Hi Peter, >From your log, it looks like that the agent is working fine, but for some reason losing the connection to the server very often (and reconnecting right away). Are you getting events from this agent? Is there an entry for it at /var/ossec/queue/syscheck ? Is your server reporting that the agent is going down?
It is funny that I saw this already on another Windows 2003 system, but could not reproduce it anywhere else... Thanks, -- Daniel B. Cid dcid ( at ) ossec.net On 10/18/07, Peter M. Abraham <[EMAIL PROTECTED]> wrote: > > Greetings: > > The steps listed on > http://www.ossec.net/wiki/index.php/Errors:AgentCommunication > worked for a CentOS 5, 64-bit machine; but did not work on Windows > 2003, 64-bit. > > 2007/10/17 21:12:00 ossec-agent: Assigning sender counter: 15:3287 > 2007/10/17 21:12:00 ossec-agent: Connecting to server ([central server > ip]:1514). > 2007/10/17 21:12:00 ossec-agent: Starting syscheckd thread. > 2007/10/17 21:12:00 ossec-rootcheck: Started (pid: 1108). > 2007/10/17 21:12:00 ossec-agent: Monitoring registry entry: > 'HKEY_LOCAL_MACHINE\Software\Classes'. > 2007/10/17 21:12:00 ossec-agent: Monitoring registry entry: > 'HKEY_LOCAL_MACHINE\Software\Microsoft'. > 2007/10/17 21:12:00 ossec-agent: Monitoring registry entry: > 'HKEY_LOCAL_MACHINE\Software\Policies'. > 2007/10/17 21:12:00 ossec-agent: Monitoring registry entry: > 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control'. > 2007/10/17 21:12:00 ossec-agent: Monitoring registry entry: > 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services'. > 2007/10/17 21:12:00 ossec-agent: Monitoring registry entry: > 'HKEY_LOCAL_MACHINE\Security'. > 2007/10/17 21:12:00 ossec-agent: Monitoring directory: 'C:\WINDOWS'. > 2007/10/17 21:12:00 ossec-agent: Started (pid: 1108). > 2007/10/17 21:12:01 ossec-agent(4102): Connected to the server. > 2007/10/17 21:12:01 ossec-agent(1951): Analyzing event log: > 'Application'. > 2007/10/17 22:29:55 ossec-agent: Event count after '20000': 4135462- > >3503968 (84%) > 2007/10/17 23:35:24 ossec-agent: Server unavailable. Setting lock. > 2007/10/17 23:35:25 ossec-agent: Server responded. Releasing lock. > 2007/10/18 00:27:26 ossec-agent: Server unavailable. Setting lock. > 2007/10/18 00:27:29 ossec-agent: Server responded. Releasing lock. > 2007/10/18 01:32:46 ossec-agent: Server unavailable. Setting lock. > 2007/10/18 01:32:47 ossec-agent: Server responded. Releasing lock. > 2007/10/18 02:51:07 ossec-agent: Server unavailable. Setting lock. > 2007/10/18 02:51:08 ossec-agent: Server responded. Releasing lock. > 2007/10/18 03:23:39 ossec-agent: Server unavailable. Setting lock. > 2007/10/18 03:23:42 ossec-agent: Server responded. Releasing lock. > 2007/10/18 03:56:13 ossec-agent: Server unavailable. Setting lock. > 2007/10/18 03:56:14 ossec-agent: Server responded. Releasing lock. > 2007/10/18 05:20:58 ossec-agent: Server unavailable. Setting lock. > 2007/10/18 05:20:59 ossec-agent: Server responded. Releasing lock. > 2007/10/18 06:06:30 ossec-agent: Server unavailable. Setting lock. > 2007/10/18 06:06:33 ossec-agent: Server responded. Releasing lock. > 2007/10/18 06:39:04 ossec-agent: Server unavailable. Setting lock. > 2007/10/18 06:39:05 ossec-agent: Server responded. Releasing lock. > 2007/10/18 07:11:36 ossec-agent: Server unavailable. Setting lock. > 2007/10/18 07:11:39 ossec-agent: Server responded. Releasing lock. > 2007/10/18 07:44:09 ossec-agent: Server unavailable. Setting lock. > 2007/10/18 07:44:12 ossec-agent: Server responded. Releasing lock. > > > How can this be fixed? > > Thank you. > >
