Hi Joshua,
From your logs, it shows that the client was only disconnected once
for a very short period (less than 7 seconds). It may have happened if you
restarted your ossec server or the network was down (or very busy) during
that period.
2007/02/14 14:17:28 ossec-agent(1951): Analyzing event log: 'Security'.
2007/02/14 15:16:11 ossec-agent: Event count after '20000': 4120746->3471264 (84%)
2007/02/14 16:35:01 ossec-agent: Server unavailable. Setting lock.
2007/02/14 16:35:07 ossec-agent: Server responded. Releasing lock.
Did it happen more than once after that? Did your ossec server alert
that the agent was disconnected? It shouldn't, because of the small period.
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On 2/14/07, Joshua Fiske wrote:
I have an ossec setup that has about five clients currently (two windows,
three linux). This is my test environment for a larger deploy, so I'm
hoping to find a solution to this problem. Both Windows clients will
connect and serve alerts for a while and will then disconnect. The three
linux clients have no troubles connecting (and staying connected).
The server has udp/1514 open to my test network. Both server and clients
are running v1.0.
The ossec.conf file is as follows:
<ossec_config>
<client>
<!-- IP address of the Ossec HIDS server -->
<server-ip>128.153.x.x</server-ip>
</client>
<!-- One entry for each file to monitor -->
<localfile>
<location>Application</location>
<log_format>eventlog</log_format>
</localfile>
<localfile>
<location>Security</location>
<log_format>eventlog</log_format>
</localfile>
<localfile>
<location>System</location>
<log_format>eventlog</log_format>
</localfile>
</ossec_config>
<!-- Default syscheck config -->
<ossec_config>
<syscheck>
<frequency>21600</frequency>
<directories check_all="yes">C:\WINDOWS,C:\Program Files</directories>
</syscheck>
</ossec_config>
<!-- Updated syscheck config -->
<ossec_config>
<syscheck>
<frequency>21600</frequency>
<ignore>standard ignore stuff</ignore>
</syscheck>
</ossec_config>
<!-- IIS log file -->
<ossec_config>
<localfile>
<location>C:\blackboard\logs\httpd\W3SVC2\ex%y%m%d.log</location>
<log_format>iis</log_format>
</localfile>
</ossec_config>
<!-- Extra log file -->
<ossec_config>
<localfile>
<location>C:\Windows\pfirewall.log</location>
<log_format>syslog</log_format>
</localfile>
</ossec_config>
<!-- Syscheck registry config -->
...standard registry config...
The logfile looks like this:
2007/02/14 14:17:19 ossec-agent: No previous counter available for 'hostname'.
2007/02/14 14:17:19 ossec-agent: Assigning counter for agent hostname: '0:0'.
2007/02/14 14:17:19 ossec-agent: Assigning sender counter: 2:891
2007/02/14 14:17:19 ossec-agent: Connecting to server (128.153.x.x:1514).
2007/02/14 14:17:19 ossec-agent: Starting syscheckd thread.
2007/02/14 14:17:19 ossec-agent: Monitoring registry entry:
'HKEY_LOCAL_MACHINE\Software\Classes'.
2007/02/14 14:17:19 ossec-agent: Monitoring registry entry:
'HKEY_LOCAL_MACHINE\Software\Microsoft'.
2007/02/14 14:17:19 ossec-agent: Monitoring registry entry:
'HKEY_LOCAL_MACHINE\Software\Policies'.
2007/02/14 14:17:19 ossec-agent: Monitoring registry entry:
'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control'.
2007/02/14 14:17:19 ossec-agent: Monitoring registry entry:
'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services'.
2007/02/14 14:17:19 ossec-agent: Monitoring registry entry:
'HKEY_LOCAL_MACHINE\Security'.
2007/02/14 14:17:19 ossec-agent: Monitoring directory: 'C:\WINDOWS'.
2007/02/14 14:17:19 ossec-agent: Monitoring directory: 'C:\Program Files'.
2007/02/14 14:17:20 ossec-agent(4102): Connected to the server.
2007/02/14 14:17:20 ossec-agent(1951): Analyzing event log: 'Application'.
2007/02/14 14:17:28 ossec-agent(1951): Analyzing event log: 'Security'.
2007/02/14 15:16:11 ossec-agent: Event count after '20000': 4120746->3471264 (84%)
2007/02/14 16:35:01 ossec-agent: Server unavailable. Setting lock.
2007/02/14 16:35:07 ossec-agent: Server responded. Releasing lock.
Any help would be greatly appreciated.
--
-- Josh
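Daniel's reading of the log (one disconnect, under 7 seconds) can be automated over an agent log: pair each "Server unavailable. Setting lock." line with the next "Server responded. Releasing lock." line and compute how long the agent was locked out. The script below is an added example, not part of this thread or of OSSEC itself; the sample log is constructed from the lines quoted above, and the 60-second flag threshold is an assumed value, not an OSSEC setting.

```python
import re
from datetime import datetime

# Constructed sample log, modelled on the ossec-agent lines quoted in this thread.
SAMPLE_LOG = """\
2007/02/14 14:17:20 ossec-agent(4102): Connected to the server.
2007/02/14 14:17:28 ossec-agent(1951): Analyzing event log: 'Security'.
2007/02/14 16:35:01 ossec-agent: Server unavailable. Setting lock.
2007/02/14 16:35:07 ossec-agent: Server responded. Releasing lock.
"""

# Timestamp, program name with an optional "(code)", then the message text.
LINE_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) ossec-agent(?:\(\d+\))?: (.*)$")
LOCK_MSG = "Server unavailable. Setting lock."
RELEASE_MSG = "Server responded. Releasing lock."


def parse_outages(log_text):
    """Return (start, end, seconds) per outage; end/seconds are None when the
    agent never logged a release, i.e. it stayed disconnected."""
    outages, start = [], None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
        msg = m.group(2)
        if msg == LOCK_MSG:
            if start is not None:          # second lock with no release between
                outages.append((start, None, None))
            start = ts
        elif msg == RELEASE_MSG and start is not None:
            outages.append((start, ts, (ts - start).total_seconds()))
            start = None
    if start is not None:                  # log ends while still locked out
        outages.append((start, None, None))
    return outages


def outage_summary(log_text, flag_after_seconds=60):
    """Count outages and flag those longer than flag_after_seconds (assumed
    threshold, not an OSSEC setting) or never released."""
    outages = parse_outages(log_text)
    durations = [s for _, _, s in outages if s is not None]
    flagged = [o for o in outages if o[2] is None or o[2] > flag_after_seconds]
    return {"count": len(outages),
            "longest_seconds": max(durations) if durations else 0.0,
            "flagged": flagged}
```

Run `outage_summary(open("ossec.log").read())` against a real agent log to see whether the Windows agents are dropping repeatedly or staying locked out, which is the distinction Daniel asks about.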