I have an OSSEC setup that currently has about five clients (two Windows, three Linux). This is my test environment for a larger deployment, so I'm hoping to find a solution to this problem. Both Windows clients will connect and serve alerts for a while and will then disconnect. The three Linux clients have no trouble connecting (and staying connected).
The server has udp/1514 open to my test network. Both server and clients are running v1.0. The ossec.conf file is as follows:

<ossec_config>
  <client>
    <!-- IP address of the Ossec HIDS server -->
    <server-ip>128.153.x.x</server-ip>
  </client>

  <!-- One entry for each file to monitor -->
  <localfile>
    <location>Application</location>
    <log_format>eventlog</log_format>
  </localfile>
  <localfile>
    <location>Security</location>
    <log_format>eventlog</log_format>
  </localfile>
  <localfile>
    <location>System</location>
    <log_format>eventlog</log_format>
  </localfile>
</ossec_config>

<!-- Default syscheck config -->
<ossec_config>
  <syscheck>
    <frequency>21600</frequency>
    <directories check_all="yes">C:\WINDOWS,C:\Program Files</directories>
  </syscheck>
</ossec_config>

<!-- Updated syscheck config -->
<ossec_config>
  <syscheck>
    <frequency>21600</frequency>
    <ignore>standard ignore stuff</ignore>
  </syscheck>
</ossec_config>

<!-- IIS log file -->
<ossec_config>
  <localfile>
    <location>C:\blackboard\logs\httpd\W3SVC2\ex%y%m%d.log</location>
    <log_format>iis</log_format>
  </localfile>
</ossec_config>

<!-- Extra log file -->
<ossec_config>
  <localfile>
    <location>C:\Windows\pfirewall.log</location>
    <log_format>syslog</log_format>
  </localfile>
</ossec_config>

<!-- Syscheck registry config -->
...standard registry config...

The logfile looks like this:

2007/02/14 14:17:19 ossec-agent: No previous counter available for 'hostname'.
2007/02/14 14:17:19 ossec-agent: Assigning counter for agent hostname: '0:0'.
2007/02/14 14:17:19 ossec-agent: Assigning sender counter: 2:891
2007/02/14 14:17:19 ossec-agent: Connecting to server (128.153.x.x:1514).
2007/02/14 14:17:19 ossec-agent: Starting syscheckd thread.
2007/02/14 14:17:19 ossec-agent: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes'.
2007/02/14 14:17:19 ossec-agent: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft'.
2007/02/14 14:17:19 ossec-agent: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Policies'.
2007/02/14 14:17:19 ossec-agent: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control'.
2007/02/14 14:17:19 ossec-agent: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services'.
2007/02/14 14:17:19 ossec-agent: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Security'.
2007/02/14 14:17:19 ossec-agent: Monitoring directory: 'C:\WINDOWS'.
2007/02/14 14:17:19 ossec-agent: Monitoring directory: 'C:\Program Files'.
2007/02/14 14:17:20 ossec-agent(4102): Connected to the server.
2007/02/14 14:17:20 ossec-agent(1951): Analyzing event log: 'Application'.
2007/02/14 14:17:28 ossec-agent(1951): Analyzing event log: 'Security'.
2007/02/14 15:16:11 ossec-agent: Event count after '20000': 4120746->3471264 (84%)
2007/02/14 16:35:01 ossec-agent: Server unavailable. Setting lock.
2007/02/14 16:35:07 ossec-agent: Server responded. Releasing lock.

Any help would be greatly appreciated.

--
Josh
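A small log analyser, added here as an example and not part of the post above or of OSSEC's own tooling, that pairs the agent's "Server unavailable. Setting lock." and "Server responded. Releasing lock." messages so that the length and frequency of the disconnects can be measured rather than eyeballed. The message strings and timestamp format are taken from the log lines quoted in the post; the sample log in the block is constructed (the 18:02 outage and the repeated lock message are invented to show a long outage and a retry), and the 60-second "slow" threshold is an arbitrary assumption.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample modelled on the ossec-agent lines quoted in the post.
# The 18:02:40 outage and the repeated lock at 18:12:40 are invented.
SAMPLE_LOG = """\
2007/02/14 14:17:19 ossec-agent: Connecting to server (128.153.x.x:1514).
2007/02/14 14:17:20 ossec-agent(4102): Connected to the server.
2007/02/14 14:17:20 ossec-agent(1951): Analyzing event log: 'Application'.
2007/02/14 15:16:11 ossec-agent: Event count after '20000': 4120746->3471264 (84%)
2007/02/14 16:35:01 ossec-agent: Server unavailable. Setting lock.
2007/02/14 16:35:07 ossec-agent: Server responded. Releasing lock.
2007/02/14 18:02:40 ossec-agent: Server unavailable. Setting lock.
2007/02/14 18:12:40 ossec-agent: Server unavailable. Setting lock.
2007/02/14 18:15:03 ossec-agent: Server responded. Releasing lock.
"""

# "<date> <time> ossec-agent[(code)]: <message>" as seen in the agent log.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"ossec-agent(?:\((?P<code>\d+)\))?: (?P<msg>.*)$"
)
TS_FMT = "%Y/%m/%d %H:%M:%S"

LOCK_MSG = "Server unavailable. Setting lock."
UNLOCK_MSG = "Server responded. Releasing lock."
CONNECTED_MSG = "Connected to the server."


def parse_line(line: str) -> Optional[Dict]:
    """Split one agent log line into timestamp, optional message code and text."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "code": int(m.group("code")) if m.group("code") else None,
        "msg": m.group("msg"),
    }


def analyze(log_text: str, slow_threshold_s: int = 60) -> Dict:
    """Pair lock/unlock messages into outages and summarise them.

    An outage opens on the first LOCK_MSG and closes on the next UNLOCK_MSG;
    further LOCK_MSG lines inside an open outage are counted as retries.
    An outage with no matching UNLOCK_MSG is reported with end=None.
    """
    connects = 0
    outages: List[Dict] = []
    current: Optional[Dict] = None
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # not an agent line (or a format we do not recognise)
        msg = rec["msg"]
        if msg == CONNECTED_MSG:
            connects += 1
        elif msg == LOCK_MSG:
            if current is None:
                current = {"start": rec["ts"], "end": None, "seconds": None, "retries": 0}
            else:
                current["retries"] += 1
        elif msg == UNLOCK_MSG and current is not None:
            current["end"] = rec["ts"]
            current["seconds"] = int((current["end"] - current["start"]).total_seconds())
            outages.append(current)
            current = None
    if current is not None:          # log ended while the agent was still locked
        outages.append(current)
    closed = [o["seconds"] for o in outages if o["seconds"] is not None]
    return {
        "connects": connects,
        "outages": outages,
        "longest_seconds": max(closed) if closed else 0,
        "slow_outages": sum(1 for s in closed if s > slow_threshold_s),
        "still_locked": current is not None,
    }


if __name__ == "__main__":
    summary = analyze(SAMPLE_LOG)
    print(f"connects={summary['connects']} outages={len(summary['outages'])} "
          f"longest={summary['longest_seconds']}s still_locked={summary['still_locked']}")
    for o in summary["outages"]:
        print(f"  {o['start']} -> {o['end']}  {o['seconds']}s  retries={o['retries']}")
```

Run it against the real agent log from one of the Windows clients and compare the outage lengths with the interval at which alerts stop arriving on the server; a series of short, fully recovered outages points at the network path, whereas an outage that never sees "Server responded" (reported here with end=None) points at the agent side.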
