The IPs listed WERE the same as on the server (and again, this was not happening on just ONE agent - the log file said all agents had incorrectly formatted messages).
I completely removed and reinstalled the server. I also removed and reinstalled the Windows desktop agent. Now the client log says no server is running:

2008/03/03 15:10:10 ossec-agent(1410): Reading authentication keys file.
2008/03/03 15:10:10 ossec-agent: No previous counter available for 'jcbgateway'.
2008/03/03 15:10:10 ossec-agent: Assigning counter for agent jcbgateway: '0:0'.
2008/03/03 15:10:10 ossec-agent: Assigning sender counter: 14:9166
2008/03/03 15:10:10 ossec-agent: Connecting to server (165.91.107.36:1514).
2008/03/03 15:10:10 ossec-agent: Starting syscheckd thread.
2008/03/03 15:10:10 ossec-rootcheck: Started (pid: 1076).
2008/03/03 15:10:10 ossec-agent: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Policies'.
2008/03/03 15:10:10 ossec-agent: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion'.
2008/03/03 15:10:10 ossec-agent: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion'.
2008/03/03 15:10:10 ossec-agent: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer'.
2008/03/03 15:10:10 ossec-agent: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes'.
2008/03/03 15:10:10 ossec-agent: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control'.
2008/03/03 15:10:10 ossec-agent: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services'.
2008/03/03 15:10:10 ossec-agent: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Security'.
2008/03/03 15:10:10 ossec-agent: Monitoring directory: 'C:\WINDOWS/system32'.
2008/03/03 15:10:10 ossec-agent: Started (pid: 1076).
2008/03/03 15:10:25 ossec-agent(4101): Waiting for server reply (not started).
2008/03/03 15:10:41 ossec-agent(4101): Waiting for server reply (not started).
2008/03/03 15:11:12 ossec-agent(4101): Waiting for server reply (not started).
2008/03/03 15:11:58 ossec-agent(4101): Waiting for server reply (not started).
I go to the server and stop/start the processes and it says that the remoted was not running from the stop command. But when I issue the start, it DOES indicate it's been started.

/var/ossec/bin # /var/ossec/bin/ossec-control stop
Killing ossec-monitord ..
Killing ossec-logcollector ..
ossec-remoted not running ..
Killing ossec-syscheckd ..
Killing ossec-analysisd ..
Killing ossec-maild ..
Killing ossec-execd ..
OSSEC HIDS v1.4 Stopped

:/var/ossec/bin # /var/ossec/bin/ossec-control start
Starting OSSEC HIDS v1.4 (by Daniel B. Cid)...
Started ossec-maild...
Started ossec-execd...
Started ossec-analysisd...
Started ossec-logcollector...
Started ossec-remoted...
Started ossec-syscheckd...
Started ossec-monitord...
Completed.

A PS shows that it is running:

:/var/ossec/bin # ps -ef|grep ossec
root 28505 1 0 Feb07 ? 00:00:00 /var/ossec/bin/ossec-execd
ossec 28509 1 0 Feb07 ? 00:30:28 /var/ossec/bin/ossec-analysisd
root 28513 1 0 Feb07 ? 00:00:00 /var/ossec/bin/ossec-logcollector
ossecr 28518 1 0 Feb07 ? 00:01:05 /var/ossec/bin/ossec-remoted
root 28524 1 0 Feb07 ? 00:31:19 /var/ossec/bin/ossec-syscheckd
ossec 28528 1 0 Feb07 ? 00:00:02 /var/ossec/bin/ossec-monitord
ossecm 10395 1 0 15:04 ? 00:00:00 /var/ossec/bin/ossec-maild
root 10399 1 0 15:04 ? 00:00:00 /var/ossec/bin/ossec-execd
ossec 10403 1 0 15:04 ? 00:00:00 /var/ossec/bin/ossec-analysisd
root 10407 1 0 15:04 ? 00:00:00 /var/ossec/bin/ossec-logcollector
root 10416 1 1 15:04 ? 00:00:00 /var/ossec/bin/ossec-syscheckd
ossec 10420 1 0 15:04 ? 00:00:00 /var/ossec/bin/ossec-monitord
root 10425 10093 0 15:04 pts/0 00:00:00 grep ossec

But when I do a list agents it says no agent is available.

:/var/ossec/bin # /var/ossec/bin/list_agents -a
** No agent available.

Please offer some suggestions. I'm not getting much yield out of this thing and it IS taking up lots of time/focus. If I can't identify a solution it will be time to move on to other projects.
>>> Michael Starks <[EMAIL PROTECTED]> 2/29/2008 9:00 PM >>>
Chuck Braden wrote:
> Can someone offer me any suggestions to try on this? The application is
> pretty much useless if I am not getting any e-mails out of it.
>
>>>> "Chuck Braden" <[EMAIL PROTECTED]> 2/27/2008 9:18 AM >>>
>
> Never since the install of the agent on any Windows desktops have I received
> any e-mails. I look at the /var/ossec/logs file and it says
> ossec-remoted(1403): Incorrectly formated message from
> 'client.ip.address.here'.
>
> Same thing for other IPs that are 'managed'.
>
> I also noticed the svchost.exe that was associated with the ossec-agent.exe
> process was using 50 percent of the CPU this morning. Required a reboot of
> the desktop machine to kill.

Make sure the IP listed in 'list_agents -a' is the same as the one on the server. If that is correct, it may be a key issue and the easiest thing to do would be to remove and reinstall the agent from both the Windows and OSSEC server.
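A check for the two symptoms in this thread, daemon instances from an earlier start that survive 'ossec-control stop' and a stream of 1403 'Incorrectly formated message' events per source IP, as an added example that is not from the thread or the OSSEC project; the ps listing and log lines it parses are constructed samples with placeholder IPs.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of `ps -ef | grep ossec`: stale Feb07 daemons next to a fresh 15:04 start.
PS_SAMPLE = """\
root     28505     1  0 Feb07 ?        00:00:00 /var/ossec/bin/ossec-execd
ossecr   28518     1  0 Feb07 ?        00:01:05 /var/ossec/bin/ossec-remoted
root     10399     1  0 15:04 ?        00:00:00 /var/ossec/bin/ossec-execd
ossec    10403     1  0 15:04 ?        00:00:00 /var/ossec/bin/ossec-analysisd
root     10425 10093  0 15:04 pts/0    00:00:00 grep ossec
"""
# Constructed server log lines in the format quoted in the thread (IPs are placeholders).
SERVER_LOG_SAMPLE = """\
2008/03/03 15:12:01 ossec-remoted(1403): Incorrectly formated message from '192.0.2.10'.
2008/03/03 15:12:05 ossec-remoted(1403): Incorrectly formated message from '192.0.2.10'.
2008/03/03 15:12:09 ossec-remoted(1403): Incorrectly formated message from '192.0.2.11'.
"""
DAEMONS = ("ossec-maild", "ossec-execd", "ossec-analysisd", "ossec-logcollector",
           "ossec-remoted", "ossec-syscheckd", "ossec-monitord")
# ps -ef columns: UID PID PPID C STIME TTY TIME CMD; only the pid, start time and daemon name are kept
PS_RE = re.compile(r"^\S+\s+(\d+)\s+\d+\s+\S+\s+(\S+)\s+\S+\s+\S+\s+/var/ossec/bin/(ossec-\w+)\s*$")
BAD_MSG_RE = re.compile(r"ossec-remoted\(1403\): Incorrectly formated message from '([^']+)'")

def parse_ps(text):
    """Map daemon name -> [(pid, start_time), ...] for every ossec daemon in a ps -ef listing."""
    procs = defaultdict(list)
    for line in text.splitlines():
        m = PS_RE.match(line)
        if m:
            pid, stime, name = m.groups()
            procs[name].append((int(pid), stime))
    return dict(procs)

def daemon_findings(procs, expected=DAEMONS):
    """Report daemons ossec-control should have started but that are absent, and duplicated ones."""
    # a second instance means an older start was never killed by 'ossec-control stop'
    missing = [d for d in expected if d not in procs]
    duplicated = {d: sorted(p for p, _ in v) for d, v in procs.items() if len(v) > 1}
    return {"missing": missing, "duplicated": duplicated}

def bad_message_sources(log_text):
    """Count 1403 events per source IP; hits from every agent point at the server-side keys, not one host."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = BAD_MSG_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return dict(counts)
```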
