Hi Daniel,

*Thank you* for this excellent tool, OSSEC is really fantastic and you are to be commended for it.

I hope to make some sort of contribution, how can an average OSSEC user like me best contribute back to the project? What is most needed at this stage? (Documentation?)

Thanks,
Alessandro

On 2010-04-28, at 15:12, Daniel Cid <[email protected]> wrote:

Hi Michael,

If you are not getting anything on the manager's ossec.log, it means that the traffic is not getting through (otherwise it would complain about it).

-Can you check if there is any firewall in the middle (or on the end points)?
-If you run tcpdump on the manager, do you see the traffic coming in?
-Do you have other agents in there? Are they working?

*Alessandro: thanks for the report. I will fix it :)

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Tue, Apr 27, 2010 at 5:54 PM, Michael Barrett <[email protected]> wrote:

OK, thanks for that tip. I modified the shortcut to C:\Program Files (x86) and now the manager works.

Agent still cannot connect to the server though.

2010/04/27 15:48:25 ossec-agent: INFO: Started (pid: 852).
2010/04/27 15:48:35 ossec-agent: WARN: Process locked. Waiting for permission...
2010/04/27 15:48:46 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '144.122.190.48'.
2010/04/27 15:48:48 ossec-agent: INFO: Trying to connect to server (144.122.190.48:1514).
2010/04/27 15:49:09 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '144.122.190.48'.
2010/04/27 15:49:29 ossec-agent: INFO: Trying to connect to server (144.122.190.48:1514).
2010/04/27 15:49:50 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '144.122.190.48'.
2010/04/27 15:50:28 ossec-agent: INFO: Trying to connect to server (144.122.190.48:1514).
2010/04/27 15:50:49 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '144.122.190.48'.
2010/04/27 15:51:45 ossec-agent: INFO: Trying to connect to server (144.122.190.48:1514).
2010/04/27 15:52:06 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '144.122.190.48'.
2010/04/27 15:53:20 ossec-agent: INFO: Trying to connect to server (144.122.190.48:1514).
2010/04/27 15:53:41 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '144.122.190.48'.

____________________________________________
Michael Barrett | Information Security Analyst - Lead | Mortgage Guaranty Insurance Corporation
270 E. Kilbourn Ave. | Milwaukee, WI 53202 USA | ( 1.414.347.6271 | 7 1.888.601.4440 | * [email protected]

“Accomplishing the impossible means only that your boss will add it to your regular duties”
Doug Larson

This message is intended for use only by the person(s) addressed above and may contain privileged and confidential information. Disclosure or use of this message by any other person is strictly prohibited. If this message is received in error, please notify the sender immediately and delete this message.

From: Alessandro Di Giuseppe <[email protected]>
To: [email protected]
Date: 04/27/2010 01:37 PM
Subject: Re: [ossec-list] Having problem with install on 64bit system
Sent by: [email protected]

I've found that the UI management app won't work if installed anywhere but the default path of "C:\Program Files\ossec-agent\". I configured the OSSEC agent during installation to "D:\Program Files\ossec-agent\" and had this issue as well; I bet your issue is similar because 32 bit apps on 64 bit Windows systems are installed in "C:\Program Files (x86)\".

It seems that the OSSEC Windows agent installer is hard-coded with "C:\Program Files\ossec-agent" for the shortcut to the programs regardless of the actual installation path.

Bug fix request for Mr. Cid? ;-)

Regards,
Alessandro

From: Michael Barrett <[email protected]>
To: [email protected]
Sent: Tue, April 27, 2010 1:37:44 PM
Subject: Re: [ossec-list] Having problem with install on 64bit system

Also the manage agent UI doesn't work, I don't know if that helps or hurts.

From: Daniel Cid <[email protected]>
To: [email protected]
Date: 04/26/2010 09:49 AM
Subject: Re: [ossec-list] Having problem with install on 64bit system
Sent by: [email protected]

Hi Michael,

Do you get any errors on the manager's ossec.log file? Check there as well..

thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Thu, Apr 22, 2010 at 11:05 AM, Michael Barrett <[email protected]> wrote:

I am having an issue with one of my systems.

This is OSSEC Windows version 2.2 on Windows Server 2003 64bit.

I have tried the install via the setup program as well as copying the files from another server and updating the client.keys file and manually creating the service. I also tried to remove the agent from the server and recreate the key. No matter what I do the agent cannot connect to the server.

Is there something I am missing?

2010/04/22 08:54:02 ossec-agent(1905): INFO: No file configured to monitor.
2010/04/22 08:54:02 ossec-execd(1350): INFO: Active response disabled. Exiting.
2010/04/22 08:54:02 ossec-agent(1410): INFO: Reading authentication keys file.
2010/04/22 08:54:02 ossec-agent: INFO: Trying to connect to server (144.122.190.48:1514).
2010/04/22 08:54:02 ossec-agent: Starting syscheckd thread.
2010/04/22 08:54:02 ossec-rootcheck: INFO: Started (pid: 308).
2010/04/22 08:54:02 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Policies'.
2010/04/22 08:54:02 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion'.
2010/04/22 08:54:02 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion'.
2010/04/22 08:54:02 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer'.
2010/04/22 08:54:02 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes'.
2010/04/22 08:54:02 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control'.
2010/04/22 08:54:02 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services'.
2010/04/22 08:54:02 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Security'.
2010/04/22 08:54:02 ossec-agent: INFO: Monitoring directory: 'C:\WINDOWS/system32'.
2010/04/22 08:54:02 ossec-agent: INFO: Started (pid: 308).
2010/04/22 08:54:13 ossec-agent: WARN: Process locked. Waiting for permission...
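
The agent-side symptom that Daniel's checks in this thread start from (repeated connection attempts, each followed by a 4101 "Waiting for server reply" warning) can be summarized from the agent's ossec.log with a short script. This is an added example, not part of the original thread or of OSSEC itself; the function name `summarize_agent_log` is hypothetical, and treating message id 4102 as the "connected" marker is an assumption, since no successful connection appears in the thread.

```python
import re
from datetime import datetime

# Agent log lines copied from Michael's 2010/04/27 message in this thread.
SAMPLE_LOG = """\
2010/04/27 15:48:35 ossec-agent: WARN: Process locked. Waiting for permission...
2010/04/27 15:48:46 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '144.122.190.48'.
2010/04/27 15:48:48 ossec-agent: INFO: Trying to connect to server (144.122.190.48:1514).
2010/04/27 15:49:09 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '144.122.190.48'.
2010/04/27 15:49:29 ossec-agent: INFO: Trying to connect to server (144.122.190.48:1514).
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<prog>[\w-]+)(?:\((?P<code>\d+)\))?: (?P<msg>.*)$")
TRY_RE = re.compile(r"Trying to connect to server \(([^:()]+):(\d+)\)")


def summarize_agent_log(text):
    """Count connection attempts and unanswered waits in an agent ossec.log."""
    s = {"attempts": 0, "no_reply": 0, "connected": False,
         "servers": set(), "stalled_seconds": 0}
    first = last = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # wrapped or foreign line
        # Assumption: 4102 marks a successful connection (not seen in the thread).
        if m["code"] == "4102":
            s["connected"] = True
        tried = TRY_RE.search(m["msg"])
        if tried:
            s["attempts"] += 1
            s["servers"].add((tried.group(1), int(tried.group(2))))
        elif m["code"] == "4101":
            s["no_reply"] += 1
        else:
            continue  # not connection-related
        ts = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S")
        first = first or ts
        last = ts
    if first:
        s["stalled_seconds"] = int((last - first).total_seconds())
    # "no-reply" is the case where the manager's ossec.log, firewalls and
    # a packet capture on the manager are the next things to check.
    s["verdict"] = ("connected" if s["connected"] else
                    "no-reply" if s["attempts"] and s["no_reply"] else "inconclusive")
    return s
```
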
