Hi Victor,

Thanks for your reply. I did everything you told me, but the error persists. 
I keep receiving many logs like the one below:

ossec-agentd: Failed md5 for: shared/merged.mg -- deleting. 

A new thing that I realized is that the file ar.conf is not present in 
the Windows agent installation directory either; I tried to restart the agent 
remotely and saw it. After I enabled debug on the Windows agent I was able 
to see this log:

ossec-agent: DEBUG: Sending keep alive: #!-Microsoft Windows Server 2012 
Datacenter Edition (full)  (Build 9200) - OSSEC HIDS v2.9.0 / 
e204e0200d4f36c5c80b071e2e1ef79b
x merged.mg 

The point is, this checksum is not the same as that of agent.conf or merged.mg on 
the OSSEC server. I kinda gave up on this and tried to do everything 
manually: I created a blank agent.conf within the C:\Program Files 
(x86)\ossec-agent\shared directory and restarted the agent. In the log file 
the error (ERROR: Error reading XML file 'shared/agent.conf': XMLERR: File 
'shared/agent.conf' not found) isn't being shown anymore, but the 
agent.conf doesn't synchronize, it remains blank. 

I don't know what to do anymore. I reinstalled the agent and the server, 
tried different Windows installations and tried with OSSEC 2.8.3, but 
the problem remains. The funny point is that it only happens on Windows 
agents; on Linux agents everything works perfectly.

If I copy the content of agent.conf from the server to the Windows agent, 
everything works. But I don't know if it could cause me problems in the 
future.

On Monday, July 3, 2017 at 11:39:52 UTC-3, Victor Fernandez 
wrote:
>
> Hi,
>
> it is strange that the log indicates line 147 when it was not able to read 
> it. Maybe the agent.conf file is not arriving to the agent or it is being 
> discarded due to a checksum error.
>
> First, please remove file *merged.mg* from folder 
> *shared* in the agent and the manager. Then enable debugging log in order 
> to know where the problem is.
>
>    - On the manager: 
>
> /var/ossec/bin/ossec-control enable debug
> /var/ossec/bin/ossec-control restart
>
>
>
>    - On the agent, add this line to file *local_internal_options.conf*:
>
> windows.debug=1
>
>
> and restart the agent. When it gets connected, the manager should log a 
> message like:
>
> ossec-remoted: Sending file 'merged.mg' to agent.
>
>
> and that file should appear immediately in the agent (folder *shared*). 
> After a few seconds, when the file is completely delivered, it should be 
> unmerged into every file that exists in the manager's shared folder.
>
> A common issue is that when the file doesn't arrive properly (e.g. some packets 
> were lost or corrupted), the file *merged.mg* will 
> disappear suddenly and the Windows agent should log:
>
> ossec-agent: Failed md5 for: merged.mg -- deleting.
>
>
> In this case, the manager will retry to send the file every 10 minutes.
>
> But as I mentioned before, an error message about reading a file that 
> indicates a line different from 0 makes no sense. However, I hope this helps 
> you.
>
> Best regards.
>
>
>
> On Mon, Jul 3, 2017 at 11:44 AM, Jesus Linares <je...@wazuh.com> wrote:
>
>> Hi
>>
>> ossec-agent(1226): ERROR: Error reading XML file 'shared/agent.conf': 
>>> XMLERR: File 'shared/agent.conf' not found. (line 147).
>>
>>
>> What is on line 147?
>>
>> More information about the agent.conf and the process to synchronize it: 
>> https://documentation.wazuh.com/current/user-manual/reference/centralized-configuration.html
>>  
>>
>> I hope it helps.
>> Regards.
>>
>> On Sunday, July 2, 2017 at 3:30:07 AM UTC+2, Ricardo Galossi wrote:
>>>
>>> Hi guys,
>>>
>>> I'd like to ask for some help here..
>>>
>>> My Windows agents are not synchronizing shared/agent.conf; 
>>> within the C:\Program Files (x86)\ossec-agent\shared directory there is no 
>>> agent.conf even after restarting the Windows agent. My agent.conf follows below:
>>>
>>> <agent_config>
>>>     <syscheck>
>>>         <directories realtime="yes" check_all="yes">C:\labtest</directories>
>>>     </syscheck>
>>> </agent_config>
>>>
>>> In the agent log file I receive the following message:
>>>
>>> ossec-agent(1226): ERROR: Error reading XML file 'shared/agent.conf': 
>>> XMLERR: File 'shared/agent.conf' not found. (line 147).
>>>
>>> If I create the file agent.conf manually the configuration works (which 
>>> proves that the configuration is OK), but it also doesn't synchronize if I try 
>>> to change it.
>>>
>>> Am I making some mistake? Please, help me!!
>>>
>> -- 
>>
>> --- 
>> You received this message because you are subscribed to the Google Groups 
>> "ossec-list" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to ossec-list+...@googlegroups.com.
>> For more options, visit https://groups.google.com/d/optout.
>>
>
>
>
> -- 
> Victor M. Fernandez-Castro
> IT Security Engineer
> Wazuh Inc.
>

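Added example, not part of the original thread and not OSSEC project code: a small Python triage script that correlates the manager's "Sending file 'merged.mg' to agent" messages with the agent's "Failed md5 ... -- deleting" messages, to tell a one-off corrupted transfer from a rejection that repeats on every 10-minute retry. It assumes both logs carry an ossec.log style `YYYY/MM/DD HH:MM:SS` prefix and that the two hosts' clocks are in sync; the sample lines and the state names are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Patterns copied from the log messages quoted in this thread.
SENT = re.compile(r"ossec-remoted: Sending file 'merged\.mg' to agent")
BAD_MD5 = re.compile(r"Failed md5 for: (?:shared/)?merged\.mg -- deleting")
# Assumption: each line starts with an ossec.log style "YYYY/MM/DD HH:MM:SS" stamp.
STAMP = "%Y/%m/%d %H:%M:%S"
RETRY = timedelta(minutes=10)  # manager retry interval stated in the thread


def stamps(lines, pattern):
    """Timestamps of the lines that match pattern; unparsable lines are skipped."""
    found = []
    for line in lines:
        if not pattern.search(line):
            continue
        try:
            found.append(datetime.strptime(line[:19], STAMP))
        except ValueError:
            continue
    return sorted(found)


def diagnose(manager_lines, agent_lines):
    """Classify shared-file delivery from manager and agent debug logs."""
    sends = stamps(manager_lines, SENT)
    failures = stamps(agent_lines, BAD_MD5)
    if not sends:
        return "never-sent"          # manager is not pushing merged.mg at all
    # A send is rejected when the agent logs an md5 failure before the next retry.
    rejected = [any(s <= f < s + RETRY for f in failures) for s in sends]
    if all(rejected) and len(sends) > 1:
        return "always-rejected"     # persistent mismatch, not random packet loss
    if rejected[-1]:
        return "last-send-rejected"  # wait for the next retry and re-check
    return "delivered"


# Constructed sample lines (not taken from the systems discussed in the thread).
MANAGER = [
    "2017/07/03 12:00:01 ossec-remoted: Sending file 'merged.mg' to agent.",
    "2017/07/03 12:10:01 ossec-remoted: Sending file 'merged.mg' to agent.",
]
AGENT = [
    "2017/07/03 12:00:04 ossec-agentd: Failed md5 for: shared/merged.mg -- deleting.",
    "2017/07/03 12:10:05 ossec-agentd: Failed md5 for: shared/merged.mg -- deleting.",
]

if __name__ == "__main__":
    print(diagnose(MANAGER, AGENT))
```
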