That makes sense if the server isn't running. Here's a sampling of the log;
I've truncated the mutex events. The weird thing was the server was running
and we didn't change anything network-wise. Also, I'm seeing servers go
"inactive" on the web interface and then come right back. Is there polling
related to this?
2007/04/22 02:32:59 ossec-agent(1950): Analyzing file: 'C:\Server'.
2007/04/22 02:32:59 ossec-agent: Started (pid: 2128).
2007/05/01 12:37:03 ossec-agent: Event count after '20000': 3869519->3183320 (82%)
2007/05/11 00:40:29 ossec-agent: Server unavailable. Setting lock.
2007/05/11 00:58:04 ossec-agent: Error waiting mutex (timeout).
2007/05/11 00:58:19 ossec-agent: Error waiting mutex (timeout).
2007/05/11 00:58:34 ossec-agent: Error waiting mutex (timeout).
2007/05/11 00:58:49 ossec-agent: Error waiting mutex (timeout).
2007/06/04 14:33:14 ossec-agent: Error waiting mutex (timeout).
2007/06/04 14:33:29 ossec-agent: Error waiting mutex (timeout).
2007/06/04 14:33:44 ossec-agent: Error waiting mutex (timeout).
2007/06/04 14:33:59 ossec-agent: Error waiting mutex (timeout).
2007/06/04 14:34:14 ossec-agent: Error waiting mutex (timeout).
2007/06/04 14:34:29 ossec-agent: Error waiting mutex (timeout).
2007/06/04 14:34:44 ossec-agent: Error waiting mutex (timeout).
2007/06/04 14:34:59 ossec-agent: Error waiting mutex (timeout).
2007/06/04 14:35:14 ossec-agent: Error waiting mutex (timeout).
2007/06/04 14:35:15 ossec-agent: Server responded. Releasing lock.
2007/06/12 15:40:31 ossec-agent: Received exit signal.
2007/06/12 15:40:31 ossec-agent: Exiting...
2007/06/12 15:40:36 ossec-agent: Assigning counter for agent WINDOWSSERVER: '74:6011'.
2007/06/12 15:40:36 ossec-agent: Assigning sender counter: 7:212
2007/06/12 15:40:36 ossec-agent: Connecting to server (10.16.4.55:1514).
2007/06/12 15:40:36 ossec-agent: Starting syscheckd thread.
2007/06/12 15:40:36 ossec-agent: Monitoring directory: 'E:\Program Files\EDJ Enterprises\JAM'.
2007/06/12 15:40:36 ossec-agent: Monitoring directory: 'E:\Program Files\EXCEPTion 3.1'.
2007/06/12 15:40:36 ossec-agent: Monitoring directory: 'F:\Program Files'.
2007/06/12 15:40:36 ossec-agent: Monitoring directory: 'C:\windows'.
2007/06/12 15:40:51 ossec-agent(4101): Waiting for server reply (not started).
2007/06/12 15:41:07 ossec-agent(4101): Waiting for server reply (not started).
2007/06/12 15:41:38 ossec-agent(4101): Waiting for server reply (not started).
2007/06/12 15:42:09 ossec-agent(4102): Connected to the server.
2007/06/12 15:42:09 ossec-agent(1950): Analyzing file: 'C:\Server'.
2007/06/12 15:42:09 ossec-agent: Started (pid: 5776).
2007/06/12 16:19:01 ossec-agent: Event count after '20000': 4589470->3682264 (80%)
2007/06/26 11:46:11 ossec-agent: Received exit signal.
2007/06/26 11:46:11 ossec-agent: Exiting...
2007/06/26 11:46:16 ossec-agent: Assigning counter for agent WINDOWSSERVER: '1636:3920'.
2007/06/26 11:46:16 ossec-agent: Assigning sender counter: 10:3434
2007/06/26 11:46:16 ossec-agent: Connecting to server (10.16.4.55:1514).
2007/06/26 11:46:16 ossec-agent: Starting syscheckd thread.
2007/06/26 11:46:16 ossec-agent: Monitoring directory: 'E:\Program Files\EDJ Enterprises\JAM'.
2007/06/26 11:46:16 ossec-agent: Monitoring directory: 'E:\Program Files\EXCEPTion 3.1'.
2007/06/26 11:46:16 ossec-agent: Monitoring directory: 'F:\Program Files'.
2007/06/26 11:46:16 ossec-agent: Monitoring directory: 'C:\windows'.
2007/06/26 11:46:31 ossec-agent(4101): Waiting for server reply (not started).
2007/06/26 11:46:47 ossec-agent(4101): Waiting for server reply (not started).
2007/06/26 11:47:03 ossec-agent(4102): Connected to the server.
2007/06/26 11:47:03 ossec-agent(1950): Analyzing file: 'C:\Server'.
2007/06/26 11:47:03 ossec-agent: Started (pid: 5600).
2007/06/26 12:26:13 ossec-agent: Event count after '20000': 4526762->3648976 (80%)
And here's the config for the agent.
<!-- Agent Example Configuration -->
<!-- First, change the server-ip to the IP of your OSSEC HIDS server. -->
<!-- Second, add any extra file that you may want to monitor. -->
<ossec_config>
<client>
<!-- IP address of the Ossec HIDS server -->
<server-ip>10.16.4.55</server-ip>
</client>
<localfile>
<location>C:\Server</location>
<log_format>syslog</log_format>
</localfile>
</ossec_config>
<ossec_config>
<syscheck>
<frequency>7200</frequency>
</syscheck>
</ossec_config>
<!-- syscheck config -->
<ossec_config>
<syscheck>
<directories check_all="yes">C:\windows</directories>
<ignore>C:\WINDOWS/System32/LogFiles</ignore>
<ignore>C:\WINDOWS/WindowsUpdate.log</ignore>
<ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
<ignore>C:\WINDOWS/Prefetch</ignore>
<ignore>C:\WINDOWS/Debug</ignore>
<ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
<ignore>C:\WINDOWS/SoftwareDistribution</ignore>
<ignore>C:\WINDOWS/Temp</ignore>
<ignore>C:\WINDOWS/SchedLgU.Txt</ignore>
<ignore>C:\WINDOWS/system32/config</ignore>
<ignore>C:\WINDOWS/system32/CatRoot</ignore>
<ignore>C:\WINDOWS/system32/wbem/Repository</ignore>
<ignore>C:\WINDOWS/iis6.log</ignore>
<ignore>C:\WINDOWS/system32/MsDtc/Trace/dtctrace.log</ignore>
<ignore>C:\WINDOWS/pfirewall.log</ignore>
<ignore>C:\WINDOWS/wiaservc.log</ignore>
<ignore>C:\WINDOWS/setupapi.log</ignore>
<ignore>C:\WINDOWS/LastGood.Tmp</ignore>
<ignore>C:\WINDOWS/LastGood</ignore>
<ignore>C:\WINDOWS/Help</ignore>
<ignore>C:\WINDOWS/Fonts</ignore>
<ignore>C:\WINDOWS/PCHEALTH</ignore>
<ignore>C:\WINDOWS/wiadebug.log</ignore>
<ignore>C:\WINDOWS/system32/CCM</ignore>
<ignore>C:\WINDOWS/system32/VPCache</ignore>
<ignore>C:\WINDOWS/repair/Backup/ServiceState/EventLogs</ignore>
</syscheck>
</ossec_config>
And here's the config for the server.
<ossec_config>
<global>
<email_notification>yes</email_notification>
<email_to>[EMAIL PROTECTED]</email_to>
<smtp_server>smtp.company.com</smtp_server>
<email_from>[EMAIL PROTECTED]</email_from>
</global>
<syscheck>
<!-- Frequency that syscheck is executed - default every 2 hours -->
<frequency>7200</frequency>
<alert_new_files>yes</alert_new_files>
<auto_ignore>no</auto_ignore>
<!-- Directories to check (perform all possible verifications) -->
<directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
<directories check_all="yes">/bin,/sbin</directories>
<!-- Files/directories to ignore -->
<ignore>/etc/mtab</ignore>
<ignore>/etc/mnttab</ignore>
<ignore>/etc/hosts.deny</ignore>
<ignore>/etc/mail/statistics</ignore>
<ignore>/etc/random-seed</ignore>
<ignore>/etc/adjtime</ignore>
<ignore>/etc/httpd/logs</ignore>
<ignore>/etc/utmpx</ignore>
<ignore>/etc/wtmpx</ignore>
<ignore>/etc/cups/certs</ignore>
<!-- Windows files to ignore -->
<ignore>C:\ossi/log</ignore>
<ignore>C:\WINDOWS/randseed.rnd</ignore>
<ignore>C:\WINDOWS/System32/LogFiles</ignore>
<ignore>C:\WINDOWS/Cluster</ignore>
<ignore>C:\WINDOWS/Debug</ignore>
<ignore>C:\WINDOWS/WindowsUpdate.log</ignore>
<ignore>C:\WINDOWS/iis6.log</ignore>
<ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
<ignore>C:\WINDOWS/system32/wbem/Repository</ignore>
<ignore>C:\WINDOWS/Prefetch</ignore>
<ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
<ignore>C:\WINDOWS/SoftwareDistribution</ignore>
<ignore>C:\WINDOWS/Temp</ignore>
<ignore>C:\WINDOWS/system32/config</ignore>
<ignore>C:\WINDOWS/system32/spool</ignore>
<ignore>C:\WINDOWS/system32/CatRoot</ignore>
<ignore>C:\WINDOWS/Tasks</ignore>
<ignore>C:\WINDOWS/system32/msmq</ignore>
<ignore>C:\WINDOWS/SysWOW64/CCM</ignore>
<ignore>C:\WINDOWS/system32/dhcp</ignore>
<ignore>C:\WINDOWS/security</ignore>
<ignore>C:\WINDOWS/repair</ignore>
<ignore>C:\windows/system32/inetsrv</ignore>
<ignore>C:\windows/system32/MsDtc/MSDTC.LOG</ignore>
<ignore>C:\windows/Microsoft.NET</ignore>
<ignore>C:\windows/assembly/GAC</ignore>
<ignore>C:\windows/ntfrs/jet/log/edbtmp.log</ignore>
<ignore>C:\windows/OEWABLog.txt</ignore>
<ignore>C:\WINNT/system32/CCM</ignore>
<ignore>C:\WINNT/security</ignore>
<ignore>C:\WINNT/randseed.rnd</ignore>
<ignore>C:\WINNT/System32/LogFiles</ignore>
<ignore>C:\WINNT/Debug</ignore>
<ignore>C:\WINNT/WINNTUpdate.log</ignore>
<ignore>C:\WINNT/iis6.log</ignore>
<ignore>C:\WINNT/system32/wbem/Logs</ignore>
<ignore>C:\WINNT/system32/wbem/Repository</ignore>
<ignore>C:\WINNT/Prefetch</ignore>
<ignore>C:\WINNT/PCHEALTH/HELPCTR/DataColl</ignore>
<ignore>C:\WINNT/SoftwareDistribution</ignore>
<ignore>C:\WINNT/Temp</ignore>
<ignore>C:\WINNT/system32/config</ignore>
<ignore>C:\WINNT/system32/spool</ignore>
<ignore>C:\WINNT/system32/CatRoot</ignore>
<ignore>C:\WINNT/Tasks</ignore>
<ignore>C:\WINNT/system32/msmq</ignore>
<ignore>C:\WINNT/SysWOW64/CCM</ignore>
<ignore>C:\WINNT/system32/dhcp</ignore>
<ignore>C:\WINNT/security</ignore>
<ignore>C:\WINNT/BGInfo.bmp</ignore>
<ignore>C:\WINDOWS/BGInfo.bmp</ignore>
<ignore>C:\WINNT/WindowsUpdate.log</ignore>
<ignore>C:\WINNT/repair</ignore>
<ignore>C:\WINNT/AdvPack.log</ignore>
<ignore>C:\WINDOWS/WindowsUpdate.log</ignore>
<ignore>E:\Program Files/EDJ Enterprises/JAM/JAMevent.log</ignore>
</syscheck>
<rootcheck>
<rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
<rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
</rootcheck>
<active-response>
<disabled>yes</disabled>
</active-response>
<remote>
<connection>syslog</connection>
</remote>
<remote>
<connection>secure</connection>
</remote>
<alerts>
<log_alert_level>1</log_alert_level>
<email_alert_level>7</email_alert_level>
</alerts>
<!-- Files to monitor (localfiles) -->
<localfile>
<log_format>syslog</log_format>
<location>/var/log/messages</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/secure</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/xferlog</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/maillog</location>
</localfile>
<localfile>
<log_format>apache</log_format>
<location>/var/log/httpd/error_log</location>
</localfile>
<localfile>
<log_format>apache</log_format>
<location>/var/log/httpd/access_log</location>
</localfile>
<localfile>
<log_format>apache</log_format>
<location>/etc/httpd/logs/access_log</location>
</localfile>
<localfile>
<log_format>apache</log_format>
<location>/etc/httpd/logs/error_log</location>
</localfile>
</ossec_config>
<ossec_config> <!-- rules global entry -->
<rules>
<include>rules_config.xml</include>
<include>pam_rules.xml</include>
<include>sshd_rules.xml</include>
<include>telnetd_rules.xml</include>
<include>syslog_rules.xml</include>
<include>arpwatch_rules.xml</include>
<include>symantec-av_rules.xml</include>
<include>pix_rules.xml</include>
<include>named_rules.xml</include>
<include>smbd_rules.xml</include>
<include>vsftpd_rules.xml</include>
<include>pure-ftpd_rules.xml</include>
<include>proftpd_rules.xml</include>
<include>ms_ftpd_rules.xml</include>
<include>hordeimp_rules.xml</include>
<include>vpopmail_rules.xml</include>
<include>web_rules.xml</include>
<include>apache_rules.xml</include>
<include>ids_rules.xml</include>
<include>squid_rules.xml</include>
<include>firewall_rules.xml</include>
<include>netscreenfw_rules.xml</include>
<include>postfix_rules.xml</include>
<include>sendmail_rules.xml</include>
<include>imapd_rules.xml</include>
<include>mailscanner_rules.xml</include>
<include>ms-exchange_rules.xml</include>
<include>racoon_rules.xml</include>
<include>vpn_concentrator_rules.xml</include>
<include>spamd_rules.xml</include>
<include>msauth_rules.xml</include>
<!-- <include>policy_rules.xml</include> -->
<include>attack_rules.xml</include>
<include>zeus_rules.xml</include>
<include>ossec_rules.xml</include>
<include>local_rules.xml</include>
</rules>
</ossec_config> <!-- rules global entry -->
> Hi Rob,
>
> That's expected if the agent can't connect to the server, otherwise
> you have some weird error. Can you provide us with your whole ossec.log
> from the agent? Also, if you can show us the ossec.conf (of the agent),
> it can help too.
>
> *which ossec version are you using?
>
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On 6/26/07, Rob <[EMAIL PROTECTED]> wrote:
> > I've done a search and didn't find any answers as to why I'm seeing this
> > over and over on the windows agents. Any ideas? It goes away when I reboot
> > the ossec server and then recycle the agents themselves. Seems like no
> > alerts go through either.
> >
> > Mix and match of Windows 2000 and 2003 agents.
> >
> >
> > 2007/06/04 14:33:06 ossec-agent: Error waiting mutex (timeout).
> > 2007/06/04 14:33:21 ossec-agent: Error waiting mutex (timeout).
> > 2007/06/04 14:33:36 ossec-agent: Error waiting mutex (timeout).
> >
>
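The log excerpt above can be summarised mechanically rather than read by eye. The following Python script is an added example, not code from this thread or from the OSSEC project: it parses ossec-agent log lines in the format shown above, pairs each "Server unavailable. Setting lock." with the next "Server responded. Releasing lock.", counts the mutex timeouts that fall inside such a lock window and those that fall outside one (the case Daniel distinguishes as a "weird error"), and measures how long each "Connecting to server" attempt took to reach "Connected to the server". The line format and message strings are taken from the post; the sample lines embedded in the script are copied from the excerpt above, and a lock window with no matching release is reported as still open.

```python
"""Summarise server-connectivity events from an OSSEC Windows agent ossec.log."""
import re
from datetime import datetime

# Agent log line shape seen in the post: "YYYY/MM/DD HH:MM:SS ossec-agent[(id)]: message"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"ossec-agent(?:\((?P<id>\d+)\))?: (?P<msg>.*)$"
)
TS_FMT = "%Y/%m/%d %H:%M:%S"

# Sample input: lines copied from the log excerpt in the post above.
SAMPLE_LOG = [
    "2007/05/11 00:40:29 ossec-agent: Server unavailable. Setting lock.",
    "2007/05/11 00:58:04 ossec-agent: Error waiting mutex (timeout).",
    "2007/05/11 00:58:19 ossec-agent: Error waiting mutex (timeout).",
    "2007/06/04 14:35:14 ossec-agent: Error waiting mutex (timeout).",
    "2007/06/04 14:35:15 ossec-agent: Server responded. Releasing lock.",
    "2007/06/12 15:40:31 ossec-agent: Received exit signal.",
    "2007/06/12 15:40:36 ossec-agent: Connecting to server (10.16.4.55:1514).",
    "2007/06/12 15:40:51 ossec-agent(4101): Waiting for server reply (not started).",
    "2007/06/12 15:41:07 ossec-agent(4101): Waiting for server reply (not started).",
    "2007/06/12 15:41:38 ossec-agent(4101): Waiting for server reply (not started).",
    "2007/06/12 15:42:09 ossec-agent(4102): Connected to the server.",
    "2007/06/12 15:42:09 ossec-agent: Started (pid: 5776).",
]


def parse_line(line):
    """Return (timestamp, message) for an agent log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(m.group("ts"), TS_FMT), m.group("msg")


def analyze(lines):
    """Walk the log in order and track lock windows and reconnection attempts.

    Returns a dict with:
      lock_windows: [{start, end, seconds, mutex_timeouts}], end/seconds None if never released
      mutex_timeouts_outside_lock: timeouts logged while no lock was set (the unexpected case)
      reconnects: [{connecting, connected, seconds, waits}], connected/seconds None if never connected
      unparsed: number of lines that did not match the agent log format
    """
    result = {"lock_windows": [], "mutex_timeouts_outside_lock": 0,
              "reconnects": [], "unparsed": 0}
    lock = None     # open lock window, if any
    attempt = None  # open connection attempt, if any
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            result["unparsed"] += 1
            continue
        ts, msg = parsed
        if msg.startswith("Server unavailable. Setting lock."):
            lock = {"start": ts, "end": None, "seconds": None, "mutex_timeouts": 0}
            result["lock_windows"].append(lock)
        elif msg.startswith("Error waiting mutex"):
            if lock is not None and lock["end"] is None:
                lock["mutex_timeouts"] += 1
            else:
                result["mutex_timeouts_outside_lock"] += 1
        elif msg.startswith("Server responded. Releasing lock."):
            if lock is not None and lock["end"] is None:
                lock["end"] = ts
                lock["seconds"] = int((ts - lock["start"]).total_seconds())
        elif msg.startswith("Connecting to server"):
            attempt = {"connecting": ts, "connected": None, "seconds": None, "waits": 0}
            result["reconnects"].append(attempt)
        elif msg.startswith("Waiting for server reply"):
            if attempt is not None and attempt["connected"] is None:
                attempt["waits"] += 1
        elif msg.startswith("Connected to the server"):
            if attempt is not None and attempt["connected"] is None:
                attempt["connected"] = ts
                attempt["seconds"] = int((ts - attempt["connecting"]).total_seconds())
    return result


def report(summary):
    """Render the summary as plain text, one line per finding."""
    out = []
    for w in summary["lock_windows"]:
        end = w["end"].strftime(TS_FMT) if w["end"] else "STILL LOCKED"
        out.append(f"lock {w['start'].strftime(TS_FMT)} -> {end} "
                   f"({w['seconds']} s, {w['mutex_timeouts']} mutex timeouts)")
    out.append(f"mutex timeouts outside any lock window: "
               f"{summary['mutex_timeouts_outside_lock']}")
    for r in summary["reconnects"]:
        end = r["connected"].strftime(TS_FMT) if r["connected"] else "NEVER CONNECTED"
        out.append(f"connect {r['connecting'].strftime(TS_FMT)} -> {end} "
                   f"({r['seconds']} s after {r['waits']} 'Waiting for server reply')")
    out.append(f"unparsed lines: {summary['unparsed']}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(analyze(SAMPLE_LOG)))
```

Run it against a full ossec.log from the agent; a lock window that closes only after hours, or mutex timeouts with no lock set at all, is the thing worth pasting back into a thread like this one.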