List: ossec-list
Subject: [ossec-list] Re: Windows Agent Stops Unexpectedly
From: Rob <jnrelliott () gmail ! com>
Date: 2006-12-05 15:56:55
Message-ID: 726c9a8e0612050756v612ad641p28fddb31c5674ff1 () mail ! gmail ! com
Wow, that fixed it! Thanks for your help! I knew it had to be something
easy. Much appreciated.
Quick question - What's the minimum frequency time? I was putting 60
seconds.
Robert
On 12/4/06, Daniel Cid <daniel.cid@gmail.com> wrote:
>
> Hi Rob,
>
> After examining and testing your config, I found the problem: If you do
> not provide any log file to be monitored on the ossec-agent, it will die
> unexpectedly like that. Nobody ever noticed this error because most of
> the times we monitor at least one log. I have a fix ready for the next
> version, but to solve your problem for now, you will need to provide at
> least one log to be monitored (it does not need to be valid).
>
> For example, if you add the following to your ossec-agent config, it
> should work:
>
> <ossec_config>
> <localfile>
> <location>C:\invalid.log</location>
> <log_format>syslog</log_format>
> </localfile>
> </ossec_config>
>
> Let me know if this fixes your problem. If not, we will need to keep
> digging.
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
>
> On 11/29/06, Rob <jnrelliott@gmail.com> wrote:
> > Here's the agent config and log. I've checked to make sure nothing was
> > running. I ran the agent on a Windows 2003 SP1 Server, Windows 200 SP4,
> > and finally a Windows XP SP2 machine. All of them stopping unexpectedly.
> > As you can see in the log below, the agent is connecting and then the
> > agent dies mid-way. This only happens on rare occasions. The agent
> > usually dies right when it connects with the server. I've verified port
> > 1514 is open on the server and I get connection notifications.
> >
> > I greatly appreciate your help.
> >
> > Robert
> >
> > OSSEC.LOG
> >
> > 2006/11/29 08:48:00 ossec-agent: DEBUG: Reading agent configuration.
> > 2006/11/29 08:48:00 ossec-agent: DEBUG: Reading logcollector configuration.
> > 2006/11/29 08:48:00 ossec-agent: DEBUG: Reading private keys.
> > 2006/11/29 08:48:00 ossec-agent: Assigning counter for agent testxpbox: '0:1766'.
> > 2006/11/29 08:48:00 ossec-agent: Assigning sender counter: 0:66
> > 2006/11/29 08:48:00 ossec-agent: Connecting to server (10.65.8.23:1514).
> > 2006/11/29 08:48:00 ossec-agent: DEBUG: Creating thread mutex.
> > 2006/11/29 08:48:00 ossec-agent: Starting syscheckd thread.
> > 2006/11/29 08:48:15 ossec-agent(4101): Waiting for server reply (not started).
> > 2006/11/29 08:48:24 ossec-agent: DEBUG: Attempting to send message to server.
> > 2006/11/29 08:48:24 ossec-agent: DEBUG: Checking if time elapsed to send keep alive.
> > 2006/11/29 08:48:24 ossec-agent: DEBUG: Sending keep alive message.
> > 2006/11/29 08:48:24 ossec-agent: DEBUG: Sending keep alive: #!-Microsoft Windows XP Professional x64 Edition Service Pack 1 (Build 3790)
> > 2006/11/29 08:52:05 ossec-agent(4101): Waiting for server reply (not started).
> > 2006/11/29 08:52:15 ossec-agent: DEBUG: Checking if time elapsed to send keep alive.
> > 2006/11/29 08:52:37 ossec-agent: DEBUG: Checking if time elapsed to send keep alive.
> > 2006/11/29 08:53:00 ossec-agent: DEBUG: Checking if time elapsed to send keep alive.
> > 2006/11/29 08:53:22 ossec-agent(4102): Connected to the server.
> > 2006/11/29 08:53:22 ossec-agent: DEBUG: Checking if time elapsed to send keep alive.
> > 2006/11/29 08:53:22 ossec-agent: DEBUG: Entering LogCollectorStart().
> > 2006/11/29 08:53:27 ossec-agent: Server responded. Releasing lock.
> > 2006/11/29 08:53:27 ossec-agent: DEBUG: Sending message to server: '40960:33279:0:0:732f875d66358d83bc9281ae3a17d270:2c6f306d827f3cf05dd7a8d229fcf66bd537362a C:\dell/drivers/R96951/AEEnable.exe'
> > 2006/11/29 08:53:27 ossec-agent: DEBUG: Attempting to send message to server.
> > 2006/11/29 08:53:27 ossec-agent: DEBUG: Sending message to server: '23742:33206:0:0:fe9901280b768b37c069d282cd4ff93a:69f0122dd90857fa14f0ff2e85709843f7b2711a C:\dell/drivers/R96951/CPApp.ico'
> > 2006/11/29 08:53:27 ossec-agent: DEBUG: Attempting to send message to server.
> > 2006/11/29 08:53:27 ossec-agent: DEBUG: Sending message to server: '76:33206:0:0:ecc5e9367739f0462f5bd7a8cf96f6b1:c06c7f254c19322d6d595cb958433d7430d91d3c C:\dell/drivers/R96951/data.tag'
> > 2006/11/29 08:53:27 ossec-agent: DEBUG: Attempting to send message to server.
> > 2006/11/29 08:53:27 ossec-agent: DEBUG: Sending message to server: '1918256:33206:0:0:d4f44c040cf722e611d48d432157b3f4:f20f41a1970d17f640aea513f4503e0e2b60c87b C:\dell/drivers/R96951/data1.cab'
> > 2006/11/29 08:53:27 ossec-agent: DEBUG: Attempting to send message to server.
> > 2006/11/29 08:53:27 ossec-agent: DEBUG: Sending message to server: '76576:33206:0:0:521f4ae08e2d9674dbb7e68caea2ca65:1e6bce7400a26b3132c74422616d539d3153eeb3 C:\dell/drivers/R96951/data1.hdr'
> > 2006/11/29 08:53:27 ossec-agent: DEBUG: Attempting to send message to server.
> > 2006/11/29 08:53:27 ossec-agent: DEBUG: Sending message to server: '512:33206:0:0:91f37ddc6786b521b7d76ec4739170a0:61916e52e4631551687c6a882da22605156e5cf3 C:\dell/drivers/R96951/data2.cab'
> > 2006/11/29 08:53:27 ossec-agent: DEBUG: Attempting to send message to server.
> > 2006/11/29 08:53:27 ossec-agent: DEBUG: Sending message to server: '43520:33279:0:0:16155a03066c6c001a1bebdecd935b55:b5c1e0185cfc45c736a7961afe67284311ea5025 C:\dell/drivers/R96951/devsetup.exe'
> > 2006/11/29 08:53:27 ossec-agent: DEBUG: Attempting to send message to server.
> > 2006/11/29 08:53:27 ossec-agent: DEBUG: Sending message to server: '460264:33206:0:0:0058f5dcee32d5ce4ccde57df72efadb:9da68aa1036f0bd796233ee3acadeb36d2e3a147 C:\dell/drivers/R96951/engine32.cab'
> > 2006/11/29 08:53:27 ossec-agent: DEBUG: Attempting to send message to server.
> > 2006/11/29 08:53:27 ossec-agent: DEBUG: Sending message to server: '1539:33206:0:0:8c481f314ea4b4c8333741a0452f0424:ad8e784dd567ff7bee36cf0f746007c5fd1fba28 C:\dell/drivers/R96951/layout.bin'
> > 2006/11/29 08:53:27 ossec-agent: DEBUG: Attempting to send message to server.
> > 2006/11/29 08:53:27 ossec-agent: DEBUG: Sending message to server: '397:33206:0:0:0580cd62777ccf7d0e0d171d433c402f:4d98d8cb70ced47c9892061fad25c4c48b3a2c33 C:\dell/drivers/R96951/platform.cfg'
> > 2006/11/29 08:53:27 ossec-agent: DEBUG: Attempting to send message to server.
> > 2006/11/29 08:53:27 ossec-agent: DEBUG: Sending message to server: '6045:33206:0:0:b0ff76cc43157e594c8be3bdf1b2787a:e25ef9769ef1d3f3f56a6e323c8302d43b97bfe4 C:\dell/drivers/R96951/readme.txt'
> > 2006/11/29 08:53:27 ossec-agent: DEBUG: Attempting to send message to server.
> > 2006/11/29 08:53:27 ossec-agent: DEBUG: Sending message to server: '116688:33279:0:0:1b9c9b566129b5d1331d4f356fa6efdf:1914b61bb6e4388a3836173e46538446d2dce153 C:\dell/drivers/R96951/setup.exe'
> > 2006/11/29 08:53:27 ossec-agent: DEBUG: Attempting to send message to server.
> > 2006/11/29 08:53:27 ossec-agent: DEBUG: Sending message to server: '437812:33206:0:0:94d1151e8cf8103bb3557eefdca7c631:159f08df6543a5c14a0ca8f075a88ab700cdd77c C:\dell/drivers/R96951/setup.ibt'
> > 2006/11/29 08:53:27 ossec-agent: DEBUG: Attempting to send message to server.
> > 2006/11/29 08:53:27 ossec-agent: DEBUG: Sending message to server: '721:33206:0:0:bb02834aeba52dd040b3c9b5299682b9:d129c26365ed93b7380985cf690c656d9c73b6c8 C:\dell/drivers/R96951/setup.ini'
> > 2006/11/29 08:53:27 ossec-agent: DEBUG: Attempting to send message to server.
> > 2006/11/29 08:53:27 ossec-agent: DEBUG: Sending message to server: '379842:33206:0:0:69c91712cd00eb6aa464b23531ab03df:4d4afdd5ee1c363ecd5cfe16b8414b95a3f4ac06 C:\dell/drivers/R96951/setup.inx'
> >
> >
> > OSSEC.CONF
> >
> > <ossec_config>
> > <client>
> > <!-- IP address of the Ossec HIDS server -->
> > <server-ip> 10.65.8.23</server-ip>
> > </client>
> > </ossec_config>
> >
> > <!-- Default syscheck config -->
> > <ossec_config>
> > <syscheck>
> > <frequency>60</frequency>
> > <directories check_all="yes">C:\dell</directories>
> > </syscheck>
> > </ossec_config>
> >
> >
> >
> >
> >
> >
> >
> >
> > On 11/28/06, Daniel Cid <daniel.cid@gmail.com > wrote:
> > >
> > > Hi Rob,
> > >
> > > I really don't think it is a problem on the server. The agent should
> > > never "die" ungracefully like that. Can you show me your agent config
> > > and the agent log? It should be all under C:\program files\ossec-agent\ .
> > >
> > > I never had a problem with the agent dying like that, but maybe a
> > > different configuration is causing it... Btw, do you run any HIPS or
> > > something that can interfere with the processes running? You can also
> > > enable debug on the agent to see what it is doing:
> > >
> > > http://www.ossec.net/wiki/index.php/Community_manual:Debugging
> > >
> > > *are you running version 0.9-3 on Windows? If not, try updating to it..
> > >
> > > Thanks,
> > >
> > > --
> > > Daniel B. Cid
> > > dcid ( at ) ossec.net
> > >
> > >
> > >
> > > On 11/28/06, Rob <jnrelliott@gmail.com> wrote:
> > > > Just a bit more information. Tried Ubuntu 6.10 server and got the
> > > > same result. Also tried installing the agent on an XP box and it
> > > > keeps throwing Dr. Watson errors. At this point I can only hope it's
> > > > an issue with Ubuntu and going to try out Fedora tomorrow. It really
> > > > does seem like it's an issue only during the "sending" of the
> > > > syscheck events that causes the error. Event log alerts are coming
> > > > thru fine.
> > > >
> > > > Robert
> > > >
> > > >
> > > > On 11/27/06, Rob <jnrelliott@gmail.com> wrote:
> > > > > The config and log files are below. The server is running standard
> > > > > Ubuntu 6.06. It was loaded without any modification except for
> > > > > installing the ossec server. I am receiving connection notifications
> > > > > when agents connect and disconnect. The ossec server was installed
> > > > > several times with different options. The logs and configs reflect
> > > > > the latest attempt without installing syscheck locally.
> > > > >
> > > > > On top of that, I ran filemon and found the agent is doing hash
> > > > > checks and I can see the db file on the agent that has the hashes.
> > > > > But it looks like when it attempts to send the file to the server
> > > > > is when the error happens and the agent stops unexpectedly.
> > > > >
> > > > > Thanks for the help.
> > > > > Robert
> > > > >
> > > > >
> > > > > ossec.conf file-
> > > > > <ossec_config>
> > > > > <global>
> > > > > <email_notification>yes</email_notification>
> > > > > <email_to> me@mycompany.com</email_to>
> > > > > <smtp_server>smtp.mycompany.com.com</smtp_server>
> > > > > <email_from>ossecm@testossec-desktop</email_from>
> > > > > </global>
> > > > >
> > > > > <rules>
> > > > > <include>rules_config.xml</include>
> > > > > <include>pam_rules.xml</include>
> > > > > <include>sshd_rules.xml</include>
> > > > > <include>telnetd_rules.xml</include>
> > > > > <include>syslog_rules.xml</include>
> > > > > <include>arpwatch_rules.xml</include>
> > > > > <include>pix_rules.xml</include>
> > > > > <include>named_rules.xml</include>
> > > > > <include>smbd_rules.xml</include>
> > > > > <include>vsftpd_rules.xml</include>
> > > > > <include>pure-ftpd_rules.xml</include>
> > > > > <include>proftpd_rules.xml</include>
> > > > > <include>ms_ftpd_rules.xml</include>
> > > > > <include>hordeimp_rules.xml</include>
> > > > > <include>vpopmail_rules.xml</include>
> > > > > <include>web_rules.xml</include>
> > > > > <include>apache_rules.xml</include>
> > > > > <include>ids_rules.xml</include>
> > > > > <include>squid_rules.xml</include>
> > > > > <include>firewall_rules.xml</include>
> > > > > <include>netscreenfw_rules.xml</include>
> > > > > <include>postfix_rules.xml</include>
> > > > > <include>sendmail_rules.xml</include>
> > > > > <include>imapd_rules.xml</include>
> > > > > <include>mailscanner_rules.xml</include>
> > > > > <include>ms-exchange_rules.xml</include>
> > > > > <include>racoon_rules.xml</include>
> > > > > <include>spamd_rules.xml</include>
> > > > > <include>msauth_rules.xml</include>
> > > > > <!-- <include>policy_rules.xml</include> -->
> > > > > <include>attack_rules.xml</include>
> > > > > <include>local_rules.xml</include>
> > > > > <include>ossec_rules.xml</include>
> > > > > </rules>
> > > > >
> > > > >
> > > > > <active-response>
> > > > > <disabled>yes</disabled>
> > > > > </active-response>
> > > > >
> > > > >
> > > > > <remote>
> > > > > <connection>syslog</connection>
> > > > > </remote>
> > > > >
> > > > > <remote>
> > > > > <connection>secure</connection>
> > > > > </remote>
> > > > >
> > > > > <alerts>
> > > > > <log_alert_level>1</log_alert_level>
> > > > > <email_alert_level>7</email_alert_level>
> > > > > </alerts>
> > > > > <!-- Files to monitor (localfiles) -->
> > > > >
> > > > > <localfile>
> > > > > <log_format>syslog</log_format>
> > > > > <location>/var/log/messages</location>
> > > > > </localfile>
> > > > >
> > > > > <localfile>
> > > > > <log_format>syslog</log_format>
> > > > > <location>/var/log/auth.log</location>
> > > > > </localfile>
> > > > >
> > > > > <localfile>
> > > > > <log_format>syslog</log_format>
> > > > > <location>/var/log/syslog</location>
> > > > > </localfile>
> > > > >
> > > > > <localfile>
> > > > > <log_format>syslog</log_format>
> > > > > <location>/var/log/mail.info</location>
> > > > > </localfile>
> > > > > </ossec_config>
> > > > >
> > > > > ossec.log
> > > > >
> > > > > 2006/11/22 14:39:38 ossec-syscheckd(1702): No directory provided for 'directories' element.
> > > > > 2006/11/22 14:39:38 ossec-maild: Started (pid: 9570).
> > > > > 2006/11/22 14:39:38 ossec-execd: Started (pid: 9574).
> > > > > 2006/11/22 14:39:38 ossec-analysisd: Reading rules file: 'rules_config.xml'
> > > > > 2006/11/22 14:39:38 ossec-analysisd: Reading rules file: 'pam_rules.xml'
> > > > > 2006/11/22 14:39:38 ossec-analysisd: Reading rules file: 'sshd_rules.xml'
> > > > > 2006/11/22 14:39:38 ossec-analysisd: Reading rules file: 'telnetd_rules.xml'
> > > > > 2006/11/22 14:39:38 ossec-analysisd: Reading rules file: 'syslog_rules.xml'
> > > > > 2006/11/22 14:39:38 ossec-analysisd: Reading rules file: 'arpwatch_rules.xml'
> > > > > 2006/11/22 14:39:38 ossec-analysisd: Reading rules file: 'pix_rules.xml'
> > > > > 2006/11/22 14:39:38 ossec-analysisd: Reading rules file: 'named_rules.xml'
> > > > > 2006/11/22 14:39:38 ossec-analysisd: Reading rules file: 'smbd_rules.xml'
> > > > > 2006/11/22 14:39:38 ossec-analysisd: Reading rules file: 'vsftpd_rules.xml'
> > > > > 2006/11/22 14:39:38 ossec-analysisd: Reading rules file: 'pure-ftpd_rules.xml'
> > > > > 2006/11/22 14:39:38 ossec-analysisd: Reading rules file: 'proftpd_rules.xml'
> > > > > 2006/11/22 14:39:38 ossec-analysisd: Reading rules file: 'ms_ftpd_rules.xml'
> > > > > 2006/11/22 14:39:38 ossec-analysisd: Reading rules file: 'hordeimp_rules.xml'
> > > > > 2006/11/22 14:39:38 ossec-analysisd: Reading rules file: 'vpopmail_rules.xml'
> > > > > 2006/11/22 14:39:38 ossec-analysisd: Reading rules file: 'web_rules.xml'
> > > > > 2006/11/22 14:39:38 ossec-analysisd: Reading rules file: 'apache_rules.xml'
> > > > > 2006/11/22 14:39:38 ossec-analysisd: Reading rules file: 'ids_rules.xml'
> > > > > 2006/11/22 14:39:38 ossec-analysisd: Reading rules file: 'squid_rules.xml'
> > > > > 2006/11/22 14:39:38 ossec-analysisd: Reading rules file: 'firewall_rules.xml'
> > > > > 2006/11/22 14:39:38 ossec-analysisd: Reading rules file: 'netscreenfw_rules.xml'
> > > > > 2006/11/22 14:39:38 ossec-analysisd: Reading rules file: 'postfix_rules.xml'
> > > > > 2006/11/22 14:39:38 ossec-analysisd: Reading rules file: 'sendmail_rules.xml'
> > > > > 2006/11/22 14:39:38 ossec-analysisd: Reading rules file: 'imapd_rules.xml'
> > > > > 2006/11/22 14:39:38 ossec-analysisd: Reading rules file: 'mailscanner_rules.xml'
> > > > > 2006/11/22 14:39:38 ossec-analysisd: Reading rules file: 'ms-exchange_rules.xml'
> > > > > 2006/11/22 14:39:38 ossec-analysisd: Reading rules file: 'racoon_rules.xml'
> > > > > 2006/11/22 14:39:38 ossec-analysisd: Reading rules file: 'spamd_rules.xml'
> > > > > 2006/11/22 14:39:38 ossec-analysisd: Reading rules file: 'msauth_rules.xml'
> > > > > 2006/11/22 14:39:38 ossec-analysisd: Reading rules file: 'attack_rules.xml'
> > > > > 2006/11/22 14:39:38 ossec-analysisd: Reading rules file: 'local_rules.xml'
> > > > > 2006/11/22 14:39:38 ossec-analysisd: Reading rules file: 'ossec_rules.xml'
> > > > > 2006/11/22 14:39:38 ossec-analysisd: Total rules enabled: '452'
> > > > > 2006/11/22 14:39:38 ossec-analysisd: Started (pid: 9578).
> > > > > 2006/11/22 14:39:38 ossec-remoted: Started (pid: 9586).
> > > > > 2006/11/22 14:39:38 ossec-remoted(1501): No IP or network allowed in the access list for syslog. No reason for running it. Exiting.
> > > > > 2006/11/22 14:39:38 ossec-remoted: Started (pid: 9588).
> > > > > 2006/11/22 14:39:38 ossec-syscheckd(1702): No directory provided for 'directories' element.
> > > > > 2006/11/22 14:39:38 ossec-syscheckd: Syscheck disabled. Exiting.
> > > > > 2006/11/22 14:39:38 ossec-monitord: Started (pid: 9594).
> > > > > 2006/11/22 14:39:44 ossec-logcollector(1950): Analyzing file: '/var/log/messages'.
> > > > > 2006/11/22 14:39:44 ossec-logcollector(1950): Analyzing file: '/var/log/auth.log'.
> > > > > 2006/11/22 14:39:44 ossec-logcollector(1950): Analyzing file: '/var/log/syslog'.
> > > > > 2006/11/22 14:39:44 ossec-logcollector(1950): Analyzing file: '/var/log/mail.info'.
> > > > > 2006/11/22 14:39:44 ossec-logcollector: Started (pid: 9582).
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > On 11/23/06, Black CryptoKnight <black_cryptoknight@yahoo.com> wrote:
> > > > > > What do the ossec.log files on your ossec server and the client say?
> > > > > >
> > > > > >
> > > > > > Rob < jnrelliott@gmail.com> wrote:
> > > > > > Hello,
> > > > > >
> > > > > > Installed ossec via server mode on Ubuntu, fresh install. I was
> > > > > > able to get the server started and ran the manage_agents utility.
> > > > > > Got the needed key and ran the agent installer on my windows 2000
> > > > > > and windows 2003 servers. Port 1514 is not blocked and I'm getting
> > > > > > notifications when the agents connect. So far so good. However,
> > > > > > after about a minute or so, the agents stop unexpectedly with the
> > > > > > error below. I've uninstalled VirusScan, I've configured allow
> > > > > > lists (on ossec server), but the agent keeps stopping and it seems
> > > > > > it's during a syscheck. The files/directories I scan are test ones
> > > > > > with no real system value. Is there anything else I can try to
> > > > > > keep the agents from stopping? I also get a Dr.Watson error, also
> > > > > > below. I've run Filemon and found the agent stops right after
> > > > > > syscheck finishes its scan.
> > > > > >
> > > > > > Any help would be great since I really want to use the product!
> > > > > >
> > > > > > Thanks,
> > > > > > Robert
> > > > > >
> > > > > > --------------------------------------
> > > > > > Event Type: Information
> > > > > > Event Source: DrWatson
> > > > > > Event Category: None
> > > > > > Event ID: 4097
> > > > > > Date: 11/22/2006
> > > > > > Time: 10:23:11 AM
> > > > > > User: N/A
> > > > > > Computer: NTFWADPCTXP2
> > > > > > Description:
> > > > > > The application, C:\Program Files\ossec-agent\ossec-agent.exe, generated an application error The error occurred on 11/22/2006 @ 10:23:11.458The exception generated was c0000005 at address 004346A5 (ossec_agent)
> > > > > >
> > > > > > For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp .
> > > > > > --------------------------------------
> > > > > >
> > > > > > Event Type: Error
> > > > > > Event Source: Application Error
> > > > > > Event Category: (100)
> > > > > > Event ID: 1000
> > > > > > Date: 11/22/2006
> > > > > > Time: 10:23:11 AM
> > > > > > User: N/A
> > > > > > Computer: NTFWADPCTXP2
> > > > > > Description:
> > > > > > Faulting application ossec-agent.exe, version 0.0.0.0, faulting module ossec-agent.exe, version 0.0.0.0, fault address 0x000346a5.
> > > > > >
> > > > > > For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
> > > > > > Data:
> > > > > > 0000: 41 70 70 6c 69 63 61 74 Applicat
> > > > > > 0008: 69 6f 6e 20 46 61 69 6c ion Fail
> > > > > > 0010: 75 72 65 20 20 6f 73 73 ure oss
> > > > > > 0018: 65 63 2d 61 67 65 6e 74 ec-agent
> > > > > > 0020: 2e 65 78 65 20 30 2e 30 .exe 0.0
> > > > > > 0028: 2e 30 2e 30 20 69 6e 20 .0.0 in
> > > > > > 0030: 6f 73 73 65 63 2d 61 67 ossec-ag
> > > > > > 0038: 65 6e 74 2e 65 78 65 20 ent.exe
> > > > > > 0040: 30 2e 30 2e 30 2e 30 20 0.0.0.0
> > > > > > 0048: 61 74 20 6f 66 66 73 65 at offse
> > > > > > 0050: 74 20 30 30 30 33 34 36 t 000346
> > > > > > 0058: 61 35 a5
> > > > >
> > > > >
> > > >
> > > >
> > >
> >
> >
>
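An added example, not code from the thread or from the OSSEC project: a pre-flight check for an agent ossec.conf that flags the condition Daniel identified (no <localfile> block at all), plus the "No directory provided for 'directories' element" case visible in the server log. The two sample configs are constructed from the ones posted in the thread; the finding texts and the function names are my own.

```python
"""Pre-flight lint for an ossec-agent ossec.conf (added example, not OSSEC code).

The thread's root cause: an agent config with no <localfile> makes the 0.9-3
Windows agent exit unexpectedly. This script refuses such a config before the
agent is started, and reports a few related omissions seen in the thread.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the config Rob posted (client + syscheck, no localfile).
CRASHING_CONF = """<ossec_config>
  <client>
    <!-- IP address of the Ossec HIDS server -->
    <server-ip> 10.65.8.23</server-ip>
  </client>
</ossec_config>

<!-- Default syscheck config -->
<ossec_config>
  <syscheck>
    <frequency>60</frequency>
    <directories check_all="yes">C:\\dell</directories>
  </syscheck>
</ossec_config>
"""

# Constructed sample: the same config with the placeholder localfile from
# Daniel's workaround appended (the location does not have to exist).
FIXED_CONF = CRASHING_CONF + """<ossec_config>
  <localfile>
    <location>C:\\invalid.log</location>
    <log_format>syslog</log_format>
  </localfile>
</ossec_config>
"""


def parse_ossec_conf(text):
    """ossec.conf is a sequence of <ossec_config> blocks rather than one XML
    document, so wrap it in a synthetic root before parsing. Comments between
    the blocks are dropped by the default parser, which is what we want."""
    return ET.fromstring("<conf>" + text + "</conf>")


def check_agent_conf(text):
    """Return a list of findings for an agent config; empty means it looks sane."""
    root = parse_ossec_conf(text)
    findings = []

    # The crash condition from the thread: nothing for the logcollector to do.
    localfiles = root.findall(".//localfile")
    if not localfiles:
        findings.append(
            "no <localfile> block: ossec-agent 0.9-3 exits unexpectedly when "
            "nothing is configured for the logcollector (add at least one)")
    for lf in localfiles:
        for tag in ("location", "log_format"):
            el = lf.find(tag)
            if el is None or not (el.text or "").strip():
                findings.append("<localfile> is missing <%s>" % tag)

    # An agent with no server address has nowhere to send anything.
    if root.find(".//client/server-ip") is None:
        findings.append("no <client><server-ip>: agent has no server to connect to")

    # Mirrors the server-side 'No directory provided' / 'Syscheck disabled' log lines.
    syscheck = root.find(".//syscheck")
    if syscheck is not None:
        dirs = [d for d in syscheck.findall("directories") if (d.text or "").strip()]
        if not dirs:
            findings.append("<syscheck> has no <directories>; syscheck will be disabled")
        freq = syscheck.find("frequency")
        if freq is not None and not (freq.text or "").strip().isdigit():
            findings.append("<syscheck><frequency> is not a whole number of seconds")
    return findings


if __name__ == "__main__":
    for name, conf in (("crashing", CRASHING_CONF), ("fixed", FIXED_CONF)):
        print(name, check_agent_conf(conf) or ["ok"])
```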
when it attempts to send the file to the server is when the errors<br>> \
happens<br>> > > and the agent stops unexpectedly. <br>> > > \
><br>> > > > Thanks for the help.<br>> > > > \
Robert<br>> > > ><br>> > > ><br>> > > > \
ossec.conf file-<br>> > > > <ossec_config> <br>> > > \
> <global><br>> > > > \
<email_notification>yes</email_notification><br>> > > \
> <email_to> <a \
href="mailto:me@mycompany.com">me@mycompany.com</a> </email_to><br>> > \
> > <smtp_server><a \
href="http://smtp.mycompany.com.com">smtp.mycompany.com.com</a></smtp_server><br>> \
> > > \
<email_from>ossecm@testossec-desktop</email_from> <br>> > > \
> </global><br>> > > ><br>> > > \
> <rules><br>> > > > \
<include>rules_config.xml</include><br>> > > \
> <include>pam_rules.xml</include> <br>> \
> > > \
<include>sshd_rules.xml</include><br>> > > \
> <include>telnetd_rules.xml</include><br>> \
> > > \
<include>syslog_rules.xml</include> <br>> > > \
> \
<include>arpwatch_rules.xml</include><br>> > > \
> <include>pix_rules.xml</include><br>> \
> > > <include>named_rules.xml</include> \
<br>> > > > \
<include>smbd_rules.xml</include><br>> > > \
> <include>vsftpd_rules.xml</include><br>> \
> > > \
<include>pure-ftpd_rules.xml</include> <br>> > > \
> <include>proftpd_rules.xml</include><br>> \
> > > \
<include>ms_ftpd_rules.xml</include><br>> > > \
> <include>hordeimp_rules.xml</include> \
<br>> > > > \
<include>vpopmail_rules.xml</include><br>> > > \
<br>> > > > \
<include>ids_rules.xml</include><br>> > > \
> <include>squid_rules.xml</include><br>> \
> > > \
<include>firewall_rules.xml</include> <br>> > > \
> \
<include>netscreenfw_rules.xml</include><br>> > > \
> <include>postfix_rules.xml</include><br>> \
> > > \
<include>sendmail_rules.xml</include> <br>> > > \
> <include>imapd_rules.xml</include><br>> \
> > > \
<include>mailscanner_rules.xml</include><br>> > > \
> <include>ms-exchange_rules.xml</include> \
<br>> > > > \
<include>racoon_rules.xml</include><br>> > > \
> <include>spamd_rules.xml</include><br>> \
> > > \
<include>msauth_rules.xml</include> <br>> > > \
> <!-- <include>policy_rules.xml</include> \
--><br>> > > > \
<include>attack_rules.xml</include><br>> > > \
> <include>local_rules.xml</include> <br>> \
> > > \
<include>ossec_rules.xml</include><br>> > > > \
</rules><br>> > > ><br>> > > ><br>> > > \
> <active-response><br>> > > \
> <disabled>yes</disabled> <br>> > > \
> </active-response><br>> > > ><br>> > > \
><br>> > > > <remote><br>> > > \
> <connection>syslog</connection><br>> > \
> > </remote> <br>> > > ><br>> > > \
> <remote><br>> > > > \
<connection>secure</connection><br>> > > > \
</remote><br>> > > ><br>> > > > \
<alerts> <br>> > > > \
<log_alert_level>1</log_alert_level><br>> > > \
> \
<email_alert_level>7</email_alert_level><br>> > > \
> </alerts><br>> > > > <!-- Files to \
monitor (localfiles) --> <br>> > > ><br>> > > \
> <localfile><br>> > > > \
<log_format>syslog</log_format><br>> > > \
> \
<location>/var/log/messages</location><br>> > > > \
</localfile> <br>> > > ><br>> > > > \
<localfile><br>> > > > \
<log_format>syslog</log_format><br>> > > \
> \
<location>/var/log/auth.log</location><br>> > > > \
</localfile> <br>> > > ><br>> > > > \
<localfile><br>> > > > \
<log_format>syslog</log_format><br>> > > \
> <location>/var/log/syslog</location><br>> \
> > > </localfile> <br>> > > ><br>> > \
> > <localfile><br>> > > \
> <log_format>syslog</log_format><br>> > \
> > \
<location>/var/log/mail.info</location><br>> > > \
> </localfile> <br>> > > > \
</ossec_config><br>> > > ><br>> > > ><br>> > \
><br>> ------------------------------------------------------------------------------------------------------------
<br>> > > > ossec.log<br>> > > ><br>> > > > \
2006/11/22 14:39:38 ossec-syscheckd(1702): No directory provided for<br>> > \
> 'directories' element.<br>> > > > 2006/11/22 14:39:38 ossec-maild: \
Started (pid: 9570). <br>> > > > 2006/11/22 14:39:38 ossec-execd: Started \
(pid: 9574).<br>> > > > 2006/11/22 14:39:38 ossec-analysisd: Reading \
rules file:<br>> > > 'rules_config.xml'<br>> > > > 2006/11/22 \
14:39:38 ossec-analysisd: Reading rules file: <br>> 'pam_rules.xml'<br>> > \
> > 2006/11/22 14:39:38 ossec-analysisd: Reading rules file:<br>> \
'sshd_rules.xml'<br>> > > > 2006/11/22 14:39:38 ossec-analysisd: Reading \
rules file:<br>> > > 'telnetd_rules.xml' <br>> > > > 2006/11/22 \
14:39:38 ossec-analysisd: Reading rules file:<br>> > > \
'syslog_rules.xml'<br>> > > > 2006/11/22 14:39:38 ossec-analysisd: \
Reading rules file:<br>> > > 'arpwatch_rules.xml' <br>> > > > \
2006/11/22 14:39:38 ossec-analysisd: Reading rules file:<br>> \
'pix_rules.xml'<br>> > > > 2006/11/22 14:39:38 ossec-analysisd: Reading \
rules file:<br>> 'named_rules.xml'<br>> > > > 2006/11/22 14:39:38 \
ossec-analysisd: Reading rules file: <br>> 'smbd_rules.xml'<br>> > > > \
2006/11/22 14:39:38 ossec-analysisd: Reading rules file:<br>> > > \
'vsftpd_rules.xml'<br>> > > > 2006/11/22 14:39:38 ossec-analysisd: \
Reading rules file: <br>> > > 'pure-ftpd_rules.xml'<br>> > > > \
2006/11/22 14:39:38 ossec-analysisd: Reading rules file:<br>> > > \
'proftpd_rules.xml'<br>> > > > 2006/11/22 14:39:38 ossec-analysisd: \
Reading rules file: <br>> > > 'ms_ftpd_rules.xml'<br>> > > > \
2006/11/22 14:39:38 ossec-analysisd: Reading rules file:<br>> > > \
'hordeimp_rules.xml'<br>> > > > 2006/11/22 14:39:38 ossec-analysisd: \
Reading rules file: <br>> > > 'vpopmail_rules.xml'<br>> > > > \
2006/11/22 14:39:38 ossec-analysisd: Reading rules file:<br>> \
'web_rules.xml'<br>> > > > 2006/11/22 14:39:38 ossec-analysisd: Reading \
rules file: <br>> > > 'apache_rules.xml'<br>> > > > 2006/11/22 \
14:39:38 ossec-analysisd: Reading rules file:<br>> 'ids_rules.xml'<br>> > \
> > 2006/11/22 14:39:38 ossec-analysisd: Reading rules file: <br>> \
'squid_rules.xml'<br>> > > > 2006/11/22 14:39:38 ossec-analysisd: Reading \
rules file:<br>> > > 'firewall_rules.xml'<br>> > > > 2006/11/22 \
14:39:38 ossec-analysisd: Reading rules file: <br>> > > \
'netscreenfw_rules.xml'<br>> > > > 2006/11/22 14:39:38 ossec-analysisd: \
Reading rules file:<br>> > > 'postfix_rules.xml'<br>> > > > \
2006/11/22 14:39:38 ossec-analysisd: Reading rules file: <br>> > > \
'sendmail_rules.xml'<br>> > > > 2006/11/22 14:39:38 ossec-analysisd: \
Reading rules file:<br>> 'imapd_rules.xml'<br>> > > > 2006/11/22 \
14:39:38 ossec-analysisd: Reading rules file: <br>> > > \
'mailscanner_rules.xml'<br>> > > > 2006/11/22 14:39:38 ossec-analysisd: \
Reading rules file:<br>> > > 'ms-exchange_rules.xml'<br>> > > > \
2006/11/22 14:39:38 ossec-analysisd: Reading rules file: <br>> > > \
'racoon_rules.xml'<br>> > > > 2006/11/22 14:39:38 ossec-analysisd: \
Reading rules file:<br>> 'spamd_rules.xml'<br>> > > > 2006/11/22 \
14:39:38 ossec-analysisd: Reading rules file: <br>> > > \
'msauth_rules.xml'<br>> > > > 2006/11/22 14:39:38 ossec-analysisd: \
Reading rules file:<br>> > > 'attack_rules.xml'<br>> > > > \
2006/11/22 14:39:38 ossec-analysisd: Reading rules file: <br>> \
'local_rules.xml'<br>> > > > 2006/11/22 14:39:38 ossec-analysisd: Reading \
rules file:<br>> 'ossec_rules.xml'<br>> > > > 2006/11/22 14:39:38 \
ossec-analysisd: Total rules enabled: '452'<br> > > > > 2006/11/22 \
14:39:38 ossec-analysisd: Started (pid: 9578).<br>> > > > 2006/11/22 \
14:39:38 ossec-remoted: Started (pid: 9586).<br>> > > > 2006/11/22 \
14:39:38 ossec-remoted(1501): No IP or network allowed in <br>> the<br>> > \
> access list for syslog. No reason for running it. Exiting.<br>> > > \
> 2006/11/22 14:39:38 ossec-remoted: Started (pid: 9588).<br>> > > > \
2006/11/22 14:39:38 ossec-syscheckd(1702): No directory provided for <br>> > \
> 'directories' element.<br>> > > > 2006/11/22 14:39:38 \
ossec-syscheckd: Syscheck disabled. Exiting.<br>> > > > 2006/11/22 \
14:39:38 ossec-monitord: Started (pid: 9594).<br>> > > > 2006/11/22 \
14:39:44 ossec-logcollector(1950): Analyzing file: <br>> > > \
'/var/log/messages'.<br>> > > > 2006/11/22 14:39:44 \
ossec-logcollector(1950): Analyzing file:<br>> > > \
'/var/log/auth.log'.<br>> > > > 2006/11/22 14:39:44 \
ossec-logcollector(1950): Analyzing file: <br>> > > \
'/var/log/syslog'.<br>> > > > 2006/11/22 14:39:44 \
ossec-logcollector(1950): Analyzing file:<br>> > > \
'/var/log/mail.info'.<br>> > > > 2006/11/22 14:39:44 ossec-logcollector: \
Started (pid: 9582). <br>> > > ><br>> > > ><br>> > > \
><br>> > > ><br>> > > ><br>> > > > On \
11/23/06, Black CryptoKnight < <a href="mailto:black_cryptoknight@yahoo.com"> \
black_cryptoknight@yahoo.com</a>> wrote:<br>> > > > > What do the \
ossec.log files on your ossec server and the client say?<br>> > > > \
><br>> > > > ><br>> > > > > Rob < <a \
href="mailto:jnrelliott@gmail.com">jnrelliott@gmail.com</a>> wrote:<br>> > \
> > > Hello,<br>> > > > ><br>> > > > \
> Installed ossec via server mode on Ubuntu, fresh \
install. I was <br>> > > able to get the server started and ran \
the manage_agents utility. Got<br>> the<br>> > > needed key \
and ran the agent installer on my windows 2000 and windows<br>> 2003<br>> > \
> servers. Port 1514 is not blocked and I'm getting notifications when \
<br>> the<br>> > > agents connect. So far so \
good. However, after about a minute or so,<br>> the<br>> > > \
agents stop unexpectedly with the error below. I've uninstalled<br>> \
VirusScan,<br>> > > i've configured allow lists (on ossec server), but the \
agent keeps <br>> stopping<br>> > > and it seems it's during a \
syscheck. The files/directories I scan are<br>> test<br>> > > \
ones with no real system value. Is there anything else I can try \
to<br>> keep<br> > > > the agents from stopping? I also get a \
Dr.Watson error, also below.<br>> I've<br>> > > ran Filemon and found the \
agent stops right after syscheck finishes it's<br>> > > scan.<br>> > \
> > > <br>> > > > > Any help would be great since I really \
want to use the product!<br>> > > > ><br>> > > > > \
Thanks,<br>> > > > > RObert<br>> > > > ><br> > > \
> > > --------------------------------------<br>> > > > > \
Event Type: Information<br>> > > > > Event \
Source: DrWatson<br>> > > > > Event \
Category: None <br>> > > > > Event \
ID: 4097<br>> > > > > \
Date: 11/22/2006<br>> > > \
> > Time: 10:23:11 AM<br>> \
> > > > User: N/A<br>> \
> > > > Computer: NTFWADPCTXP2 <br>> > > \
> > Description:<br>> > > > > The application, C:\Program \
Files\ossec-agent\ossec-agent.exe,<br>> generated<br>> > > an application \
error The error occurred on 11/22/2006 @ 10:23: 11.458 The<br>> > > \
exception generated was c0000005 at address 004346A5 (ossec_agent)<br>> > > \
> ><br>> > > > > For more information, see Help and Support \
Center at<br>> > > <a \
href="http://go.microsoft.com/fwlink/events.asp">http://go.microsoft.com/fwlink/events.asp</a> \
.<br>> > > > > --------------------------------------<br>> > \
> > ><br>> > > > > Event Type: Error \
<br>> > > > > Event Source: Application \
Error<br>> > > > > Event \
Category: (100)<br>> > > > > Event \
ID: 1000<br>> > > > > \
Date: 11/22/2006<br>> > > \
> > Time: 10:23:11 AM <br>> \
> > > > User: N/A<br>> \
> > > > Computer: NTFWADPCTXP2<br>> > > \
> > Description:<br>> > > > > Faulting application \
ossec-agent.exe, version <a href="http://0.0.0.0"> 0.0.0.0</a>, faulting<br>> \
module<br>> > > ossec-agent.exe, version <a \
href="http://0.0.0.0">0.0.0.0</a>, fault address 0x000346a5.<br>> > > > \
><br>> > > > > For more information, see Help and Support Center at \
<br>> > > <a \
href="http://go.microsoft.com/fwlink/events.asp">http://go.microsoft.com/fwlink/events.asp</a>.<br>> \
> > > > Data:<br>> > > > > 0000: 41 70 70 6c 69 63 61 \
74 Applicat<br> > > > > > 0008: 69 6f 6e 20 46 61 69 \
6c ion Fail<br>> > > > > 0010: 75 72 65 20 20 6f 73 \
73 ure oss<br>> > > > > 0018: 65 63 2d 61 67 65 \
6e 74 ec-agent<br>> > > > > 0020: 2e 65 78 65 20 30 2e \
30 .exe 0.0<br>> > > > > 0028: 2e 30 2e 30 20 69 6e \
20 .0.0 in<br>> > > > > 0030: 6f 73 73 65 63 2d 61 \
67 ossec-ag<br>> > > > > 0038: 65 6e 74 2e 65 78 65 \
20 ent.exe<br>> > > > > 0040: 30 2e 30 2e 30 2e 30 \
20 <a href="http://0.0.0.0">0.0.0.0</a><br>> > > > > \
0048: 61 74 20 6f 66 66 73 65 at offse<br>> > > > > 0050: \
74 20 30 30 30 33 34 36 t 000346<br>> > > > > 0058: 61 \
<br>> > > > ><br>> > > > ><br>> > > > \
><br>> > > > ><br>> > > > ><br>> > > > \
><br>> > > > ><br>> > > > > Visit Jamaica's Tech \
Portal <a href="http://www.techjamaica.com">http://www.techjamaica.com</a><br>> \
> > > ><br>> > > > > \
________________________________<br>> > > Everyone is raving about the \
all-new Yahoo! Mail beta. <br>> > > ><br>> > > ><br>> > \
><br>> > ><br>> ><br>><br>><br></blockquote></div><br>
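The DEBUG lines in Rob's agent log show exactly what syscheck ships to the server for each file under C:\dell: one message per file, carrying the file's size, mode, owner, group, MD5 and SHA1 followed by the path. The script below is an added example, not code from OSSEC or from anyone in this thread: it parses those messages out of the agent's debug log, decodes the numeric mode (33206 is 0o100666, a regular file with rw-rw-rw-), and diffs two scans the way the server's syscheck database does to flag added, deleted, modified and re-permissioned files. The field order size:mode:uid:gid:md5:sha1 path is an assumption based on the classic OSSEC syscheck message format and on the lines quoted above; the first scan is copied from the thread, the second scan and its hashes are constructed.

```python
"""Parse OSSEC syscheck messages from an agent DEBUG log and diff two scans.

Added example; not OSSEC code. Assumed message layout (matches the lines
quoted in the thread): size:mode:uid:gid:md5:sha1 <path>, mode as decimal
st_mode. Sample log lines are copied from the thread; SECOND_SCAN is
constructed for illustration.
"""
import re
import stat
from dataclasses import dataclass
from typing import Dict, List, Optional

# Copied from the agent log in the thread (message and path joined on one line).
AGENT_LOG = """\
2006/11/29 08:53:27 ossec-agent: DEBUG: Sending message to server: '116688:33279:0:0:1b9c9b566129b5d1331d4f356fa6efdf:1914b61bb6e4388a3836173e46538446d2dce153 C:\\dell/drivers/R96951/setup.exe'
2006/11/29 08:53:27 ossec-agent: DEBUG: Attempting to send message to server.
2006/11/29 08:53:27 ossec-agent: DEBUG: Sending message to server: '437812:33206:0:0:94d1151e8cf8103bb3557eefdca7c631:159f08df6543a5c14a0ca8f075a88ab700cdd77c C:\\dell/drivers/R96951/setup.ibt'
2006/11/29 08:53:27 ossec-agent: DEBUG: Attempting to send message to server.
2006/11/29 08:53:27 ossec-agent: DEBUG: Sending message to server: '721:33206:0:0:bb02834aeba52dd040b3c9b5299682b9:d129c26365ed93b7380985cf690c656d9c73b6c8 C:\\dell/drivers/R96951/setup.ini'
2006/11/29 08:53:27 ossec-agent: DEBUG: Attempting to send message to server.
2006/11/29 08:53:27 ossec-agent: DEBUG: Sending message to server: '379842:33206:0:0:69c91712cd00eb6aa464b23531ab03df:4d4afdd5ee1c363ecd5cfe16b8414b95a3f4ac06 C:\\dell/drivers/R96951/setup.inx'
"""

# Constructed follow-up scan (not from the thread, hashes made up): setup.ibt
# was made executable, setup.ini changed, setup.inx vanished, extra.exe appeared.
SECOND_SCAN = """\
2006/11/30 08:53:27 ossec-agent: DEBUG: Sending message to server: '116688:33279:0:0:1b9c9b566129b5d1331d4f356fa6efdf:1914b61bb6e4388a3836173e46538446d2dce153 C:\\dell/drivers/R96951/setup.exe'
2006/11/30 08:53:27 ossec-agent: DEBUG: Sending message to server: '437812:33279:0:0:94d1151e8cf8103bb3557eefdca7c631:159f08df6543a5c14a0ca8f075a88ab700cdd77c C:\\dell/drivers/R96951/setup.ibt'
2006/11/30 08:53:27 ossec-agent: DEBUG: Sending message to server: '733:33206:0:0:00000000000000000000000000000000:0000000000000000000000000000000000000000 C:\\dell/drivers/R96951/setup.ini'
2006/11/30 08:53:27 ossec-agent: DEBUG: Sending message to server: '1024:33279:0:0:ffffffffffffffffffffffffffffffff:ffffffffffffffffffffffffffffffffffffffff C:\\dell/drivers/R96951/extra.exe'
"""

# The quoted payload of a "Sending message to server" debug line.
MSG_RE = re.compile(r"Sending message to server: '(?P<msg>[^']*)'")
# Assumed syscheck layout: size:mode:uid:gid:md5:sha1 <path>.
SYSCHECK_RE = re.compile(
    r"^(?P<size>\d+):(?P<mode>\d+):(?P<uid>\d+):(?P<gid>\d+):"
    r"(?P<md5>[0-9a-f]{32}):(?P<sha1>[0-9a-f]{40}) (?P<path>.+)$"
)


@dataclass(frozen=True)
class SyscheckEntry:
    path: str
    size: int
    mode: int
    uid: int
    gid: int
    md5: str
    sha1: str

    def mode_string(self) -> str:
        # Render the decimal st_mode like ls -l, e.g. 33206 -> '-rw-rw-rw-'.
        return stat.filemode(self.mode)


def parse_syscheck_message(msg: str) -> Optional[SyscheckEntry]:
    """Return the parsed entry, or None if the payload is not a syscheck message."""
    m = SYSCHECK_RE.match(msg)
    if not m:
        return None
    return SyscheckEntry(
        path=m.group("path"),
        size=int(m.group("size")),
        mode=int(m.group("mode")),
        uid=int(m.group("uid")),
        gid=int(m.group("gid")),
        md5=m.group("md5"),
        sha1=m.group("sha1"),
    )


def parse_agent_log(text: str) -> Dict[str, SyscheckEntry]:
    """Collect the syscheck entries from an agent DEBUG log, keyed by path."""
    entries: Dict[str, SyscheckEntry] = {}
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue  # "Attempting to send..." and other chatter
        entry = parse_syscheck_message(m.group("msg"))
        if entry is not None:
            entries[entry.path] = entry
    return entries


def diff_scans(baseline: Dict[str, SyscheckEntry],
               current: Dict[str, SyscheckEntry]) -> List[str]:
    """Report added, deleted, modified and re-permissioned files, sorted by path."""
    alerts = []
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old is None:
            alerts.append(f"added: {path}")
        elif new is None:
            alerts.append(f"deleted: {path}")
        elif old.md5 != new.md5 or old.sha1 != new.sha1:
            alerts.append(f"modified: {path} (size {old.size} -> {new.size})")
        elif old.mode != new.mode:
            alerts.append(f"mode changed: {path} "
                          f"({old.mode_string()} -> {new.mode_string()})")
    return alerts


def demo() -> List[str]:
    return diff_scans(parse_agent_log(AGENT_LOG), parse_agent_log(SECOND_SCAN))


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

Checking both hashes rather than just MD5 is deliberate: a collision against one digest has to match the other as well, which is also why the agent sends both. Note that with `<frequency>60</frequency>` this whole exchange repeats every minute, so a large `<directories>` tree will keep the agent busy hashing and sending almost continuously.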