Hi Gagan (and everyone else having issues with Windows 2003), I think I have fixed this issue in the following snapshots:
http://www.ossec.net/files/snapshots/ossec-hids-080520.tar.gz
http://www.ossec.net/files/snapshots/ossec-win32-080520.exe

You would need to update the server first, followed by the agent. Please give it a try and let us know how it goes...

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Mon, May 19, 2008 at 8:58 AM, <[EMAIL PROTECTED]> wrote:
>
> Dear All
>
> A gentle reminder towards the same problem. Any idea regarding the
> same.
>
> Regards
> Gagan
>
> ---------- Forwarded message ----------
> From: [EMAIL PROTECTED]
> Date: May 12, 3:36 pm
> Subject: Windows agent problem
> To: ossec-list
>
> Dear Mailing List
>
> I am facing the problem with the Windows agent on Windows 2003 server
> having ADS application.
>
> The agent is showing in the connected state but the events are not
> arriving at the HIDS server.
> The Logs of agents show the status like.
>
> 2008/05/09 14:39:02 ossec-agent(1410): INFO: Reading authentication keys file.
> 2008/05/09 14:39:02 ossec-agent: INFO: Assigning sender counter: 0:34
> 2008/05/09 14:39:04 ossec-agent: INFO: Connecting to server (x.x.x.x:1514).
> 2008/05/09 14:39:04 ossec-agent: Starting syscheckd thread.
> 2008/05/09 14:39:04 ossec-rootcheck: INFO: Started (pid: 1764).
> 2008/05/09 14:39:04 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Policies'.
> 2008/05/09 14:39:04 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion'.
> 2008/05/09 14:39:04 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion'.
> 2008/05/09 14:39:04 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer'.
> 2008/05/09 14:39:04 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes'.
> 2008/05/09 14:39:04 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control'.
> 2008/05/09 14:39:04 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services'.
> 2008/05/09 14:39:04 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Security'.
> 2008/05/09 14:39:04 ossec-agent: INFO: Monitoring directory: 'C:\WINDOWS/system32'.
> 2008/05/09 14:39:04 ossec-agent: INFO: Started (pid: 1764).
> 2008/05/09 14:39:05 ossec-agent(4102): INFO: Connected to the server.
> 2008/05/09 14:39:05 ossec-agent(1951): INFO: Analyzing event log: 'Application'.
> 2008/05/09 14:39:05 ossec-agent(1951): INFO: Analyzing event log: 'Security'.
> 2008/05/09 14:39:06 ossec-agent(1951): INFO: Analyzing event log: 'System'.
> 2008/05/09 14:39:06 ossec-agent: INFO: Started (pid: 1764).
> 2008/05/09 14:39:07 ossec-agent(1123): ERROR: Unable to delete file: 'shared/ar.conf'.
> 2008/05/09 14:39:07 ossec-agent(1123): ERROR: Unable to delete file: 'shared/system_audit_rcl.txt'.
> 2008/05/09 16:15:05 ossec-agent: INFO: Event count after '20000': 8404570->5375848 (63%)
> 2008/05/09 19:07:52 ossec-agent: INFO: Event count after '20000': 9726045->5926536 (60%)
>
> Restarting the agent solves the problem but the problem pertains after
> some time.
> Can anyone suggest what is going on?
>
> Thanks & Regards
> Gagan Bhatia
>