Hi Thiago, the previous messages "Event count after '20000':" make me think that your system is receiving a large amount of Syscheck events in real-time.
I think that the error "real time call back called, but 0 bytes" happens only in Windows agents when the internal Windows directory monitor reports an error. Unfortunately the error message is not more descriptive, but maybe the issue is that there are too many changes to monitored files and the system is unable to handle them all.

I would suggest that you unset the realtime="yes" option from the file ossec.conf for non-critical files, or files that are supposed to change too often (like logs).

I will try to reproduce this problem and write back to you if I get more information.

Hope it helps.

Best regards.

On Friday, March 10, 2017 at 12:46:09 PM UTC-8, Thiago Campos wrote:
>
> Hi all!
>
> I'm having an error on a Windows agent and real-time monitoring appears not to be working properly. I have searched about this error but I'm not finding any clue for that issue.
>
> Any help is welcome. Thanks.
>
> ------ ossec.log -------
> 2017/03/10 16:40:41 ossec-agent: INFO: Started (pid: 12060).
> 2017/03/10 16:41:13 ossec-agent: INFO: Starting syscheck scan (forwarding database).
> 2017/03/10 16:41:13 ossec-agent: INFO: Starting syscheck database (pre-scan).
> 2017/03/10 16:45:51 ossec-agent: INFO: Initializing real time file monitoring (not started).
> 2017/03/10 16:46:39 ossec-agent: INFO: Event count after '20000': 4627336->3894552 (84%)
> 2017/03/10 16:49:39 ossec-agent: INFO: Event count after '20000': 4690104->3989920 (85%)
> 2017/03/10 16:53:51 ossec-agent: INFO: Event count after '20000': 4677575->3959152 (84%)
> 2017/03/10 16:57:58 ossec-agent: INFO: Event count after '20000': 4320003->3598760 (83%)
> 2017/03/10 17:01:38 ossec-agent: INFO: Event count after '20000': 4023516->3354320 (83%)
> 2017/03/10 17:06:28 ossec-agent: INFO: Event count after '20000': 4344369->3684992 (84%)
> 2017/03/10 17:08:55 ossec-agent: INFO: Real time file monitoring started.
> 2017/03/10 17:08:55 ossec-agent: INFO: Finished creating syscheck database (pre-scan completed).
> 2017/03/10 17:09:05 ossec-agent: INFO: Ending syscheck scan (forwarding database).
> 2017/03/10 17:09:15 ossec-agent: INFO: Starting rootcheck scan.
> 2017/03/10 17:09:22 ossec-agent: INFO: Ending rootcheck scan.
> 2017/03/10 17:09:22 ossec-agent: *ERROR: real time call back called, but 0 bytes*.
> 2017/03/10 17:09:22 ossec-agent: *ERROR: real time call back called, but 0 bytes.*
> -----------------------------
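
A small triage helper for the log excerpt above, added here as an example and not part of the thread or of OSSEC itself: it turns the "Event count after" lines into an approximate events-per-second rate and counts the "0 bytes" callback errors. It assumes each counter line marks another 20000 events since the previous one; `summarize` and the other names are hypothetical.

```python
import re
from datetime import datetime

# Lines taken from the ossec.log excerpt quoted in the thread (mail wrapping removed).
SAMPLE_LOG = """\
2017/03/10 16:45:51 ossec-agent: INFO: Initializing real time file monitoring (not started).
2017/03/10 16:46:39 ossec-agent: INFO: Event count after '20000': 4627336->3894552 (84%)
2017/03/10 16:49:39 ossec-agent: INFO: Event count after '20000': 4690104->3989920 (85%)
2017/03/10 16:53:51 ossec-agent: INFO: Event count after '20000': 4677575->3959152 (84%)
2017/03/10 16:57:58 ossec-agent: INFO: Event count after '20000': 4320003->3598760 (83%)
2017/03/10 17:01:38 ossec-agent: INFO: Event count after '20000': 4023516->3354320 (83%)
2017/03/10 17:06:28 ossec-agent: INFO: Event count after '20000': 4344369->3684992 (84%)
2017/03/10 17:08:55 ossec-agent: INFO: Real time file monitoring started.
2017/03/10 17:09:22 ossec-agent: *ERROR: real time call back called, but 0 bytes*.
2017/03/10 17:09:22 ossec-agent: *ERROR: real time call back called, but 0 bytes.*
"""

COUNT_RE = re.compile(r"Event count after '(\d+)'")
ERROR_TEXT = "real time call back called, but 0 bytes"


def summarize(log_text):
    """Return (rates, errors): events/sec per counter interval, and the
    number of real-time callback errors seen."""
    marks, errors = [], 0
    for line in log_text.splitlines():
        if ERROR_TEXT in line:
            errors += 1
            continue
        m = COUNT_RE.search(line)
        if not m:
            continue
        try:
            ts = datetime.strptime(line.strip()[:19], "%Y/%m/%d %H:%M:%S")
        except ValueError:
            continue  # no leading timestamp, e.g. a wrapped or quoted line
        marks.append((ts, int(m.group(1))))
    rates = []
    # Assumption: each counter line marks another N events since the previous one.
    for (t0, _), (t1, n) in zip(marks, marks[1:]):
        secs = (t1 - t0).total_seconds()
        if secs > 0:  # skip identical timestamps to avoid dividing by zero
            rates.append((t1.strftime("%H:%M:%S"), round(n / secs, 1)))
    return rates, errors


if __name__ == "__main__":
    rates, errors = summarize(SAMPLE_LOG)
    for when, rate in rates:
        print(f"{when}  ~{rate} events/s")
    print(f"real-time callback errors: {errors}")
```

Running it again after narrowing the realtime="yes" scope in ossec.conf gives a before/after comparison of the rate and the error count.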