Hi Michael,

If you are not getting anything on the manager's ossec.log, it means that the traffic is not getting through (otherwise it would complain about it).

- Can you check if there is any firewall in the middle (or on the end points)?
- If you run tcpdump on the manager, do you see the traffic coming in?
- Do you have other agents in there? Are they working?

*Alessandro: thanks for the report. I will fix it :)

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Tue, Apr 27, 2010 at 5:54 PM, Michael Barrett <[email protected]> wrote:
> OK thanks for that tip
>
> I modified the short cut to C:\Program Files (x86) and now the manager works
>
> Agent still cannot connect to the server though.
>
> 2010/04/27 15:48:25 ossec-agent: INFO: Started (pid: 852).
> 2010/04/27 15:48:35 ossec-agent: WARN: Process locked. Waiting for permission...
> 2010/04/27 15:48:46 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '144.122.190.48'.
> 2010/04/27 15:48:48 ossec-agent: INFO: Trying to connect to server (144.122.190.48:1514).
> 2010/04/27 15:49:09 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '144.122.190.48'.
> 2010/04/27 15:49:29 ossec-agent: INFO: Trying to connect to server (144.122.190.48:1514).
> 2010/04/27 15:49:50 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '144.122.190.48'.
> 2010/04/27 15:50:28 ossec-agent: INFO: Trying to connect to server (144.122.190.48:1514).
> 2010/04/27 15:50:49 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '144.122.190.48'.
> 2010/04/27 15:51:45 ossec-agent: INFO: Trying to connect to server (144.122.190.48:1514).
> 2010/04/27 15:52:06 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '144.122.190.48'.
> 2010/04/27 15:53:20 ossec-agent: INFO: Trying to connect to server (144.122.190.48:1514).
> 2010/04/27 15:53:41 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '144.122.190.48'.
>
> ____________________________________________
> Michael Barrett | Information Security Analyst - Lead | Mortgage Guaranty Insurance Corporation
> 270 E. Kilbourn Ave. | Milwaukee, WI 53202 USA | 1.414.347.6271 | 1.888.601.4440 | [email protected]
>
> “Accomplishing the impossible means only that your boss will add it to your regular duties” Doug Larson
>
> This message is intended for use only by the person(s) addressed above and may contain privileged and confidential information. Disclosure or use of this message by any other person is strictly prohibited. If this message is received in error, please notify the sender immediately and delete this message.
>
> From: Alessandro Di Giuseppe <[email protected]>
> To: [email protected]
> Date: 04/27/2010 01:37 PM
> Subject: Re: [ossec-list] Having problem with install on 64bit system
> Sent by: [email protected]
>
> I've found that the UI management app won't work if installed anywhere but the default path of "C:\Program Files\ossec-agent\".
>
> When I configured the OSSEC agent during installation to "D:\Program Files\ossec-agent\" and had this issue as well; I bet your issue is similar because 32 bit apps on 64 bit Windows systems are installed in "C:\Program Files (x86)\".
>
> It seems that the OSSEC Windows agent installer is hard-coded with "C:\Program Files\ossec-agent" for the shortcut to the programs regardless of the actual installation path.
>
> Bug fix request for Mr. Cid?
> ;-)
>
> Regards,
>
> Alessandro
>
> From: Michael Barrett <[email protected]>
> To: [email protected]
> Sent: Tue, April 27, 2010 1:37:44 PM
> Subject: Re: [ossec-list] Having problem with install on 64bit system
>
> Also the manage agent UI doesn't work, I don't know if that helps or hurts.
>
> From: Daniel Cid <[email protected]>
> To: [email protected]
> Date: 04/26/2010 09:49 AM
> Subject: Re: [ossec-list] Having problem with install on 64bit system
> Sent by: [email protected]
>
> Hi Michael,
>
> Do you get any errors on the manager's ossec.log file? Check there as well..
>
> thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On Thu, Apr 22, 2010 at 11:05 AM, Michael Barrett <[email protected]> wrote:
>> I am having an issue with one of my systems. This is OSSEC Windows version 2.2 on Windows Server 2003 64bit
>>
>> I have tried the install via the setup program as well as copying the files from another server and updating the client.keys file and manually creating the service.
>>
>> I also tried to remove the agent from the server and recreate the key.
>>
>> No matter what I do the agent cannot connect to the server.
>>
>> Is there something I am missing?
>>
>> 2010/04/22 08:54:02 ossec-agent(1905): INFO: No file configured to monitor.
>> 2010/04/22 08:54:02 ossec-execd(1350): INFO: Active response disabled. Exiting.
>> 2010/04/22 08:54:02 ossec-agent(1410): INFO: Reading authentication keys file.
>> 2010/04/22 08:54:02 ossec-agent: INFO: Trying to connect to server (144.122.190.48:1514).
>> 2010/04/22 08:54:02 ossec-agent: Starting syscheckd thread.
>> 2010/04/22 08:54:02 ossec-rootcheck: INFO: Started (pid: 308).
>> 2010/04/22 08:54:02 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Policies'.
>> 2010/04/22 08:54:02 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion'.
>> 2010/04/22 08:54:02 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion'.
>> 2010/04/22 08:54:02 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer'.
>> 2010/04/22 08:54:02 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes'.
>> 2010/04/22 08:54:02 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control'.
>> 2010/04/22 08:54:02 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services'.
>> 2010/04/22 08:54:02 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Security'.
>> 2010/04/22 08:54:02 ossec-agent: INFO: Monitoring directory: 'C:\WINDOWS/system32'.
>> 2010/04/22 08:54:02 ossec-agent: INFO: Started (pid: 308).
>> 2010/04/22 08:54:13 ossec-agent: WARN: Process locked. Waiting for permission...
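An added example, not part of the thread or of OSSEC itself: a small triage of the agent-side log that counts connection attempts against the "Waiting for server reply" warnings, the pattern that points at the network path when the manager's own log stays silent. The log lines are copied from the thread; the function name `triage` and the wording of the success message are assumptions.

```python
import re
from datetime import datetime

# Agent-side ossec.log excerpt copied from the thread above.
SAMPLE_LOG = """\
2010/04/27 15:48:25 ossec-agent: INFO: Started (pid: 852).
2010/04/27 15:48:35 ossec-agent: WARN: Process locked. Waiting for permission...
2010/04/27 15:48:46 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '144.122.190.48'.
2010/04/27 15:48:48 ossec-agent: INFO: Trying to connect to server (144.122.190.48:1514).
2010/04/27 15:49:09 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '144.122.190.48'.
2010/04/27 15:49:29 ossec-agent: INFO: Trying to connect to server (144.122.190.48:1514).
2010/04/27 15:49:50 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '144.122.190.48'.
"""

STAMP = "%Y/%m/%d %H:%M:%S"
CONNECT = re.compile(r"Trying to connect to server \(([\d.]+):(\d+)\)")
NO_REPLY = re.compile(r"\(4101\): WARN: Waiting for server reply")
# Assumption: wording of the success message; it never appears in the thread.
CONNECTED = re.compile(r"Connected to the server")


def triage(log_text):
    """Summarise an agent log: which manager was tried, how often, any reply."""
    targets, stamps, no_reply, connected = set(), [], 0, False
    for line in log_text.splitlines():
        m = CONNECT.search(line)
        if m:
            targets.add((m.group(1), int(m.group(2))))
            stamps.append(datetime.strptime(line[:19], STAMP))
        elif NO_REPLY.search(line):
            no_reply += 1
        elif CONNECTED.search(line):
            connected = True
    span = (stamps[-1] - stamps[0]).total_seconds() if stamps else 0
    blocked = bool(targets) and no_reply > 0 and not connected
    return {
        "targets": sorted(targets),
        "attempts": len(stamps),
        "no_reply_warnings": no_reply,
        "retry_window_s": span,
        "connected": connected,
        # Unanswered agent plus a silent manager log: check the network path.
        "next_checks": [
            "firewall between agent and manager, or on either host",
            "packet capture on the manager for the agent's traffic",
            "whether other agents reach the same manager",
        ] if blocked else [],
    }
```

Calling `triage(SAMPLE_LOG)` returns the manager address and port the agent tried, the attempt and warning counts, and the three checks suggested in the reply at the top of the thread.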
