Hi,

I am guessing this is a problem in the configuration of the keys. From the log, the server is saying that the key used by the agent doesn't match what it has in there...

Are these systems behind a NAT device? I mean, are the server and the agents all in the same LAN or just the two agents?

Take a look at the following entries in the FAQ:

http://www.ossec.net/wiki/index.php/Errors:AgentCommunication
http://www.ossec.net/wiki/index.php/Errors:1403

And see if they can help you. If not, please give us the following info:

http://www.ossec.net/wiki/index.php/Community_manual:BugReport

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On 10/15/07, Ry Mills <[EMAIL PROTECTED]> wrote:
> My server is set up on Ubuntu. I have 2 Windows XP PCs and 1 W2K server
> set up with the Windows client. The first PC I set up works fine. I then set up
> the W2K Server and the other XP server and get the Waiting for server reply
> response. All of these systems are on our LAN which doesn't go through a
> firewall and firewall is not active on the XP PCs. Any ideas on what might
> be causing this? At the very bottom is the server log pertaining to these
> two clients. Any ideas on what is going on?
>
> XP client Log which does not work
>
> 2007/10/10 14:45:01 ossec-agent: Connecting to server (192.168.2.96:1514).
> 2007/10/10 14:45:01 ossec-agent: Starting syscheckd thread.
> 2007/10/10 14:45:01 ossec-rootcheck: Started (pid: 720).
> 2007/10/10 14:45:01 ossec-agent: Monitoring registry entry:
> 'HKEY_LOCAL_MACHINE\Software\Classes'.
> 2007/10/10 14:45:01 ossec-agent: Monitoring registry entry:
> 'HKEY_LOCAL_MACHINE\Software\Microsoft'.
> 2007/10/10 14:45:01 ossec-agent: Monitoring registry entry:
> 'HKEY_LOCAL_MACHINE\Software\Policies'.
> 2007/10/10 14:45:01 ossec-agent: Monitoring registry entry:
> 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control'.
> 2007/10/10 14:45:01 ossec-agent: Monitoring registry entry:
> 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services'.
> 2007/10/10 14:45:01 ossec-agent: Monitoring registry entry:
> 'HKEY_LOCAL_MACHINE\Security'.
> 2007/10/10 14:45:01 ossec-agent: Monitoring directory: 'C:\WINDOWS'.
> 2007/10/10 14:45:01 ossec-agent: Started (pid: 720).
> 2007/10/10 14:45:16 ossec-agent(4101): Waiting for server reply (not
> started).
> 2007/10/10 14:45:32 ossec-agent(4101): Waiting for server reply (not
> started).
> 2007/10/10 14:46:03 ossec-agent(4101): Waiting for server reply (not
> started).
> 2007/10/10 14:46:49 ossec-agent(4101): Waiting for server reply (not
> started).
> 2007/10/10 14:47:50 ossec-agent(4101): Waiting for server reply (not
> started).
> 2007/10/10 14:49:06 ossec-agent(4101): Waiting for server reply (not
> started).
> 2007/10/10 14:50:37 ossec-agent(4101): Waiting for server reply (not
> started).
> 2007/10/10 14:52:23 ossec-agent(4101): Waiting for server reply (not
> started).
> 2007/10/10 14:54:24 ossec-agent(4101): Waiting for server reply (not
> started).
> 2007/10/10 14:56:40 ossec-agent(4101): Waiting for server reply (not
> started).
> 2007/10/10 14:59:11 ossec-agent(4101): Waiting for server reply (not
> started).
> 2007/10/10 15:01:57 ossec-agent(4101): Waiting for server reply (not
> started).
> 2007/10/10 15:04:58 ossec-agent(4101): Waiting for server reply (not
> started).
> 2007/10/10 15:08:14 ossec-agent(4101): Waiting for server reply (not
> started).
> 2007/10/10 15:11:45 ossec-agent(4101): Waiting for server reply (not
> started).
> 2007/10/10 15:12:58 ossec-agent: Server unavailable. Setting lock.
>
> XP client log which does work
>
> 2007/10/05 14:24:24 ossec-agent: Connecting to server (192.168.2.96:1514).
> 2007/10/05 14:24:24 ossec-agent: Starting syscheckd thread.
> 2007/10/05 14:24:24 ossec-rootcheck: Started (pid: 792).
> 2007/10/05 14:24:24 ossec-agent: Monitoring registry entry:
> 'HKEY_LOCAL_MACHINE\Software\Classes'.
> 2007/10/05 14:24:24 ossec-agent: Monitoring registry entry:
> 'HKEY_LOCAL_MACHINE\Software\Microsoft'.
> 2007/10/05 14:24:24 ossec-agent: Monitoring registry entry:
> 'HKEY_LOCAL_MACHINE\Software\Policies'.
> 2007/10/05 14:24:24 ossec-agent: Monitoring registry entry:
> 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control'.
> 2007/10/05 14:24:24 ossec-agent: Monitoring registry entry:
> 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services'.
> 2007/10/05 14:24:24 ossec-agent: Monitoring registry entry:
> 'HKEY_LOCAL_MACHINE\Security'.
> 2007/10/05 14:24:24 ossec-agent: Monitoring directory: 'C:\WINDOWS'.
> 2007/10/05 14:24:24 ossec-agent: Started (pid: 792).
> 2007/10/05 14:24:25 ossec-agent(4102): Connected to the server.
> 2007/10/05 14:24:26 ossec-agent(1951): Analyzing event log: 'Application'.
> 2007/10/05 14:24:29 ossec-agent(1123): Unable to delete file:
> 'shared/ar.conf'.
> 2007/10/05 14:24:31 ossec-agent(1951): Analyzing event log: 'Security'.
> 2007/10/05 14:24:33 ossec-agent(1951): Analyzing event log: 'System'.
> 2007/10/05 14:24:36 ossec-agent(1952): Monitoring variable log file:
> 'C:\WINDOWS\System32\LogFiles\W3SVC1\ex071005.log'.
> 2007/10/05 14:24:36 ossec-agent(1103): Unable to open file
> 'C:\WINDOWS\System32\LogFiles\W3SVC1\ex071005.log'.
> 2007/10/05 14:24:36 ossec-agent(1950): Analyzing file:
> 'C:\WINDOWS\System32\LogFiles\W3SVC1\ex071005.log'.
> 2007/10/05 14:24:36 ossec-agent: Started (pid: 792).
>
> Server Log
>
> Ossec-remoted(1403) : Incorrectly formatted message from IP (This is from my
> Windows 2000 Client)
>
> Ossec-remoted(1213) : Message from IP not allowed (This is from my XP
> client). As a reminder my XP clients do not run Windows firewall and there
> is no firewall between client/server.
>
> Any help would be appreciated.
>
> Thanks.
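
A triage sketch for the two ossec-remoted errors quoted in this thread, added here as an example; it is not part of the original messages or of OSSEC's own code. It cross-checks the source IP of each 1403/1213 line against the server's `client.keys` entries (`id name ip key`, where the IP may also be `any` or a CIDR range). The agent names, addresses, keys and the function names `parse_keys` and `triage` are assumptions made for the illustration.

```python
import ipaddress
import re

# Constructed server-side client.keys; names, IPs and keys are made up.
CLIENT_KEYS = """\
001 xp-pc1 192.168.2.10 constructed-key-aaaa
002 w2k-srv 192.168.2.20 constructed-key-bbbb
003 xp-pc2 192.168.2.30 constructed-key-cccc
"""

# Constructed log lines in the shape quoted in the thread, with made-up IPs.
SERVER_LOG = """\
ossec-remoted(1403): Incorrectly formatted message from 192.168.2.20
ossec-remoted(1213): Message from 192.168.2.31 not allowed
"""

LINE_RE = re.compile(r"ossec-remoted\((1403|1213)\).*?from\s+'?(\d+(?:\.\d+){3})", re.I)
HINTS = {  # keyed on (error code, does any client.keys entry cover the source IP)
    ("1213", False): "source IP matches no entry: check the IP given at enrolment, or NAT",
    ("1213", True): "an entry covers this IP: confirm the running server loaded this file",
    ("1403", True): "IP is registered: compare the key imported on the agent with this entry",
    ("1403", False): "IP is not registered and the message could not be decoded",
}

def parse_keys(text):
    """Return (id, name, network) per entry; 'any' matches every address."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        agent_id, name, ip, _key = parts
        net = "0.0.0.0/0" if ip == "any" else ip
        entries.append((agent_id, name, ipaddress.ip_network(net, strict=False)))
    return entries

def triage(log_text, keys_text):
    """Map each 1403/1213 line to the agents registered for its source IP."""
    entries = parse_keys(keys_text)
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        code, src = m.group(1), ipaddress.ip_address(m.group(2))
        owners = [name for _id, name, net in entries if src in net]
        findings.append((code, str(src), owners, HINTS[(code, bool(owners))]))
    return findings
```

In the constructed data the 1213 source differs by one digit from the enrolled address, which is the kind of mismatch a mistyped IP or a NAT hop produces.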
