(1407): ERROR: Duplicated counter for 
'clearing-optimizer'.

I have found an old post here in this group and applied the suggestion but 
the same error appears again after a while. I have also tried removing the 
agent and adding again, with a different ID and name but again, after a 
while, the error appears.

In my agent, I have the default configuration plus this:

  <active-response>
    <disabled>no</disabled>
    <location>server</location>
    <level>3</level>
  </active-response>

So, in my understanding, this is sending any active-response event to the 
server, is that correct?

Also, another question, is there a way to trigger an event in my agent 
(Windows) so I can check if the server is receiving the notification 
correctly?

Thank you.


-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ossec-list/010078f3-af73-4b7d-ba9c-88bf1f1694b0n%40googlegroups.com.

Reply via email to