List: ossec-list
Subject: RE: [ossec-list] Re: Ossec-agent: More than 600 seconds without server response...sending win32info
From: "Manuel, Hal" <hal.manuel () cengage ! com>
Date: 2016-03-25 12:52:59
Message-ID: BLUPR02MB1636184D90FE1601B0C6DB118C830 () BLUPR02MB1636 ! namprd02 ! prod ! outlook ! com
For what it's worth, I've seen the same thing happen on our Windows agents... tried debugging it for weeks & couldn't figure anything out so I just gave up. It seemed to be intermittent when I dug into it before.
--
Hal Manuel
Sr. Director, Content & Technical Operations
Cengage Learning | Questia | Highbeam Research
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On Behalf Of Santiago Bassett
Sent: Thursday, March 24, 2016 4:51 PM
To: ossec-list@googlegroups.com
Subject: Re: [ossec-list] Re: Ossec-agent: More than 600 seconds without server response...sending win32info
Could it be a network issue? I would try running tcpdump both on the agent and on the manager. It looks like manager responses are not getting to the agents somehow.
On Thu, Mar 24, 2016 at 1:17 PM, Ben <ben2008@gmail.com> wrote:
Hi,
I got the same issue here, exact same problem with 2.8.3 version. Any Help? Thanks.
On Friday, September 19, 2014 at 7:46:02 AM UTC-4, Chard wrote:
Hi All,
Ameya did you ever get a solution to this?
As I have the same problem as this, but I have firewalls with UDP port 1514 open and the server isn't showing any signs of being overloaded.
My agents can send log files to the ossec server and the server can send its shared configuration files to each ossec agent. Which would mean that the connection between server and client is fine? Yet I still get the error message "Ossec-agent: More than 600 seconds without server response...sending win32info" on the client side.
Just wondering, does the ossec server use a different port for some responses dealing with 'win32info'?
On Thursday, August 14, 2014 2:27:01 PM UTC+1, dan (ddpbsd) wrote:
On Thu, Aug 14, 2014 at 4:31 AM, Ameya Bhatkal <ame...@gmail.com> wrote:
> Hi Dan,
>
> The agents are connected. I don't think that the Server is overloaded since
> only 2 workstations are being monitored!
>
Did you check or just guess? Is there anything in the manager's ossec.log?
>
> On Monday, August 11, 2014 7:33:44 AM UTC+5:30, Ameya Bhatkal wrote:
> >
> > Hi Everyone,
> >
> > I am running Ossec HIDS 2.8 on Server mode on Ubuntu 14.04
> >
> > I have installed around 5-6 Ossec client agents with active response
> > disabled on windows 7 machines.
> >
> > My problem is that my ossec.log file which is present in the Ossec client
> > machine is filled with the following error messages:
> >
> > "Ossec-agent: More than 600 seconds without server response...sending
> > win32info"
> >
> > There is no firewall present between the Server and the agents. Every 3rd
> > or 4th line of the ossec.log file contains the above error.
> >
> > Could anyone help me out with this issue?
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
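The two-sided tcpdump check suggested in the thread, as an added example that is not part of any poster's message: it compares text captures of UDP port 1514 taken on the agent and on the manager and reports whether manager datagrams were sent but never reached the agent. The addresses, capture lines and function names are constructed for illustration; both captures are assumed to cover the same period, and because the two hosts' clocks may differ, only counts are compared across hosts while the silence is measured on the agent's own timestamps.

```python
import re
# Constructed output of `tcpdump -tt -n udp port 1514` from each side.
# Placeholder addresses: manager 192.0.2.1, agent 192.0.2.10.
AGENT_CAPTURE = """\
1458823800.100000 IP 192.0.2.10.50321 > 192.0.2.1.1514: UDP, length 73
1458823800.180000 IP 192.0.2.1.1514 > 192.0.2.10.50321: UDP, length 73
1458824100.100000 IP 192.0.2.10.50321 > 192.0.2.1.1514: UDP, length 73
1458824400.100000 IP 192.0.2.10.50321 > 192.0.2.1.1514: UDP, length 73
1458824700.100000 IP 192.0.2.10.50321 > 192.0.2.1.1514: UDP, length 73
"""
MANAGER_CAPTURE = """\
1458823800.120000 IP 192.0.2.10.50321 > 192.0.2.1.1514: UDP, length 73
1458823800.160000 IP 192.0.2.1.1514 > 192.0.2.10.50321: UDP, length 73
1458824100.120000 IP 192.0.2.10.50321 > 192.0.2.1.1514: UDP, length 73
1458824100.160000 IP 192.0.2.1.1514 > 192.0.2.10.50321: UDP, length 73
1458824400.120000 IP 192.0.2.10.50321 > 192.0.2.1.1514: UDP, length 73
1458824400.160000 IP 192.0.2.1.1514 > 192.0.2.10.50321: UDP, length 73
1458824700.120000 IP 192.0.2.10.50321 > 192.0.2.1.1514: UDP, length 73
"""
LINE = re.compile(r"^(\d+\.\d+) IP (\S+)\.\d+ > (\S+)\.\d+: UDP, length \d+$")

def parse(capture):
    """Return (timestamp, src_ip, dst_ip) per UDP line; other lines are skipped."""
    hits = (LINE.match(line.strip()) for line in capture.splitlines())
    return [(float(m[1]), m[2], m[3]) for m in hits if m]

def replies(capture, manager, agent):
    """Timestamps of manager -> agent datagrams present in one capture."""
    return [t for t, src, dst in parse(capture) if (src, dst) == (manager, agent)]

def diagnose(agent_cap, manager_cap, manager, agent, limit=600):
    """Compare both captures; limit is the 600 s from the agent's log message."""
    times = [t for t, _, _ in parse(agent_cap)]
    if not times:
        return {"sent": 0, "seen": 0, "silence": None, "verdict": "no traffic captured"}
    sent = replies(manager_cap, manager, agent)
    seen = replies(agent_cap, manager, agent)
    # Longest stretch, on the agent's own clock, with no datagram from the manager.
    marks = [min(times)] + seen + [max(times)]
    silence = max(b - a for a, b in zip(marks, marks[1:]))
    if silence <= limit:
        verdict = "ok"
    elif len(sent) > len(seen):
        verdict = "replies lost in transit"   # check the path between the hosts
    else:
        verdict = "manager not replying"      # check the manager's ossec.log
    return {"sent": len(sent), "seen": len(seen), "silence": round(silence, 2), "verdict": verdict}

if __name__ == "__main__":
    print(diagnose(AGENT_CAPTURE, MANAGER_CAPTURE, "192.0.2.1", "192.0.2.10"))
```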