On Tue, Aug 3, 2010 at 7:14 PM, Mike Smith <[email protected]> wrote:
> Hello,
>
> How does this log file look, I'm getting the No Agent Available.
>
> I do not have any firewall configured on the windows side.
>
> 2010/08/03 16:29:55 ossec-agent(1410): Reading authentication keys file.
> 2010/08/03 16:29:55 ossec-agent: Connecting to server (192.168.88.129:1514).
> 2010/08/03 16:29:55 ossec-agent: Starting syscheckd thread.
> 2010/08/03 16:29:55 ossec-rootcheck: Started (pid: 1852).
> 2010/08/03 16:29:55 ossec-agent: Monitoring registry entry:
> 'HKEY_LOCAL_MACHINE\Software\Policies'.
> 2010/08/03 16:29:55 ossec-agent: Monitoring registry entry:
> 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion'.
> 2010/08/03 16:29:55 ossec-agent: Monitoring registry entry:
> 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion'.
> 2010/08/03 16:29:55 ossec-agent: Monitoring registry entry:
> 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer'.
> 2010/08/03 16:29:55 ossec-agent: Monitoring registry entry:
> 'HKEY_LOCAL_MACHINE\Software\Classes'.
> 2010/08/03 16:29:55 ossec-agent: Monitoring registry entry:
> 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control'.
> 2010/08/03 16:29:55 ossec-agent: Monitoring registry entry:
> 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services'.
> 2010/08/03 16:29:55 ossec-agent: Monitoring registry entry:
> 'HKEY_LOCAL_MACHINE\Security'.
> 2010/08/03 16:29:55 ossec-agent: Monitoring directory: 'C:\WINDOWS/system32'.
> 2010/08/03 16:29:55 ossec-agent: Started (pid: 1852).
> 2010/08/03 16:30:10 ossec-agent(4101): Waiting for server reply (not started).
> 2010/08/03 16:30:26 ossec-agent(4101): Waiting for server reply (not started).
> 2010/08/03 16:30:57 ossec-agent(4101): Waiting for server reply (not started).
> 2010/08/03 16:31:43 ossec-agent(4101): Waiting for server reply (not started).
> 2010/08/03 16:32:44 ossec-agent(4101): Waiting for server reply (not started).
> 2010/08/03 16:34:00 ossec-agent(4101): Waiting for server reply (not started).
> 2010/08/03 16:34:04 ossec-agent: Server unavailable. Setting lock.
> 2010/08/03 16:35:31 ossec-agent(4101): Waiting for server reply (not started).
> 2010/08/03 16:37:17 ossec-agent(4101): Waiting for server reply (not started).
> 2010/08/03 16:39:18 ossec-agent(4101): Waiting for server reply (not started).
> 2010/08/03 16:41:34 ossec-agent(4101): Waiting for server reply (not started).
> 2010/08/03 16:44:05 ossec-agent(4101): Waiting for server reply (not started).
> 2010/08/03 16:46:51 ossec-agent(4101): Waiting for server reply (not started).
> 2010/08/03 16:50:47 ossec-agent(1410): Reading authentication keys file.
> 2010/08/03 16:50:47 ossec-agent: No previous counter available for 'Tester01'.
> 2010/08/03 16:50:47 ossec-agent: Assigning counter for agent Tester01: '0:0'.
> 2010/08/03 16:50:47 ossec-agent: Assigning sender counter: 0:69

Make sure the IP of the agent is unique. Each IP can only be used once in manage_agents. Does the agent have multiple IPs? Does the agent have a static IP? Are there any interesting logs on the server side at about the same time as the disconnects? Have you tried deleting the agent using manage_agents, and re-adding it?
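
The uniqueness check suggested in the reply above can be run against the server's key list. This is an added example, not part of the original thread or OSSEC's own code; it assumes each entry has the layout `ID NAME IP KEY` and that the IP field may be a single address, a CIDR range, or `any`. The sample entries and key placeholders are constructed.

```python
import ipaddress

# Constructed sample in the assumed "ID NAME IP KEY" layout (keys are placeholders).
SAMPLE_KEYS = """\
001 Tester01 192.168.88.130 KEY_PLACEHOLDER_1
002 Tester02 192.168.88.131 KEY_PLACEHOLDER_2
003 Laptop07 192.168.88.130 KEY_PLACEHOLDER_3
004 Lab-net 192.168.88.128/29 KEY_PLACEHOLDER_4
005 Roaming any KEY_PLACEHOLDER_5
"""


def parse_keys(text):
    """Return (agent_id, name, network) per entry; network is None for 'any'."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0].startswith("#"):
            continue  # skip blank, short, or comment-like lines
        agent_id, name, ip = parts[0], parts[1], parts[2]
        # strict=False accepts a host address written with a prefix length.
        net = None if ip.lower() == "any" else ipaddress.ip_network(ip, strict=False)
        entries.append((agent_id, name, net))
    return entries


def find_conflicts(entries):
    """Pairs of agents whose configured addresses are identical or overlap."""
    fixed = [e for e in entries if e[2] is not None]  # 'any' entries cannot be compared
    conflicts = []
    for i, a in enumerate(fixed):
        for b in fixed[i + 1:]:
            same_family = a[2].version == b[2].version
            if same_family and a[2].overlaps(b[2]):
                kind = "duplicate" if a[2] == b[2] else "overlap"
                conflicts.append((a[0], b[0], kind))
    return conflicts


if __name__ == "__main__":
    for first, second, kind in find_conflicts(parse_keys(SAMPLE_KEYS)):
        print(f"agents {first} and {second}: {kind} address")
```
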
