On Wed, Aug 2, 2017 at 7:19 AM, Stephen Crow <stepheng.c...@gmail.com> wrote: > can this be changed to use TCP instead of UDP? i have the same issue but i > dont think changing the default buffer size is a good idea >
Yes, just add tcp support to agentd and remoted. Wazuh may already have this, I'm not positive. > On Monday, 10 July 2017 12:34:48 UTC+1, Victor Fernandez wrote: >> >> Hi Ricardo, >> >> in this case it's probable that the Windows agent is dropping UDP packages >> from the manager due to overflow. The default UDP buffer size in Linux is >> 212992 (208 KiB) but I think that in Windows it is only 8 KiB. OSSEC resizes >> the buffer to 6 KiB (the maximum message length) when the default size is >> less than 6 KiB. >> >> File ar.conf comes in the merged.mg. Try to send a very little shared file >> (remove every file in the manager's /var/ossec/etc/shared except ar.conf), >> restart the manager and then restart the agent. >> >> You may also try to increase the network buffer size in Windows. This may >> help you: http://smallvoid.com/article/winnt-winsock-buffer.html. >> >> Best regards. >> >> On Fri, Jul 7, 2017 at 10:08 AM, Ricardo Galossi <chacal...@gmail.com> >> wrote: >>> >>> Hi Victor, >>> >>> Thanks for your reply. I did everything you told me, but the error >>> persist. I continuous receiving many logs as below: >>> >>> ossec-agentd: Failed md5 for: shared/merged.mg -- deleting. >>> >>> A new thing that I realized is that the file ar.conf is not present in >>> windows agent installation directory too, I tried to restart the agent >>> remotely and saw it. After I enable debug on the windows agent I was able to >>> see this log: >>> >>> ossec-agent: DEBUG: Sending keep alive: #!-Microsoft Windows Server 2012 >>> Datacenter Edition (full) (Build 9200) - OSSEC HIDS v2.9.0 / >>> e204e0200d4f36c5c80b071e2e1ef79b >>> x merged.mg >>> >>> The point is, this checksum is not the same of agent.conf or merged.mg on >>> ossec server. I kinda gave up about this and tried to do everything >>> manually, I created agent.conf in blank within C:\Program Files >>> (x86)\ossec-agent\shared directory and restart the agent, in the log file >>> the error (ERROR: Error reading XML file 'shared/agent.conf': XMLERR: File >>> 'shared/agent.conf' not found) isn't being shown anymore, but the agent.conf >>> doesn't synchronize, it remains in blank. >>> >>> I don't know what to do anymore, reinstalled the agent and the server, >>> tried in different windows installations and tried with ossec 2.8.3, but the >>> problem remains. The funny point is that it only happens on Windows agents, >>> on Linux agents everything works perfectly. >>> >>> If I copy the content of agent.conf from the server to the windows agent, >>> everything works. But I don't know if it can bring me some problem in the >>> future. >>> >>> Em segunda-feira, 3 de julho de 2017 11:39:52 UTC-3, Victor Fernandez >>> escreveu: >>>> >>>> Hi, >>>> >>>> it is strange that the log indicates line 147 when it was not able to >>>> read it. Maybe the agent.conf file is not arriving to the agent or it is >>>> being discarded due to a checksum error. >>>> >>>> First, please remove file merged.mg from folder shared in the agent and >>>> the manager. Then enable debugging log in order to know where the problem >>>> is. >>>> >>>> On the manager: >>>> >>>> /var/ossec/bin/ossec-control enable debug >>>> /var/ossec/bin/ossec-control restart >>>> >>>> >>>> On the agent, add this line to file local_internal_options.conf: >>>> >>>> windows.debug=1 >>>> >>>> >>>> and restart the agent. When it gets connected, the manager should log a >>>> message like: >>>> >>>> ossec-remoted: Sending file 'merged.mg' to agent. >>>> >>>> >>>> and that file should appear immediately in the agent (folder shared). >>>> After few seconds, when the file is completely delivered, it should be >>>> unmerged into every file that exists in the manager's shared folder. >>>> >>>> A common issue is that the file doesn't arrive properly (e.g. some >>>> packets were lost or corrupted) the file merged.mg will disappear suddenly >>>> and the Windows agent should log: >>>> >>>> ossec-agent: Failed md5 for: merged.mg -- deleting. >>>> >>>> >>>> In this case, the manager will retry to send the file every 10 minutes. >>>> >>>> But as I mentioned before, an error message about reading file that >>>> indicates a line different from 0 has no sense. However I hope this help >>>> you. >>>> >>>> Best regards. >>>> >>>> >>>> >>>> On Mon, Jul 3, 2017 at 11:44 AM, Jesus Linares <je...@wazuh.com> wrote: >>>>> >>>>> Hi >>>>> >>>>>> ossec-agent(1226): ERROR: Error reading XML file 'shared/agent.conf': >>>>>> XMLERR: File 'shared/agent.conf' not found. (line 147). >>>>> >>>>> >>>>> what is in the line 147?. >>>>> >>>>> More information about the agent.conf and the process to synchronize >>>>> it: >>>>> https://documentation.wazuh.com/current/user-manual/reference/centralized-configuration.html >>>>> >>>>> I hope it helps. >>>>> Regards. >>>>> >>>>> On Sunday, July 2, 2017 at 3:30:07 AM UTC+2, Ricardo Galossi wrote: >>>>>> >>>>>> Hi guys, >>>>>> >>>>>> I'd like to ask for some help here.. >>>>>> >>>>>> My windows agents are not synchronizing shared/agent.conf, within >>>>>> C:\Program Files (x86)\ossec-agent\shared direrectory there is no >>>>>> agent.conf >>>>>> even after restarting windows agent. Follow my agent.cong below: >>>>>> >>>>>> <agent_config> >>>>>> <syscheck> >>>>>> <directories realtime="yes" >>>>>> check_all="yes">C:\labtest</directories> >>>>>> </syscheck> >>>>>> </agent_config> >>>>>> >>>>>> In the agent log file I receive the following message: >>>>>> >>>>>> ossec-agent(1226): ERROR: Error reading XML file 'shared/agent.conf': >>>>>> XMLERR: File 'shared/agent.conf' not found. (line 147). >>>>>> >>>>>> If I create the file agent.conf manually the configuration works (what >>>>>> proof that the configuration is ok), but also doesn't synchronize if i >>>>>> try >>>>>> to change it. >>>>>> >>>>>> Am I making some mistake? Please, help me!! >>>>> >>>>> -- >>>>> >>>>> --- >>>>> You received this message because you are subscribed to the Google >>>>> Groups "ossec-list" group. >>>>> To unsubscribe from this group and stop receiving emails from it, send >>>>> an email to ossec-list+...@googlegroups.com. >>>>> For more options, visit https://groups.google.com/d/optout. >>>> >>>> >>>> >>>> >>>> -- >>>> Victor M. Fernandez-Castro >>>> IT Security Engineer >>>> Wazuh Inc. >>> >>> -- >>> >>> --- >>> You received this message because you are subscribed to the Google Groups >>> "ossec-list" group. >>> To unsubscribe from this group and stop receiving emails from it, send an >>> email to ossec-list+...@googlegroups.com. >>> For more options, visit https://groups.google.com/d/optout. >> >> >> >> >> -- >> Victor M. Fernandez-Castro >> IT Security Engineer >> Wazuh Inc. > > -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to ossec-list+unsubscr...@googlegroups.com. > For more options, visit https://groups.google.com/d/optout. -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.