Greetings Daniel: We are using version 1.5.1; currently I'm waiting on 1.6.1 to come out before upgrading so that we have the fixes for the Windows active response system in it.
Yes, it is still happening frequently. Yes, we do receive events from the servers, which is what caused the confusion.

The following shows no inactive or disconnected servers:

    /var/ossec/bin/agent_control -l | egrep '(Disc|Never)'

The following shows everyone is active:

    /var/ossec/bin/agent_control -l

Just now at 8:27 AM EST, 9-26-2008:

    tail -f ossec.log
    2008/09/26 08:21:21 ossec-remoted(1218): ERROR: Unable to send message to 008.
    2008/09/26 08:23:41 ossec-remoted(1218): ERROR: Unable to send message to 024.
    2008/09/26 08:24:34 ossec-remoted(1218): ERROR: Unable to send message to 016.
    2008/09/26 08:26:06 ossec-remoted(1218): ERROR: Unable to send message to 008.
    2008/09/26 08:27:40 ossec-remoted(1218): ERROR: Unable to send message to 008.
    2008/09/26 08:27:40 ossec-remoted(1218): ERROR: Unable to send message to 016.
    2008/09/26 08:27:40 ossec-remoted(1218): ERROR: Unable to send message to 024.
    2008/09/26 08:27:41 ossec-remoted(1218): ERROR: Unable to send message to 008.
    2008/09/26 08:27:41 ossec-remoted(1218): ERROR: Unable to send message to 016.
    2008/09/26 08:27:41 ossec-remoted(1218): ERROR: Unable to send message to 024.

All of the above are just Windows servers compared to the other agents (the rest are RedHat/CentOS).

On agent 008, the ossec.log file only has the following entries in it:

    2007/08/09 08:55:40
    2007/10/30 10:35:25
    2007/11/27 20:02:44
    2008/05/06 08:36:14
    2008/06/20 08:10:20

Agent 008 is not running the Windows firewall (we are behind a firewall for a good number of the servers, with the 1514 UDP rule for all of the servers in the racks).

Please let me know if you need any other information.

Thank you.
