[ossec-list] Re: Ossec agent error

[Reinaldo Fernandes]

 

Hi Eero,

 

Thank you for your reply but no Joy.

All the hosts have the firewall deactivated.

 

Best regards,

Reinaldo 


terça-feira, 3 de Novembro de 2015 às 12:11:10 UTC, Reinaldo Fernandes 
escreveu:
>
> Hello,
>
>  
>
> My name is Reinaldo Fernandes and I’m contacting you regarding the Ossec 
> solution
>
> I have been trying to deploy this on our environment ( Windows mainly) but 
> the agent it’s not able to communicate with the Ossec server (They are both 
> on the same VLAN, no firewall between).
>
>  
>
> *This is the error: *
>
>  
>
> 2015/11/03 10:44:47 ossec-agent: INFO: Trying to connect to server (
> 172.20.21.43:1514).
>
>  
>
> 2015/11/03 10:44:47 ossec-agent: INFO: Using IPv4 for: 172.20.21.43 .
>
>  
>
> 2015/11/03 10:45:09 ossec-agent(4101): WARN: Waiting for server reply (not 
> started). Tried: '172.20.21.43'.
>
>  
>
> *When I try to look up at the logs on the Ossec server this is the only 
> info that I got:*
>
>  
>
> [root@ossec user]# /var/ossec/logs/ossec.log
>
> /var/ossec/logs/ossec.log: line 1: syntax error near unexpected token `('
>
> /var/ossec/logs/ossec.log: line 1: `2015/06/12 15:52:36 
> ossec-monitord(1225): INFO: SIGNAL Received. Exit Cleaning...'
>
>  
>
> Any clue or tip on how to solve this situation?
>
>  
>
> *Reinaldo Fernandes*
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[ossec-list] Re: Ossec agent error

[Reinaldo Fernandes]

Hey dan,















*this is the result:root@ossec user]# /var/ossec/bin/ossec-control 
statusossec-monitord not running...ossec-logcollector: Process 2000 not 
used by ossec, removing ..ossec-logcollector not running...ossec-remoted: 
Process 2005 not used by ossec, removing ..ossec-remoted not 
running...ossec-syscheckd not running...ossec-analysisd: Process 1996 not 
used by ossec, removing ..ossec-analysisd not running...ossec-maild not 
running...ossec-execd is running...ossec-csyslogd is running...*

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[ossec-list] Re: Ossec agent error

[Reinaldo Fernandes]

*2015/11/04 08:26:11 1 : rule:1003, level 13, timeout: 02015/11/04 08:26:11 
1 : rule:40104, level 13, timeout: 02015/11/04 08:26:11 1 : rule:40105, 
level 12, timeout: 02015/11/04 08:26:11 1 : rule:40106, level 12, timeout: 
02015/11/04 08:26:11 1 : rule:40109, level 12, timeout: 02015/11/04 
08:26:11 1 : rule:2301, level 10, timeout: 02015/11/04 08:26:11 1 : 
rule:2502, level 10, timeout: 02015/11/04 08:26:11 2 : rule:40111, level 
10, timeout: 02015/11/04 08:26:11 1 : rule:2504, level 9, timeout: 
02015/11/04 08:26:11 1 : rule:7101, level 8, timeout: 02015/11/04 08:26:11 
1 : rule:5901, level 8, timeout: 02015/11/04 08:26:11 2 : rule:40501, level 
15, timeout: 02015/11/04 08:26:11 1 : rule:5902, level 8, timeout: 
02015/11/04 08:26:11 2 : rule:40501, level 15, timeout: 02015/11/04 
08:26:11 1 : rule:5904, level 8, timeout: 02015/11/04 08:26:11 2 : 
rule:40501, level 15, timeout: 02015/11/04 08:26:11 1 : rule:12110, level 
8, timeout: 02015/11/04 08:26:11 1 : rule:12111, level 8, timeout: 
02015/11/04 08:26:11 1 : rule:18128, level 8, timeout: 02015/11/04 08:26:11 
1 : rule:1007, level 7, timeout: 02015/11/04 08:26:11 1 : rule:30200, level 
6, timeout: 02015/11/04 08:26:11 2 : rule:30201, level 6, timeout: 
02015/11/04 08:26:11 3 : rule:30202, level 10, timeout: 02015/11/04 
08:26:11 1 : rule:5604, level 5, timeout: 02015/11/04 08:26:11 1 : 
rule:1004, level 5, timeout: 02015/11/04 08:26:11 1 : rule:1005, level 5, 
timeout: 02015/11/04 08:26:11 1 : rule:1006, level 5, timeout: 02015/11/04 
08:26:11 1 : rule:1008, level 5, timeout: 02015/11/04 08:26:11 1 : 
rule:2501, level 5, timeout: 02015/11/04 08:26:11 2 : rule:40111, level 10, 
timeout: 02015/11/04 08:26:11 1 : rule:2503, level 5, timeout: 02015/11/04 
08:26:11 1 : rule:14101, level 5, timeout: 02015/11/04 08:26:11 2 : 
rule:40111, level 10, timeout: 02015/11/04 08:26:11 2 : rule:14151, level 
9, timeout: 02015/11/04 08:26:11 1 : rule:5553, level 4, timeout: 
02015/11/04 08:26:11 1 : rule:5554, level 4, timeout: 02015/11/04 08:26:11 
1 : rule:2103, level 4, timeout: 02015/11/04 08:26:11 1 : rule:12112, level 
4, timeout: 02015/11/04 08:26:11 1 : rule:51524, level 4, timeout: 
02015/11/04 08:26:11 1 : rule:, level 3, timeout: 02015/11/04 08:26:11 
1 : rule:2505, level 3, timeout: 02015/11/04 08:26:11 1 : rule:2506, level 
3, timeout: 02015/11/04 08:26:11 1 : rule:13112, level 3, timeout: 
02015/11/04 08:26:11 1 : rule:51531, level 3, timeout: 02015/11/04 08:26:11 
1 : rule:1001, level 2, timeout: 02015/11/04 08:26:11 1 : rule:1002, level 
2, timeout: 02015/11/04 08:26:11 2 : rule:1009, level 0, timeout: 
02015/11/04 08:26:11 1 : rule:5903, level 2, timeout: 02015/11/04 08:26:11 
2 : rule:40501, level 15, timeout: 02015/11/04 08:26:11 0 : rule:2, level 
0, timeout: 02015/11/04 08:26:11 1 : rule:4100, level 0, timeout: 
02015/11/04 08:26:11 2 : rule:4101, level 5, timeout: 02015/11/04 08:26:11 
3 : rule:4151, level 10, timeout: 2402015/11/04 08:26:11 0 : rule:3, level 
0, timeout: 02015/11/04 08:26:11 1 : rule:20100, level 8, timeout: 
02015/11/04 08:26:11 2 : rule:20102, level 0, timeout: 02015/11/04 08:26:11 
2 : rule:20103, level 0, timeout: 02015/11/04 08:26:11 1 : rule:20101, 
level 6, timeout: 02015/11/04 08:26:11 2 : rule:20102, level 0, timeout: 
02015/11/04 08:26:11 2 : rule:20103, level 0, timeout: 02015/11/04 08:26:11 
2 : rule:20152, level 10, timeout: 902015/11/04 08:26:11 3 : rule:20162, 
level 11, timeout: 02015/11/04 08:26:11 2 : rule:20151, level 10, timeout: 
902015/11/04 08:26:11 3 : rule:20161, level 11, timeout: 02015/11/04 
08:26:11 0 : rule:4, level 0, timeout: 02015/11/04 08:26:11 1 : rule:31100, 
level 0, timeout: 02015/11/04 08:26:11 2 : rule:31108, level 0, timeout: 
02015/11/04 08:26:11 3 : rule:31509, level 3, timeout: 02015/11/04 08:26:11 
4 : rule:31510, level 8, timeout: 02015/11/04 08:26:11 2 : rule:31115, 
level 13, timeout: 02015/11/04 08:26:11 2 : rule:31103, level 6, timeout: 
02015/11/04 08:26:11 3 : rule:31107, level 0, timeout: 02015/11/04 08:26:11 
3 : rule:31152, level 10, timeout: 02015/11/04 08:26:11 3 : rule:31106, 
level 6, timeout: 02015/11/04 08:26:11 2 : rule:31104, level 6, timeout: 
02015/11/04 08:26:11 3 : rule:31107, level 0, timeout: 02015/11/04 08:26:11 
3 : rule:31153, level 10, timeout: 02015/11/04 08:26:11 3 : rule:31106, 
level 6, timeout: 02015/11/04 08:26:11 2 : rule:31105, level 6, timeout: 
02015/11/04 08:26:11 3 : rule:31107, level 0, timeout: 02015/11/04 08:26:11 
3 : rule:31154, level 10, timeout: 

[ossec-list] Re: Ossec agent error

[Reinaldo Fernandes]

Hi Ryan,

I have removed the /24 but still having the same issue.

Best regards,
Reinaldo 

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[ossec-list] Re: Ossec agent error

[Reinaldo Fernandes]

*Hi Dan,*

s -ld /var/ossec/queue/fts
drwxr-x---. 2 user ossec 4096 Aug 12  2014 /var/ossec/queue/fts

I have a windows server 2012 R2 (Main host) with Ossec installed on as a 
virtualbox host.  
The version is Ossec-vm-2.8.2.

Best regards,
Reinaldo 

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[ossec-list] Re: Ossec agent error

[Reinaldo Fernandes]

I think this is disabled already:

 SELINUX= can take one of these three values:
#   enforcing - SELinux security policy is enforced.
#   permissive - SELinux prints warnings instead of enforcing.
#   disabled - SELinux is fully disabled.
SELINUX=disabled
# SELINUXTYPE= type of policy in use. Possible values are:
#   targeted - Only targeted network daemons are protected.
#   strict - Full SELinux protection.
SELINUXTYPE=targeted
~

> *Reinaldo Fernandes* 
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[ossec-list] Re: Ossec agent error

[Reinaldo Fernandes]

*Any ideas?I'm still having this issue which is really strange. I thought 
it could happen with a host in a different VLAn but this is not the case. *

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [ossec-list] Re: Ossec agent error

[dan (ddp)]

On Nov 3, 2015 10:13 AM, "Reinaldo Fernandes" 
wrote:
>
> Hi Eero,
>
>
>
> Thank you for your reply but no Joy.
>
> All the hosts have the firewall deactivated.
>

Any luck finding any more info in the ossec.log file? Maybe just look for
stray parentheses in the ossec.conf.

>
>
> Best regards,
>
> Reinaldo
>
>
>
> terça-feira, 3 de Novembro de 2015 às 12:11:10 UTC, Reinaldo Fernandes
escreveu:
>>
>> Hello,
>>
>>
>>
>> My name is Reinaldo Fernandes and I’m contacting you regarding the Ossec
solution
>>
>> I have been trying to deploy this on our environment ( Windows mainly)
but the agent it’s not able to communicate with the Ossec server (They are
both on the same VLAN, no firewall between).
>>
>>
>>
>> This is the error:
>>
>>
>>
>> 2015/11/03 10:44:47 ossec-agent: INFO: Trying to connect to server (
172.20.21.43:1514).
>>
>>
>>
>> 2015/11/03 10:44:47 ossec-agent: INFO: Using IPv4 for: 172.20.21.43 .
>>
>>
>>
>> 2015/11/03 10:45:09 ossec-agent(4101): WARN: Waiting for server reply
(not started). Tried: '172.20.21.43'.
>>
>>
>>
>> When I try to look up at the logs on the Ossec server this is the only
info that I got:
>>
>>
>>
>> [root@ossec user]# /var/ossec/logs/ossec.log
>>
>> /var/ossec/logs/ossec.log: line 1: syntax error near unexpected token `('
>>
>> /var/ossec/logs/ossec.log: line 1: `2015/06/12 15:52:36
ossec-monitord(1225): INFO: SIGNAL Received. Exit Cleaning...'
>>
>>
>>
>> Any clue or tip on how to solve this situation?
>>
>>
>>
>> Reinaldo Fernandes
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
"ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [ossec-list] Re: Ossec agent error

[Reinaldo Fernandes]

Hi dan,

Sorry but I'm getting a acces denied when I try to run the following 
command:
tail -F /var/ossec/logs/ossec.log

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [ossec-list] Re: Ossec agent error

[dan (ddp)]

On Nov 3, 2015 10:28 AM, "Reinaldo Fernandes" 
wrote:
>
> Hi dan,
>
> Sorry but I'm getting a acces denied when I try to run the following
command:
> tail -F /var/ossec/logs/ossec.log
>

You may need to use sudo to access the file. And a `tail -f` will only show
new entries (which will be fine if you restart the processes while tailing
the file).

> --
>
> ---
> You received this message because you are subscribed to the Google Groups
"ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [ossec-list] Re: Ossec agent error

[Reinaldo Fernandes]

Hi dan,
I did now:
sudo /var/ossec/logs/ossec.log

and I got exactly the same entrys on the logs as before:

[root@ossec user]# /var/ossec/logs/ossec.log

/var/ossec/logs/ossec.log: line 1: syntax error near unexpected token `('

/var/ossec/logs/ossec.log: line 1: `2015/06/12 15:52:36 
ossec-monitord(1225): INFO: SIGNAL Received. Exit Cleaning...'


-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [ossec-list] Re: Ossec agent error

[dan (ddp)]

On Tue, Nov 3, 2015 at 10:40 AM, Reinaldo Fernandes
 wrote:
> Hi dan,
> I did now:
> sudo /var/ossec/logs/ossec.log
>
> and I got exactly the same entrys on the logs as before:
>


Those are really weird. Do you have any stray "(" in your ossec.conf file?

> [root@ossec user]# /var/ossec/logs/ossec.log
>
> /var/ossec/logs/ossec.log: line 1: syntax error near unexpected token `('
>
> /var/ossec/logs/ossec.log: line 1: `2015/06/12 15:52:36
> ossec-monitord(1225): INFO: SIGNAL Received. Exit Cleaning...'
>
>
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [ossec-list] Re: Ossec agent error

[Eero Volotinen]

Are you trying to execute log file?

You need to run sudo tail filename, not sudo filename

Eero
3.11.2015 5.40 ip. "Reinaldo Fernandes" 
kirjoitti:

> Hi dan,
> I did now:
> sudo /var/ossec/logs/ossec.log
>
> and I got exactly the same entrys on the logs as before:
>
> [root@ossec user]# /var/ossec/logs/ossec.log
>
> /var/ossec/logs/ossec.log: line 1: syntax error near unexpected token `('
>
> /var/ossec/logs/ossec.log: line 1: `2015/06/12 15:52:36
> ossec-monitord(1225): INFO: SIGNAL Received. Exit Cleaning...'
>
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [ossec-list] Re: Ossec agent error

[Reinaldo Fernandes]

Can you provide me the correct command to run??
Thank you

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [ossec-list] Re: Ossec agent error

[Eero Volotinen]

sudo tail -f /path/to/filename

Eero
3.11.2015 6.26 ip. "Reinaldo Fernandes" 
kirjoitti:

>
> Can you provide me the correct command to run??
> Thank you
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [ossec-list] Re: Ossec agent error

[Reinaldo Fernandes]

This is the logs result:


-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [ossec-list] Re: Ossec agent error

[Reinaldo Fernandes]

*I'm not sure about this 127.0.0.1 IP..Should it be the IP of ossec 
server?If yes it should be 172.20.21.200.*
quarta-feira, 4 de Novembro de 2015 às 09:21:30 UTC, Reinaldo Fernandes 
escreveu:
>
> This is the logs result:
>
>
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [ossec-list] Re: Ossec agent error

[Guilherme Boing]

The part where you see 127.0.0.1 is the log collector checking if is there
any new open port on netstat that wasn't open before...
Also, if you are root, you don't need to be using sudo.

On the first email the ossec server was 172.20.21.43, and now you are
saying that it should be 172.20.21.200...
Make sure the server is properly configured on /var/ossec/etc/ossec.conf
(172.20.21.200)

On Wed, Nov 4, 2015 at 7:23 AM, Reinaldo Fernandes <
fernandes.jreina...@gmail.com> wrote:

>
>
> *I'm not sure about this 127.0.0.1 IP..Should it be the IP of ossec
> server?If yes it should be 172.20.21.200.*
>
> quarta-feira, 4 de Novembro de 2015 às 09:21:30 UTC, Reinaldo Fernandes
> escreveu:
>>
>> This is the logs result:
>>
>>
>> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [ossec-list] Re: Ossec agent error

[Reinaldo Fernandes]

Hi Guilherme,
We had to change the ip of the server to .200, but we did the change on the 
agent also.
When I try to access the path that you provide me a got the following error.


-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [ossec-list] Re: Ossec agent error

[Reinaldo Fernandes]

I don't see any 172.20.21.43 or 200 IP on my config file.
Those are the only fields with ip's:




-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [ossec-list] Re: Ossec agent error

[Guilherme Boing]

Did you install it as an agent or as a server ?

$ head -n 4 /var/ossec/etc/ossec.conf

  
192.168.20.164
  

This is in every server that I have an agent running on. All the servers
are pointing the ossec to the ossec server-ip (192.168.20.164 in my case).

I suggest you to reinstall ossec and make sure that you set it up as an
agent (if that is the case).

On Wed, Nov 4, 2015 at 8:06 AM, Reinaldo Fernandes <
fernandes.jreina...@gmail.com> wrote:

> I don't see any 172.20.21.43 or 200 IP on my config file.
> Those are the only fields with ip's:
>
>
>
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [ossec-list] Re: Ossec agent error

[Reinaldo Fernandes]

I thought you were talking about the server config.
On the agent I got the following:


   
  172.20.21.200
   
 

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [ossec-list] Re: Ossec agent error

[Reinaldo Fernandes]

But I'm still receving the following error:

2015/11/04 10:34:50 ossec-agent: INFO: Trying to connect to server 
(172.20.21.200:1514).

2015/11/04 10:34:50 ossec-agent: INFO: Using IPv4 for: 172.20.21.200 .

2015/11/04 10:35:12 ossec-agent(4101): WARN: Waiting for server reply (not 
started). Tried: '172.20.21.200'.

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [ossec-list] Re: Ossec agent error

[Guilherme Boing]

I don't see any errors... this is just a warning.
(Re)start the ossec service and see if it works.

On Wed, Nov 4, 2015 at 8:37 AM, Reinaldo Fernandes <
fernandes.jreina...@gmail.com> wrote:

> But I'm still receving the following error:
>
> 2015/11/04 10:34:50 ossec-agent: INFO: Trying to connect to server (
> 172.20.21.200:1514).
>
> 2015/11/04 10:34:50 ossec-agent: INFO: Using IPv4 for: 172.20.21.200 .
>
> 2015/11/04 10:35:12 ossec-agent(4101): WARN: Waiting for server reply (not
> started). Tried: '172.20.21.200'.
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [ossec-list] Re: Ossec agent error

[Reinaldo Fernandes]

Shouldn't I receive a connected successfully instead of this warnig?

I found this and it's says that the agent is having issues to connect to 
the server:

*The following log messages may appear in the ossec.log file on an agent 
when it is having issues connecting to a manager:*

2011/11/13 18:05:13 ossec-agent: WARN: Process locked. Waiting for 
permission...2011/11/13 18:05:24 ossec-agent(4101): WARN: Waiting for server 
reply (not started). Tried: '10.10.134.241'.2011/11/13 18:05:26 ossec-agent: 
INFO: Trying to connect to server (10.10.134.241:1514).2011/11/13 18:05:26 
ossec-agent: INFO: Using IPv4 for: 10.10.134.241 .2011/11/13 18:05:47 
ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: 
'10.10.134.241'.


-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [ossec-list] Re: Ossec agent error

[Reinaldo Fernandes]

How do i know if an agent is being monitored by the ossec server?

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [ossec-list] Re: Ossec agent error

[Eero Volotinen]

Well, you said that server is located at .200. It isn't according this log .
4.11.2015 12.58 ip. "Reinaldo Fernandes" 
kirjoitti:

> Shouldn't I receive a connected successfully instead of this warnig?
>
> I found this and it's says that the agent is having issues to connect to
> the server:
>
> *The following log messages may appear in the ossec.log file on an agent
> when it is having issues connecting to a manager:*
>
> 2011/11/13 18:05:13 ossec-agent: WARN: Process locked. Waiting for 
> permission...2011/11/13 18:05:24 ossec-agent(4101): WARN: Waiting for server 
> reply (not started). Tried: '10.10.134.241'.2011/11/13 18:05:26 ossec-agent: 
> INFO: Trying to connect to server (10.10.134.241:1514).2011/11/13 18:05:26 
> ossec-agent: INFO: Using IPv4 for: 10.10.134.241 .2011/11/13 18:05:47 
> ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: 
> '10.10.134.241'.
>
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [ossec-list] Re: Ossec agent error

[Guilherme Boing]

If both agent and server are properly configured and running ossec, if they
cannot connect to each other, you have a network issue.
In order to list the agents monitored by the ossec server, see
http://ossec-docs.readthedocs.org/en/latest/programs/list_agents.html



On Wed, Nov 4, 2015 at 8:58 AM, Reinaldo Fernandes <
fernandes.jreina...@gmail.com> wrote:

> Shouldn't I receive a connected successfully instead of this warnig?
>
> I found this and it's says that the agent is having issues to connect to
> the server:
>
> *The following log messages may appear in the ossec.log file on an agent
> when it is having issues connecting to a manager:*
>
> 2011/11/13 18:05:13 ossec-agent: WARN: Process locked. Waiting for 
> permission...2011/11/13 18:05:24 ossec-agent(4101): WARN: Waiting for server 
> reply (not started). Tried: '10.10.134.241'.2011/11/13 18:05:26 ossec-agent: 
> INFO: Trying to connect to server (10.10.134.241:1514).2011/11/13 18:05:26 
> ossec-agent: INFO: Using IPv4 for: 10.10.134.241 .2011/11/13 18:05:47 
> ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: 
> '10.10.134.241'.
>
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [ossec-list] Re: Ossec agent error

[Reinaldo Fernandes]

This log it's not mine Eero,
I used to shown as an example of article that I found on google.

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [ossec-list] Re: Ossec agent error

[Reinaldo Fernandes]

this is what I got when I try to see the list of agents.
So I suppose that my agent it's not connected.


-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [ossec-list] Re: Ossec agent error

[Reinaldo Fernandes]

And this is my agent failure connection:


-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [ossec-list] Re: Ossec agent error

[Guilherme Boing]

Did you register your agent and import the key from the server into the
agent ?

On Wed, Nov 4, 2015 at 9:23 AM, Reinaldo Fernandes <
fernandes.jreina...@gmail.com> wrote:

> this is what I got when I try to see the list of agents.
> So I suppose that my agent it's not connected.
>
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [ossec-list] Re: Ossec agent error

[Reinaldo Fernandes]

Yes I do..
I can remove and add the agent again.


-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [ossec-list] Re: Ossec agent error

[Reinaldo Fernandes]

Any ideas?

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [ossec-list] Re: Ossec agent error

[dan (ddp)]

On Wed, Nov 4, 2015 at 6:23 AM, Reinaldo Fernandes
 wrote:
>
> this is what I got when I try to see the list of agents.
> So I suppose that my agent it's not connected.
>

Doesn't look like it.
run: `/var/ossec/bin/ossec-control status` on the manager.

>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups 
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [ossec-list] Re: Ossec agent error

[dan (ddp)]

On Nov 4, 2015 11:08 AM, "Reinaldo Fernandes" 
wrote:
>
> Hey dan,
> this is the result:
>
> root@ossec user]# /var/ossec/bin/ossec-control status
> ossec-monitord not running...
> ossec-logcollector: Process 2000 not used by ossec, removing ..
> ossec-logcollector not running...
> ossec-remoted: Process 2005 not used by ossec, removing ..
> ossec-remoted not running...
> ossec-syscheckd not running...
> ossec-analysisd: Process 1996 not used by ossec, removing ..
> ossec-analysisd not running...
> ossec-maild not running...
> ossec-execd is running...
> ossec-csyslogd is running...
>

So a bunch of the processes aren't running. Let's figure out why. Try:
`/var/ossec/bin/ossec-analysisd -df`

> --
>
> ---
> You received this message because you are subscribed to the Google Groups
"ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [ossec-list] Re: Ossec agent error

[dan (ddp)]

On Nov 4, 2015 11:27 AM, "Reinaldo Fernandes" 
wrote:
>
>
> 2015/11/04 08:26:11 ossec-analysisd: INFO: Total rules enabled: '1310'
> 2015/11/04 08:26:11 ossec-analysisd: INFO: Ignoring file: '/etc/mtab'
> 2015/11/04 08:26:11 ossec-analysisd: INFO: Ignoring file: '/etc/mnttab'
> 2015/11/04 08:26:11 ossec-analysisd: INFO: Ignoring file:
'/etc/hosts.deny'
> 2015/11/04 08:26:11 ossec-analysisd: INFO: Ignoring file:
'/etc/mail/statistics'
> 2015/11/04 08:26:11 ossec-analysisd: INFO: Ignoring file:
'/etc/random-seed'
> 2015/11/04 08:26:11 ossec-analysisd: INFO: Ignoring file: '/etc/adjtime'
> 2015/11/04 08:26:11 ossec-analysisd: INFO: Ignoring file:
'/etc/httpd/logs'
> 2015/11/04 08:26:11 ossec-analysisd: INFO: Ignoring file: '/etc/utmpx'
> 2015/11/04 08:26:11 ossec-analysisd: INFO: Ignoring file: '/etc/wtmpx'
> 2015/11/04 08:26:11 ossec-analysisd: INFO: Ignoring file:
'/etc/cups/certs'
> 2015/11/04 08:26:11 ossec-analysisd: INFO: Ignoring file: '/etc/dumpdates'
> 2015/11/04 08:26:11 ossec-analysisd: INFO: Ignoring file:
'/etc/svc/volatile'
> 2015/11/04 08:26:11 ossec-analysisd: INFO: Ignoring file:
'C:\WINDOWS/System32/LogFiles'
> 2015/11/04 08:26:11 ossec-analysisd: INFO: Ignoring file:
'C:\WINDOWS/Debug'
> 2015/11/04 08:26:11 ossec-analysisd: INFO: Ignoring file:
'C:\WINDOWS/WindowsUpdate.log'
> 2015/11/04 08:26:11 ossec-analysisd: INFO: Ignoring file:
'C:\WINDOWS/iis6.log'
> 2015/11/04 08:26:11 ossec-analysisd: INFO: Ignoring file:
'C:\WINDOWS/system32/wbem/Logs'
> 2015/11/04 08:26:11 ossec-analysisd: INFO: Ignoring file:
'C:\WINDOWS/system32/wbem/Repository'
> 2015/11/04 08:26:11 ossec-analysisd: INFO: Ignoring file:
'C:\WINDOWS/Prefetch'
> 2015/11/04 08:26:11 ossec-analysisd: INFO: Ignoring file:
'C:\WINDOWS/PCHEALTH/HELPCTR/DataColl'
> 2015/11/04 08:26:11 ossec-analysisd: INFO: Ignoring file:
'C:\WINDOWS/SoftwareDistribution'
> 2015/11/04 08:26:11 ossec-analysisd: INFO: Ignoring file:
'C:\WINDOWS/Temp'
> 2015/11/04 08:26:11 ossec-analysisd: INFO: Ignoring file:
'C:\WINDOWS/system32/config'
> 2015/11/04 08:26:11 ossec-analysisd: INFO: Ignoring file:
'C:\WINDOWS/system32/spool'
> 2015/11/04 08:26:11 ossec-analysisd: INFO: Ignoring file:
'C:\WINDOWS/system32/CatRoot'
> 2015/11/04 08:26:11 ossec-analysisd: INFO: Chrooted to directory:
/var/ossec, using user: ossec
> 2015/11/04 08:26:11 ossec-analysisd: INFO: White listing IP: '127.0.0.1'
> 2015/11/04 08:26:11 ossec-analysisd: INFO: White listing IP: '75.75.75.75'
> 2015/11/04 08:26:11 ossec-analysisd: INFO: White listing IP: '75.75.76.76'
> 2015/11/04 08:26:11 ossec-analysisd: INFO: 3 IPs in the white list for
active response.
> 2015/11/04 08:26:11 ossec-analysisd: INFO: White listing Hostname:
'localhost.localdomain'
> 2015/11/04 08:26:11 ossec-analysisd: INFO: 1 Hostname(s) in the white
list for active response.
> 2015/11/04 08:26:11 ossec-analysisd: INFO: Started (pid: 3564).
> 2015/11/04 08:26:11 ossec-analysisd: SyscheckInit completed.
> 2015/11/04 08:26:11 ossec-analysisd: RootcheckInit completed.
> 2015/11/04 08:26:11 ossec-analysisd(1103): ERROR: Unable to open file
'/queue/fts/hostinfo'.

​Does /var/ossec/queue/fts exist? What are the permissions?
`ls -ld /var/ossec/queue/fts`

How did you install OSSEC? What version are you running?​


> 2015/11/04 08:26:11 ossec-analysisd: OS_CreateEventList completed.
> 2015/11/04 08:26:11 ossec-analysisd(1103): ERROR: Unable to open file
'/queue/fts/fts-queue'.
> 2015/11/04 08:26:11 ossec-analysisd(1260): ERROR: Error initiating FTS
list
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
"ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [ossec-list] Re: Ossec agent error

[Ryan Schulze]

Are you sure you added the agent right on the master; why is there a 
netmask in the IP field (it should be 172.20.21.39 not 172.20.21.39/24)?


On 11/4/2015 5:26 AM, Reinaldo Fernandes wrote:

And this is my agent failure connection:


--

---
You received this message because you are subscribed to the Google 
Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send 
an email to ossec-list+unsubscr...@googlegroups.com 
.

For more options, visit https://groups.google.com/d/optout.


--

--- 
You received this message because you are subscribed to the Google Groups "ossec-list" group.

To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


smime.p7s
Description: S/MIME Cryptographic Signature

Re: [ossec-list] Re: Ossec agent error

[Guilherme Boing]

Maybe you could try disabling selinux

On Thu, Nov 5, 2015 at 8:03 AM, Reinaldo Fernandes <
fernandes.jreina...@gmail.com> wrote:

> *Hi Dan,*
>
> s -ld /var/ossec/queue/fts
> drwxr-x---. 2 user ossec 4096 Aug 12  2014 /var/ossec/queue/fts
>
> I have a windows server 2012 R2 (Main host) with Ossec installed on as a
> virtualbox host.
> The version is Ossec-vm-2.8.2.
>
> Best regards,
> Reinaldo
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [ossec-list] Re: Ossec agent error

[dan (ddp)]

On Thu, Nov 5, 2015 at 5:03 AM, Reinaldo Fernandes
 wrote:
> Hi Dan,
>
> s -ld /var/ossec/queue/fts
> drwxr-x---. 2 user ossec 4096 Aug 12  2014 /var/ossec/queue/fts
>

This should be owned by ossec: `sudo chown -R ossec /var/ossec/queue/fts`

> I have a windows server 2012 R2 (Main host) with Ossec installed on as a
> virtualbox host.
> The version is Ossec-vm-2.8.2.
>
> Best regards,
> Reinaldo
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[ossec-list] Re: ossec-agent: Error waiting mutex (timeout)

[Joshua Gimer]

What does strace show if you attach to the agent process?

strace -p "PID of Agent" -s 100

On Mon, Oct 26, 2009 at 12:16 PM, Mandy  wrote:
>
> ossec-agent: Error waiting mutex (timeout)
>
> I'm seeing this error about every two minutes in the agent logs.  Port
> 1514 is open and the agent can ping the server just fine.  I've tried
> to do some research, but have found nothing.  Does anyone know what I
> should be checking to solve this problem?
>



-- 
Thx
Joshua Gimer

[ossec-list] Re: ossec-agent: Error waiting mutex (timeout)

[Tony Fischer]

For more background information...
We're running the agent on a Windows XP machine.
The manager is an Ubuntu 8.04 LTS machine.
The agent and the manager are connecting through a VPN tunnel that has
no restrictions placed on it in regards to traffic flow.
The agent's ossec.conf file is default from a 2.2 installation. The
manager is running a bone stock configuration as well.
We're not seeing any signs that the VPN connection is dropping on
either the manager or the agent.
We're working on getting StraceNT on the XP box so that we can provide
the requested information.

--
Tony

[ossec-list] Re: ossec-agent: Error waiting mutex (timeout)

[Mandy]

Please see the windows stack below.  We didn't see this problem for a
while.  Now it appears to be happening again.  Thanks in advance for
the help.

[T1804] GetFileType(ad4, 455d91, 2, 0, ...) = 1
[T1804] LeaveCriticalSection(3e2028, f0ccd0, 77c2f613, 7, ...) = 0
[T1804] LeaveCriticalSection(3e6900, f0cd04, 77c3b967, 17, ...) = 0
[T1804] EnterCriticalSection(3e6900, 77c5fd60, f0cd08, 77c3b900, ...)
= 0
[T1804] HeapAlloc(3e, 0, 1000, 77c5fd60, ...) = 9e3710
[T1804] EnterCriticalSection(3e2028, 77c62440, fc, 7, ...) = 0
[T1804] SetFilePointer(ad4, 0, 0, 2, ...) = 10d2a6
[T1804] LeaveCriticalSection(3e2028, f0ca48, 77c2f03d, 7, ...) = 0
[T1804] LeaveCriticalSection(3e6900, f0cd04, 77c3b967, 17, ...) = 0
[T1804] EnterCriticalSection(3e6900, 77c5fd60, f0cd18, 77c3b900, ...)
= 0
[T1804] LeaveCriticalSection(3e6900, f0cd14, 77c3b967, 17, ...) = 0
[T1804] EnterCriticalSection(3e6900, 1a, f0cd20, 77c3b900, ...) = 0
[T1804] LeaveCriticalSection(3e6900, f0cd1c, 77c3b967, 17, ...) = 0
[T1804] EnterCriticalSection(3e6900, 0, f0cd20, 77c3b900, ...) = 0
[T1804] EnterCriticalSection(3e2028, 77c62440, fc, 7, ...) = 0
[T1804] SetFilePointer(ad4, 0, f0c868, 2, ...) = 10d2a6
[T1804] WriteFile(ad4, f0c8ac, 42, f0c890, ...) = 1
[T1804] LeaveCriticalSection(3e2028, f0ccf0, 77c30390, 7, ...) = 0
[T1804] LeaveCriticalSection(3e6900, f0cd1c, 77c3b967, 17, ...) = 0
[T1804] EnterCriticalSection(3e6900, 77c5fd60, f0cd20, 77c3b900, ...)
= 0
[T1804] HeapFree(3e, 0, 9e3710, 0, ...) = 1
[T1804] EnterCriticalSection(3e2028, 77c62440, fc, 7, ...) = 0
[T1804] CloseHandle(ad4, 77c62440, fc, f0cd04, ...) = 1
[T1804] LeaveCriticalSection(3e2028, f0cd04, 77c2d154, 7, ...) = 0
[T1804] LeaveCriticalSection(3e6900, f0cd1c, 77c3b967, 17, ...) = 0
[T1804] EnterCriticalSection(77c61b90, 77c5fcc0, f0cd08,
77c3b900, ...) = 0
[T1804] LeaveCriticalSection(77c61b90, f0cd04, 77c3b967, 12, ...) = 0
[T1804] EnterCriticalSection(77c61b90, 77c5fcc0, f0cd18,
77c3b900, ...) = 0
[T1804] LeaveCriticalSection(77c61b90, f0cd14, 77c3b967, 12, ...) = 0
[T1804] EnterCriticalSection(77c61b90, 1a, f0cd20, 77c3b900, ...) = 0
[T1804] LeaveCriticalSection(77c61b90, f0cd1c, 77c3b967, 12, ...) = 0
[T1804] Sleep(1388, 45f8f5, 1f27f8a3, fa034f3e, ...) = 0
[T1804] WaitForSingleObject(ac, 186a0, 1f27f8a3, fa034f3e, ...) = 102
[T1804] GetSystemTimeAsFileTime(f0cd4c, b7, b7, f0ce94, ...) = 1ca6e26
[T1804] GetLastError(630065, 4b0dbd8f, 77c4aa6d, 630065, ...) = b7
[T1804] TlsGetValue(3, 630065, 4b0dbd8f, 77c4aa6d, ...) = 3e6158
[T1804] SetLastError(b7, 630065, 4b0dbd8f, 77c4aa6d, ...) = 7ffdc000
[T1804] EnterCriticalSection(77c61a70, 61002d, f0cd0c, 77c42db6, ...)
= 0
[T1804] EnterCriticalSection(3e6900, 7, f0ccd0, 77c3b92a, ...) = 0
[T1804] LeaveCriticalSection(77c61a70, f0cd0c, 77c42ebc, 1, ...) = 0
[T1804] EnterCriticalSection(3e36e8, 80, f0cc54, 77c2e584, ...) = 0
[T1804] EnterCriticalSection(3e2028, 100, 80, 3, ...) = 0
[T1804] LeaveCriticalSection(3e36e8, f0cc54, 77c2e6a5, b, ...) = 0
[T1804] CreateFileA(f0cd78, 4000, 3, f0cc68, ...) = ad4
[T1804] GetFileType(ad4, 455d91, 2, 0, ...) = 1
[T1804] LeaveCriticalSection(3e2028, f0ccd0, 77c2f613, 7, ...) = 0
[T1804] LeaveCriticalSection(3e6900, f0cd04, 77c3b967, 17, ...) = 0
[T1804] EnterCriticalSection(3e6900, 77c5fd60, f0cd08, 77c3b900, ...)
= 0
[T1804] HeapAlloc(3e, 0, 1000, 77c5fd60, ...) = 9e3710
[T1804] EnterCriticalSection(3e2028, 77c62440, fc, 7, ...) = 0
[T1804] SetFilePointer(ad4, 0, 0, 2, ...) = 10d2e8
[T1804] LeaveCriticalSection(3e2028, f0ca48, 77c2f03d, 7, ...) = 0
[T1804] LeaveCriticalSection(3e6900, f0cd04, 77c3b967, 17, ...) = 0
[T1804] EnterCriticalSection(3e6900, 77c5fd60, f0cd18, 77c3b900, ...)
= 0
[T1804] LeaveCriticalSection(3e6900, f0cd14, 77c3b967, 17, ...) = 0
[T1804] EnterCriticalSection(3e6900, 1c, f0cd20, 77c3b900, ...) = 0
[T1804] LeaveCriticalSection(3e6900, f0cd1c, 77c3b967, 17, ...) = 0
[T1804] EnterCriticalSection(3e6900, 0, f0cd20, 77c3b900, ...) = 0
[T1804] EnterCriticalSection(3e2028, 77c62440, fc, 7, ...) = 0
[T1804] SetFilePointer(ad4, 0, f0c868, 2, ...) = 10d2e8
[T1804] WriteFile(ad4, f0c8ac, 42, f0c890, ...) = 1
[T1804] LeaveCriticalSection(3e2028, f0ccf0, 77c30390, 7, ...) = 0
[T1804] LeaveCriticalSection(3e6900, f0cd1c, 77c3b967, 17, ...) = 0
[T1804] EnterCriticalSection(3e6900, 77c5fd60, f0cd20, 77c3b900, ...)
= 0
[T1804] HeapFree(3e, 0, 9e3710, 0, ...) = 1
[T1804] EnterCriticalSection(3e2028, 77c62440, fc, 7, ...) = 0
[T1804] CloseHandle(ad4, 77c62440, fc, f0cd04, ...) = 1
[T1804] LeaveCriticalSection(3e2028, f0cd04, 77c2d154, 7, ...) = 0
[T1804] LeaveCriticalSection(3e6900, f0cd1c, 77c3b967, 17, ...) = 0
[T1804] EnterCriticalSection(77c61b90, 77c5fcc0, f0cd08,
77c3b900, ...) = 0
[T1804] LeaveCriticalSection(77c61b90, f0cd04, 77c3b967, 12, ...) = 0
[T1804] EnterCriticalSection(77c61b90, 77c5fcc0, f0cd18,
77c3b900, ...) = 0
[T1804] LeaveCriticalSection(77c61b90, f0cd14, 77c3b967, 12, ...) = 0
[T1804] EnterCriticalSection(77c61b90, 1c, f0cd20, 77c3b900, ...) = 0
[T1804] L

[ossec-list] Re: ossec-agent: Error waiting mutex (timeout)

[Tony]

Update...

When we originally setup the client, I assigned it a 4 digit ID. I
recently recalled reading that the manager can only support up to 256
agents at once, so there was really no need for me to setup anything
more than a 3 digit ID. Yesterday we uninstalled the agent from the
client box, I removed the agent from the manager, and we started over
again from scratch by reinstalling the agent, generating a new key,
and I assigned it only a 3 digit ID. We have not had one problem since
and it's been almost 24 hours now. Could assigning the client a 4
digit ID have been the problem?

--
Tony