Dear All,

A gentle reminder towards the same problem. Any idea regarding the same?

Regards
Gagan

---------- Forwarded message ----------
From: [EMAIL PROTECTED]
Date: May 12, 3:36 pm
Subject: Windows agent problem
To: ossec-list

Dear Mailing List,

I am facing a problem with the Windows agent on a Windows 2003 server having the ADS application. The agent is showing in the connected state, but the events are not arriving at the HIDS server. The agent's logs show the following status:

2008/05/09 14:39:02 ossec-agent(1410): INFO: Reading authentication keys file.
2008/05/09 14:39:02 ossec-agent: INFO: Assigning sender counter: 0:34
2008/05/09 14:39:04 ossec-agent: INFO: Connecting to server (x.x.x.x: 1514).
2008/05/09 14:39:04 ossec-agent: Starting syscheckd thread.
2008/05/09 14:39:04 ossec-rootcheck: INFO: Started (pid: 1764).
2008/05/09 14:39:04 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Policies'.
2008/05/09 14:39:04 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion'.
2008/05/09 14:39:04 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion'.
2008/05/09 14:39:04 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer'.
2008/05/09 14:39:04 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes'.
2008/05/09 14:39:04 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control'.
2008/05/09 14:39:04 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services'.
2008/05/09 14:39:04 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Security'.
2008/05/09 14:39:04 ossec-agent: INFO: Monitoring directory: 'C: \WINDOWS/system32'.
2008/05/09 14:39:04 ossec-agent: INFO: Started (pid: 1764).
2008/05/09 14:39:05 ossec-agent(4102): INFO: Connected to the server.
2008/05/09 14:39:05 ossec-agent(1951): INFO: Analyzing event log: 'Application'.
2008/05/09 14:39:05 ossec-agent(1951): INFO: Analyzing event log: 'Security'.
2008/05/09 14:39:06 ossec-agent(1951): INFO: Analyzing event log: 'System'.
2008/05/09 14:39:06 ossec-agent: INFO: Started (pid: 1764).
2008/05/09 14:39:07 ossec-agent(1123): ERROR: Unable to delete file: 'shared/ar.conf'.
2008/05/09 14:39:07 ossec-agent(1123): ERROR: Unable to delete file: 'shared/system_audit_rcl.txt'.
2008/05/09 16:15:05 ossec-agent: INFO: Event count after '20000': 8404570->5375848 (63%)
2008/05/09 19:07:52 ossec-agent: INFO: Event count after '20000': 9726045->5926536 (60%)

Restarting the agent solves the problem, but the problem recurs after some time. Can anyone suggest what is going on?

Thanks & Regards
Gagan Bhatia