Hi, I thought I was making great progress w/ deploying the OSSEC Windows client & hooking it up to my OSSEC server. I even got the Splunk front end to talk to OSSEC today. I'm really getting some nice data...
BUT! I have one windows server that's giving me an error... I copied the log file data below. Any insights would be appreciated. I'm running the newest version of OSSEC on a Ubuntu 9.10 box. 10.1.100.141 is the OSSEC server's IP... Thank you! ... JLH 2010/04/12 15:54:09 ossec-execd(1350): INFO: Active response disabled. Exiting. 2010/04/12 15:54:09 ossec-agent(1410): INFO: Reading authentication keys file. 2010/04/12 15:54:09 ossec-agent: INFO: No previous counter available for 'lcua17'. 2010/04/12 15:54:09 ossec-agent: INFO: Assigning counter for agent lcua17: '0:0'. 2010/04/12 15:54:09 ossec-agent: INFO: Assigning sender counter: 0:970 2010/04/12 15:54:09 ossec-agent: INFO: Trying to connect to server (10.1.100.141:1514). 2010/04/12 15:54:09 ossec-agent: Starting syscheckd thread. 2010/04/12 15:54:09 ossec-rootcheck: INFO: Started (pid: 2640). 2010/04/12 15:54:09 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\batfile'. 2010/04/12 15:54:09 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\cmdfile'. 2010/04/12 15:54:09 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\comfile'. 2010/04/12 15:54:09 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\exefile'. 2010/04/12 15:54:09 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\piffile'. 2010/04/12 15:54:09 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects'. 2010/04/12 15:54:09 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\Directory'. 2010/04/12 15:54:09 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\Folder'. 2010/04/12 15:54:09 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\Protocols'. 2010/04/12 15:54:09 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Policies'. 2010/04/12 15:54:09 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Security'. 2010/04/12 15:54:09 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer'. 2010/04/12 15:54:09 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services'. 2010/04/12 15:54:09 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager \KnownDLLs'. 2010/04/12 15:54:09 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers \winreg'. 2010/04/12 15:54:09 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run'. 2010/04/12 15:54:09 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion \RunOnce'. 2010/04/12 15:54:09 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion \RunOnceEx'. 2010/04/12 15:54:09 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL'. 2010/04/12 15:54:09 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion \Policies'. 2010/04/12 15:54:09 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion \Windows'. 2010/04/12 15:54:09 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion \Winlogon'. 2010/04/12 15:54:09 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components'. 2010/04/12 15:54:09 ossec-agent: INFO: Monitoring directory: 'C: \WINDOWS/win.ini'. 2010/04/12 15:54:09 ossec-agent: INFO: Monitoring directory: 'C: \WINDOWS/system.ini'. 2010/04/12 15:54:09 ossec-agent: INFO: Monitoring directory: 'C: \autoexec.bat'. 2010/04/12 15:54:09 ossec-agent: INFO: Monitoring directory: 'C: \config.sys'. 2010/04/12 15:54:09 ossec-agent: INFO: Monitoring directory: 'C: \boot.ini'. 2010/04/12 15:54:09 ossec-agent: INFO: Monitoring directory: 'C: \WINDOWS/System32/CONFIG.NT'. 2010/04/12 15:54:09 ossec-agent: INFO: Monitoring directory: 'C: \WINDOWS/System32/AUTOEXEC.NT'. 2010/04/12 15:54:09 ossec-agent: INFO: Monitoring directory: 'C: \WINDOWS/System32/at.exe'. 2010/04/12 15:54:09 ossec-agent: INFO: Monitoring directory: 'C: \WINDOWS/System32/attrib.exe'. 2010/04/12 15:54:09 ossec-agent: INFO: Monitoring directory: 'C: \WINDOWS/System32/cacls.exe'. 2010/04/12 15:54:09 ossec-agent: INFO: Monitoring directory: 'C: \WINDOWS/System32/debug.exe'. 2010/04/12 15:54:09 ossec-agent: INFO: Monitoring directory: 'C: \WINDOWS/System32/drwatson.exe'. 2010/04/12 15:54:09 ossec-agent: INFO: Monitoring directory: 'C: \WINDOWS/System32/drwtsn32.exe'. 2010/04/12 15:54:09 ossec-agent: INFO: Monitoring directory: 'C: \WINDOWS/System32/edlin.exe'. 2010/04/12 15:54:09 ossec-agent: INFO: Monitoring directory: 'C: \WINDOWS/System32/eventcreate.exe'. 2010/04/12 15:54:09 ossec-agent: INFO: Monitoring directory: 'C: \WINDOWS/System32/eventtriggers.exe'. 2010/04/12 15:54:09 ossec-agent: INFO: Monitoring directory: 'C: \WINDOWS/System32/ftp.exe'. 2010/04/12 15:54:09 ossec-agent: INFO: Monitoring directory: 'C: \WINDOWS/System32/net.exe'. 2010/04/12 15:54:09 ossec-agent: INFO: Monitoring directory: 'C: \WINDOWS/System32/net1.exe'. 2010/04/12 15:54:09 ossec-agent: INFO: Monitoring directory: 'C: \WINDOWS/System32/netsh.exe'. 2010/04/12 15:54:09 ossec-agent: INFO: Monitoring directory: 'C: \WINDOWS/System32/rcp.exe'. 2010/04/12 15:54:09 ossec-agent: INFO: Monitoring directory: 'C: \WINDOWS/System32/reg.exe'. 2010/04/12 15:54:09 ossec-agent: INFO: Monitoring directory: 'C: \WINDOWS/regedit.exe'. 2010/04/12 15:54:09 ossec-agent: INFO: Monitoring directory: 'C: \WINDOWS/System32/regedt32.exe'. 2010/04/12 15:54:09 ossec-agent: INFO: Monitoring directory: 'C: \WINDOWS/System32/regsvr32.exe'. 2010/04/12 15:54:09 ossec-agent: INFO: Monitoring directory: 'C: \WINDOWS/System32/rexec.exe'. 2010/04/12 15:54:09 ossec-agent: INFO: Monitoring directory: 'C: \WINDOWS/System32/rsh.exe'. 2010/04/12 15:54:09 ossec-agent: INFO: Monitoring directory: 'C: \WINDOWS/System32/runas.exe'. 2010/04/12 15:54:09 ossec-agent: INFO: Monitoring directory: 'C: \WINDOWS/System32/sc.exe'. 2010/04/12 15:54:09 ossec-agent: INFO: Monitoring directory: 'C: \WINDOWS/System32/subst.exe'. 2010/04/12 15:54:09 ossec-agent: INFO: Monitoring directory: 'C: \WINDOWS/System32/telnet.exe'. 2010/04/12 15:54:09 ossec-agent: INFO: Monitoring directory: 'C: \WINDOWS/System32/tftp.exe'. 2010/04/12 15:54:09 ossec-agent: INFO: Monitoring directory: 'C: \WINDOWS/System32/tlntsvr.exe'. 2010/04/12 15:54:09 ossec-agent: INFO: Monitoring directory: 'C: \WINDOWS/System32/drivers/etc'. 2010/04/12 15:54:09 ossec-agent: INFO: Monitoring directory: 'C: \Documents and Settings/All Users/Start Menu/Programs/Startup'. 2010/04/12 15:54:09 ossec-agent: INFO: Started (pid: 2640). 2010/04/12 15:54:19 ossec-agent: WARN: Process locked. Waiting for permission... 2010/04/12 15:54:30 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '10.1.100.141'. 2010/04/12 15:54:32 ossec-agent: INFO: Trying to connect to server (10.1.100.141:1514). 2010/04/12 15:54:53 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '10.1.100.141'. 2010/04/12 15:55:13 ossec-agent: INFO: Trying to connect to server (10.1.100.141:1514). 2010/04/12 15:55:34 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '10.1.100.141'. 2010/04/12 15:56:12 ossec-agent: INFO: Trying to connect to server (10.1.100.141:1514). 2010/04/12 15:56:33 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '10.1.100.141'. 2010/04/12 15:57:29 ossec-agent: INFO: Trying to connect to server (10.1.100.141:1514). 2010/04/12 15:57:50 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '10.1.100.141'. 2010/04/12 15:59:04 ossec-agent: INFO: Trying to connect to server (10.1.100.141:1514). 2010/04/12 15:59:25 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '10.1.100.141'. 2010/04/12 16:00:57 ossec-agent: INFO: Trying to connect to server (10.1.100.141:1514). 2010/04/12 16:01:18 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '10.1.100.141'. 2010/04/12 16:03:08 ossec-agent: INFO: Trying to connect to server (10.1.100.141:1514). 2010/04/12 16:03:29 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '10.1.100.141'. 2010/04/12 16:05:37 ossec-agent: INFO: Trying to connect to server (10.1.100.141:1514). -- To unsubscribe, reply using "remove me" as the subject.
