Here is the debug, set to level "2" for both the MS Agent and the OSSEC server:
2007/05/23 15:42:09 ossec-agent: DEBUG: Reading agent configuration.
2007/05/23 15:42:09 ossec-agent: DEBUG: Reading logcollector configuration.
2007/05/23 15:42:09 ossec-agent: DEBUG: Reading private keys.
2007/05/23 15:42:09 ossec-agent: No previous counter available for 'den-ev-00'.
2007/05/23 15:42:09 ossec-agent: Assigning counter for agent den-ev-00: '0:0'.
2007/05/23 15:42:09 ossec-agent: Assigning sender counter: 0:32
2007/05/23 15:42:09 ossec-agent: Connecting to server (172.16.17.205:1514).
2007/05/23 15:42:09 ossec-agent: DEBUG: Creating thread mutex.
2007/05/23 15:42:09 ossec-agent: Starting syscheckd thread.
2007/05/23 15:42:09 ossec-agent: Starting ...
2007/05/23 15:42:09 ossec-rootcheck: Started (pid: 3548).
2007/05/23 15:42:09 ossec-agent: Starting queue ...
2007/05/23 15:42:09 ossec-agent: Connecting to server (172.16.17.205:1514).
2007/05/23 15:42:09 ossec-agent: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes'.
2007/05/23 15:42:09 ossec-agent: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft'.
2007/05/23 15:42:09 ossec-agent: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Policies'.
2007/05/23 15:42:09 ossec-agent: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control'.
2007/05/23 15:42:09 ossec-agent: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services'.
2007/05/23 15:42:09 ossec-agent: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Security'.
2007/05/23 15:42:09 ossec-agent: Monitoring directory: 'D:\WINDOWS'.
2007/05/23 15:42:09 ossec-agent: Started (pid: 3548).
2007/05/23 15:42:24 ossec-agent(4101): Waiting for server reply (not started).
2007/05/23 15:42:26 ossec-agent(4102): Connected to the server.
2007/05/23 15:42:26 ossec-agent: DEBUG: Sending keep alive message.
2007/05/23 15:42:26 ossec-agent: DEBUG: Sending keep alive: #!-Microsoft Windows XP Professional x64 Edition Service Pack 2 (Build 3790) d41d8cd98f00b204e9800998ecf8427e ar.conf 83bd653bf7f3ff1d5702dda24bdb8c61 rootkit_files.txt d6e390753464a48796c62967ef037e9b rootkit_trojans.txt
2007/05/23 15:42:26 ossec-agent: DEBUG: Entering LogCollectorStart().
2007/05/23 15:42:26 ossec-agent(1951): Analyzing event log: 'Application'.
2007/05/23 15:42:27 ossec-agent(1951): Analyzing event log: 'Security'.
2007/05/23 15:43:17 ossec-monitord(1225): SIGNAL Received. Exit Cleaning...
2007/05/23 15:43:17 ossec-logcollector(1225): SIGNAL Received. Exit Cleaning...
2007/05/23 15:43:17 ossec-remoted(1225): SIGNAL Received. Exit Cleaning...
2007/05/23 15:43:17 ossec-syscheckd(1225): SIGNAL Received. Exit Cleaning...
2007/05/23 15:43:17 ossec-analysisd(1225): SIGNAL Received. Exit Cleaning...
2007/05/23 15:43:17 ossec-maild(1225): SIGNAL Received. Exit Cleaning...
2007/05/23 15:43:51 ossec-analysisd(1227): Error applying XML variables: 'invalid/unknown sender domain.'.
2007/05/23 15:43:51 ossec-analysisd(1220): Error loading the rules: 'postfix_rules.xml'.
2007/05/23 15:43:55 ossec-analysisd(1227): Error applying XML variables: 'Multiple Windows error events.'.
2007/05/23 15:43:55 ossec-analysisd(1220): Error loading the rules: 'msauth_rules.xml'.
2007/05/23 15:44:00 ossec-analysisd(1227): Error applying XML variables: '^http://kh.google.com/flatfile'.
2007/05/23 15:44:00 ossec-analysisd(1220): Error loading the rules: 'squid_rules.xml'.
2007/05/23 15:44:04 ossec-maild: Started (pid: 8245).
2007/05/23 15:44:04 ossec-execd(1350): Active response disabled. Exiting.
2007/05/23 15:44:04 ossec-logcollector: DEBUG: Waiting main daemons to settle.
2007/05/23 15:44:04 ossec-analysisd: Reading rules file: 'rules_config.xml'
2007/05/23 15:44:04 ossec-analysisd: Reading rules file: 'pam_rules.xml'
2007/05/23 15:44:04 ossec-analysisd: Reading rules file: 'sshd_rules.xml'
2007/05/23 15:44:04 ossec-analysisd: Reading rules file: 'telnetd_rules.xml'
2007/05/23 15:44:04 ossec-analysisd: Reading rules file: 'syslog_rules.xml'
2007/05/23 15:44:04 ossec-remoted: Started (pid: 17578).
2007/05/23 15:44:04 ossec-remoted(1501): No IP or network allowed in the access list for syslog. No reason for running it. Exiting.
2007/05/23 15:44:04 ossec-remoted: Started (pid: 6851).
2007/05/23 15:44:04 ossec-analysisd: Reading rules file: 'arpwatch_rules.xml'
2007/05/23 15:44:04 ossec-analysisd: Reading rules file: 'symantec-av_rules.xml'
2007/05/23 15:44:04 ossec-analysisd: Reading rules file: 'pix_rules.xml'
2007/05/23 15:44:04 ossec-analysisd: Reading rules file: 'named_rules.xml'
2007/05/23 15:44:04 ossec-analysisd: Reading rules file: 'smbd_rules.xml'
2007/05/23 15:44:04 ossec-analysisd: Reading rules file: 'vsftpd_rules.xml'
2007/05/23 15:44:04 ossec-analysisd: Reading rules file: 'pure-ftpd_rules.xml'
2007/05/23 15:44:04 ossec-analysisd: Reading rules file: 'proftpd_rules.xml'
2007/05/23 15:44:04 ossec-analysisd: Reading rules file: 'ms_ftpd_rules.xml'
2007/05/23 15:44:04 ossec-analysisd: Reading rules file: 'hordeimp_rules.xml'
2007/05/23 15:44:04 ossec-analysisd: Reading rules file: 'vpopmail_rules.xml'
2007/05/23 15:44:04 ossec-analysisd: Reading rules file: 'web_rules.xml'
2007/05/23 15:44:04 ossec-analysisd: Reading rules file: 'apache_rules.xml'
2007/05/23 15:44:04 ossec-analysisd: Reading rules file: 'ids_rules.xml'
2007/05/23 15:44:04 ossec-analysisd: Reading rules file: 'squid_rules.xml'
2007/05/23 15:44:04 ossec-analysisd: Reading rules file: 'firewall_rules.xml'
2007/05/23 15:44:04 ossec-analysisd: Reading rules file: 'netscreenfw_rules.xml'
2007/05/23 15:44:04 ossec-analysisd: Reading rules file: 'postfix_rules.xml'
2007/05/23 15:44:04 ossec-analysisd: Reading rules file: 'sendmail_rules.xml'
2007/05/23 15:44:04 ossec-analysisd: Reading rules file: 'imapd_rules.xml'
2007/05/23 15:44:04 ossec-analysisd: Reading rules file: 'mailscanner_rules.xml'
2007/05/23 15:44:04 ossec-analysisd: Reading rules file: 'ms-exchange_rules.xml'
2007/05/23 15:44:04 ossec-analysisd: Reading rules file: 'racoon_rules.xml'
2007/05/23 15:44:04 ossec-analysisd: Reading rules file: 'vpn_concentrator_rules.xml'
2007/05/23 15:44:04 ossec-analysisd: Reading rules file: 'spamd_rules.xml'
2007/05/23 15:44:04 ossec-analysisd: Reading rules file: 'msauth_rules.xml'
2007/05/23 15:44:04 ossec-analysisd: Reading rules file: 'attack_rules.xml'
2007/05/23 15:44:04 ossec-analysisd: Reading rules file: 'zeus_rules.xml'
2007/05/23 15:44:04 ossec-analysisd: Reading rules file: 'ossec_rules.xml'
2007/05/23 15:44:04 ossec-analysisd: Reading rules file: 'local_rules.xml'
2007/05/23 15:44:04 ossec-analysisd: Total rules enabled: '559'
2007/05/23 15:44:04 ossec-analysisd: Ignoring file: '/etc/mtab'
2007/05/23 15:44:04 ossec-analysisd: Ignoring file: '/etc/mnttab'
2007/05/23 15:44:04 ossec-analysisd: Ignoring file: '/etc/hosts.deny'
2007/05/23 15:44:04 ossec-analysisd: Ignoring file: '/etc/mail/statistics'
2007/05/23 15:44:04 ossec-analysisd: Ignoring file: '/etc/random-seed'
2007/05/23 15:44:04 ossec-analysisd: Ignoring file: '/etc/adjtime'
2007/05/23 15:44:04 ossec-analysisd: Ignoring file: '/etc/httpd/logs'
2007/05/23 15:44:04 ossec-analysisd: Ignoring file: '/etc/utmpx'
2007/05/23 15:44:04 ossec-analysisd: Ignoring file: '/etc/wtmpx'
2007/05/23 15:44:04 ossec-analysisd: Ignoring file: '/etc/cups/certs'
2007/05/23 15:44:04 ossec-analysisd: Ignoring file: 'C:\WINDOWS/System32/LogFiles'
2007/05/23 15:44:04 ossec-analysisd: Ignoring file: 'C:\WINDOWS/Debug'
2007/05/23 15:44:04 ossec-analysisd: Ignoring file: 'C:\WINDOWS/WindowsUpdate.log'
2007/05/23 15:44:04 ossec-analysisd: Ignoring file: 'C:\WINDOWS/iis6.log'
2007/05/23 15:44:04 ossec-analysisd: Ignoring file: 'C:\WINDOWS/system32/wbem/Logs'
2007/05/23 15:44:04 ossec-analysisd: Ignoring file: 'C:\WINDOWS/system32/wbem/Repository'
2007/05/23 15:44:04 ossec-analysisd: Ignoring file: 'C:\WINDOWS/Prefetch'
2007/05/23 15:44:04 ossec-analysisd: Ignoring file: 'C:\WINDOWS/PCHEALTH/HELPCTR/DataColl'
2007/05/23 15:44:04 ossec-analysisd: Ignoring file: 'C:\WINDOWS/SoftwareDistribution'
2007/05/23 15:44:04 ossec-analysisd: Ignoring file: 'C:\WINDOWS/Temp'
2007/05/23 15:44:04 ossec-analysisd: Ignoring file: 'C:\WINDOWS/system32/config'
2007/05/23 15:44:04 ossec-analysisd: Ignoring file: 'C:\WINDOWS/system32/spool'
2007/05/23 15:44:04 ossec-analysisd: Ignoring file: 'C:\WINDOWS/system32/CatRoot'
2007/05/23 15:44:04 ossec-analysisd: Started (pid: 25740).
2007/05/23 15:44:05 ossec-remoted: No previous counter available for 'den-ev-00'.
2007/05/23 15:44:05 ossec-remoted: Assigning counter for agent den-ev-00: '0:0'.
2007/05/23 15:44:05 ossec-remoted: Assigning sender counter: 0:10
2007/05/23 15:44:05 ossec-monitord: Started (pid: 6215).
2007/05/23 15:44:07 ossec-syscheckd: Started (pid: 8239).
2007/05/23 15:44:07 ossec-rootcheck: Started (pid: 8239).
2007/05/23 15:44:10 ossec-logcollector: (unix_domain) Maximum send buffer set to: '6400'.
2007/05/23 15:44:10 ossec-logcollector: DEBUG: Entering LogCollectorStart().
2007/05/23 15:44:10 ossec-logcollector(1950): Analyzing file: '/var/log/messages'.
2007/05/23 15:44:10 ossec-logcollector(1950): Analyzing file: '/var/log/authlog'.
2007/05/23 15:44:10 ossec-logcollector(1950): Analyzing file: '/var/log/secure'.
2007/05/23 15:44:10 ossec-logcollector(1950): Analyzing file: '/var/log/userlog'.
2007/05/23 15:44:10 ossec-logcollector(1950): Analyzing file: '/var/log/xferlog'.
2007/05/23 15:44:10 ossec-logcollector(1950): Analyzing file: '/var/log/mail.info'.
2007/05/23 15:44:10 ossec-logcollector(1950): Analyzing file: '/var/log/maillog'.
2007/05/23 15:44:10 ossec-logcollector(1950): Analyzing file: '/var/www/logs/access_log'.
2007/05/23 15:44:10 ossec-logcollector(1950): Analyzing file: '/var/www/logs/error_log'.
2007/05/23 15:44:10 ossec-logcollector(1950): Analyzing file: '/syslog/firewall/asa'.
2007/05/23 15:44:10 ossec-logcollector(1950): Analyzing file: '/syslog/firewall/pix'.
2007/05/23 15:44:10 ossec-logcollector: Started (pid: 29005).

-- 
Ed Vazquez
You don't have to know how the computer works, just how to work the computer.

23 May 2007 15:42:41
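A debug dump like the one above mixes agent and server output, startup noise and the handful of lines that actually matter. The script below is an added example (not part of Ed's post or of OSSEC itself) that parses OSSEC's `YYYY/MM/DD HH:MM:SS daemon(id): message` log format and pulls out what a triage reader looks for first: which rule files failed to load and why, which daemons exited on their own, whether the agent reached the "Connected to the server" state (message id 4102 in the post), and the final rule count. The sample lines are copied from the post; the regexes, field names and the `triage` report layout are this example's own choices, not anything OSSEC defines.

```python
import re

# OSSEC ossec.log line shape: "2007/05/23 15:44:04 ossec-analysisd(1220): message"
# The "(id)" part is optional; DEBUG lines and many INFO lines omit it.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<daemon>[\w-]+)(?:\((?P<id>\d+)\))?: (?P<msg>.*)$"
)
RULE_LOAD_RE = re.compile(r"Error loading the rules: '([^']+)'")
XML_VAR_RE = re.compile(r"Error applying XML variables: '(.*)'\.$")
TOTAL_RULES_RE = re.compile(r"Total rules enabled: '(\d+)'")
AGENT_CONNECTED_ID = "4102"  # id on "Connected to the server." in the post

# Excerpt copied from the post above, plus one non-log trailer line
# (the signature) to show how unparseable lines are handled.
SAMPLE_LOG = """\
2007/05/23 15:42:09 ossec-agent: DEBUG: Reading agent configuration.
2007/05/23 15:42:09 ossec-agent: Connecting to server (172.16.17.205:1514).
2007/05/23 15:42:24 ossec-agent(4101): Waiting for server reply (not started).
2007/05/23 15:42:26 ossec-agent(4102): Connected to the server.
2007/05/23 15:42:26 ossec-agent: DEBUG: Sending keep alive message.
2007/05/23 15:43:17 ossec-remoted(1225): SIGNAL Received. Exit Cleaning...
2007/05/23 15:43:51 ossec-analysisd(1227): Error applying XML variables: 'invalid/unknown sender domain.'.
2007/05/23 15:43:51 ossec-analysisd(1220): Error loading the rules: 'postfix_rules.xml'.
2007/05/23 15:43:55 ossec-analysisd(1227): Error applying XML variables: 'Multiple Windows error events.'.
2007/05/23 15:43:55 ossec-analysisd(1220): Error loading the rules: 'msauth_rules.xml'.
2007/05/23 15:44:00 ossec-analysisd(1227): Error applying XML variables: '^http://kh.google.com/flatfile'.
2007/05/23 15:44:00 ossec-analysisd(1220): Error loading the rules: 'squid_rules.xml'.
2007/05/23 15:44:04 ossec-execd(1350): Active response disabled. Exiting.
2007/05/23 15:44:04 ossec-remoted(1501): No IP or network allowed in the access list for syslog. No reason for running it. Exiting.
2007/05/23 15:44:04 ossec-analysisd: Total rules enabled: '559'
2007/05/23 15:44:04 ossec-analysisd: Started (pid: 25740).
-- Ed Vazquez
"""


def parse(text):
    """Yield one dict per well-formed log line; count lines that do not match."""
    events, unparsed = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
        elif line.strip():
            unparsed += 1
    return events, unparsed


def triage(text):
    """Reduce a raw ossec.log dump to the facts a troubleshooter needs."""
    events, unparsed = parse(text)
    report = {
        "events": len(events),
        "unparsed": unparsed,
        "debug_lines": 0,
        "rules_failed_to_load": [],   # file names, in order of failure
        "xml_variable_errors": [],    # the variable text analysisd rejected
        "daemons_exited": {},         # daemon -> message ending in "Exiting."
        "agent_connected": False,
        "total_rules": None,
    }
    for ev in events:
        msg = ev["msg"]
        if msg.startswith("DEBUG:"):
            report["debug_lines"] += 1
        if m := RULE_LOAD_RE.match(msg):
            report["rules_failed_to_load"].append(m.group(1))
        if m := XML_VAR_RE.match(msg):
            report["xml_variable_errors"].append(m.group(1))
        if msg.endswith("Exiting."):
            report["daemons_exited"][ev["daemon"]] = msg
        if ev["id"] == AGENT_CONNECTED_ID:
            report["agent_connected"] = True
        if m := TOTAL_RULES_RE.match(msg):
            report["total_rules"] = int(m.group(1))
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the full dump, the report makes the sequence visible: the three rule files are rejected at 15:43:51 to 15:44:00, yet the analysisd instance that starts at 15:44:04 reads every file and reports 559 rules enabled, so the failures belong to an earlier start attempt. The two "Exiting." lines are expected for this configuration (active response disabled, no syslog senders allowed), which is the kind of distinction worth making before reading further into a 100-line debug log.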