Any ideas why the Agent Manager would be showing the process as stopped although it is running? And why it would be telling me there is a config file issue (even though the process is running)?

Tyler Ross

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp)
Sent: Tuesday, December 21, 2010 2:22 PM
To: [email protected]
Subject: Re: [ossec-list] OSSEC client on Server 2003 (Unable to start OSSEC (check config)).

On Tue, Dec 21, 2010 at 2:14 PM, <[email protected]> wrote:
> The log is showing everything to be working correctly now, but it
> seems as if it had trouble connecting to the server initially. The server is
> a Windows 2008 server. I'm running OSSEC on quite a few other Windows hosts.
> This is the only time I've experienced any trouble.
>
> 2010/12/20 18:53:03 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: 'xxx.xxx.xxx.xxx'.
> 2010/12/20 19:00:53 ossec-agent: INFO: Trying to connect to server (xxx.xxx.xxx.xxx:1514).

You should check the manager's ossec.log for log messages around these times. It might give you a clue as to what was going wrong.

> 2010/12/20 19:01:14 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: 'xxx.xxx.xxx.xxx'.
> 2010/12/20 19:09:22 ossec-agent: INFO: Trying to connect to server (xxx.xxx.xxx.xxx:1514).
> 2010/12/20 19:09:43 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: 'xxx.xxx.xxx.xxx'.
> 2010/12/20 19:18:09 ossec-agent: INFO: Trying to connect to server (xxx.xxx.xxx.xxx:1514).
> 2010/12/20 19:18:30 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: 'xxx.xxx.xxx.xxx'.
> 2010/12/20 19:27:14 ossec-agent: INFO: Trying to connect to server (xxx.xxx.xxx.xxx:1514).
> 2010/12/20 19:27:35 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: 'xxx.xxx.xxx.xxx'.
> 2010/12/20 19:36:37 ossec-agent: INFO: Trying to connect to server (xxx.xxx.xxx.xxx:1514).
> 2010/12/20 19:36:58 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: 'xxx.xxx.xxx.xxx'.
> 2010/12/20 19:46:18 ossec-agent: INFO: Trying to connect to server (xxx.xxx.xxx.xxx:1514).
> 2010/12/20 19:46:39 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: 'xxx.xxx.xxx.xxx'.
> 2010/12/20 19:56:17 ossec-agent: INFO: Trying to connect to server (xxx.xxx.xxx.xxx:1514).
> 2010/12/20 19:56:38 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: 'xxx.xxx.xxx.xxx'.
> 2010/12/20 20:06:34 ossec-agent: INFO: Trying to connect to server (xxx.xxx.xxx.xxx:1514).
> 2010/12/20 20:06:55 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: 'xxx.xxx.xxx.xxx'.
> 2010/12/20 20:17:09 ossec-agent: INFO: Trying to connect to server (xxx.xxx.xxx.xxx:1514).
> 2010/12/20 20:17:30 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: 'xxx.xxx.xxx.xxx'.
> 2010/12/20 20:28:02 ossec-agent: INFO: Trying to connect to server (xxx.xxx.xxx.xxx:1514).
> 2010/12/20 20:28:23 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: 'xxx.xxx.xxx.xxx'.
> 2010/12/20 20:39:13 ossec-agent: INFO: Trying to connect to server (xxx.xxx.xxx.xxx:1514).
> 2010/12/20 20:39:23 ossec-agent(4102): INFO: Connected to the server (xxx.xxx.xxx.xxx:1514).
> 2010/12/20 20:39:23 ossec-agent(1951): INFO: Analyzing event log: 'Application'.
> 2010/12/20 20:39:23 ossec-agent(1951): INFO: Analyzing event log: 'Security'.
> 2010/12/20 20:39:23 ossec-agent(1951): INFO: Analyzing event log: 'System'.
> 2010/12/20 20:39:23 ossec-agent: INFO: Started (pid: 2644).
> 2010/12/20 20:39:24 ossec-agent: INFO: Lock free. Continuing...
> 2010/12/20 20:40:14 ossec-agent: INFO: Starting syscheck scan (forwarding database).
> 2010/12/20 20:40:14 ossec-agent: INFO: Starting syscheck database (pre-scan).
> 2010/12/20 20:40:14 ossec-agent: WARN: Error opening directory: 'C:\boot.ini': No such file or directory
> 2010/12/20 20:40:14 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/CONFIG.NT': No such file or directory
> 2010/12/20 20:40:14 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/AUTOEXEC.NT': No such file or directory
> 2010/12/20 20:40:15 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/debug.exe': No such file or directory
> 2010/12/20 20:40:15 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/drwatson.exe': No such file or directory
> 2010/12/20 20:40:15 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/drwtsn32.exe': No such file or directory
> 2010/12/20 20:40:15 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/edlin.exe': No such file or directory
> 2010/12/20 20:40:15 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/eventtriggers.exe': No such file or directory
> 2010/12/20 20:40:15 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/rcp.exe': No such file or directory
> 2010/12/20 20:40:15 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/rexec.exe': No such file or directory
> 2010/12/20 20:40:15 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/rsh.exe': No such file or directory
> 2010/12/20 20:40:17 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/telnet.exe': No such file or directory
> 2010/12/20 20:40:17 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/tftp.exe': No such file or directory
> 2010/12/20 20:40:17 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/tlntsvr.exe': No such file or directory
> 2010/12/20 20:40:17 ossec-agent: INFO: Finished creating syscheck database (pre-scan completed).
> 2010/12/20 20:40:27 ossec-agent: INFO: Ending syscheck scan (forwarding database).
> 2010/12/20 20:40:47 ossec-agent: INFO: Starting rootcheck scan.
> 2010/12/20 20:40:52 ossec-agent: INFO: Ending rootcheck scan.
>
> Tyler Ross
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp)
> Sent: Tuesday, December 21, 2010 1:56 PM
> To: [email protected]
> Subject: Re: [ossec-list] OSSEC client on Server 2003 (Unable to start OSSEC (check config)).
>
> On Tue, Dec 21, 2010 at 1:42 PM, <[email protected]> wrote:
>> I'm running into issues installing the OSSEC 2.5.1 client on a Windows 2008
>> R2 server. After repeated un-installation and reinstallation I am unable to
>> start the OSSEC client from the OSSEC Agent Manager, receiving an "Unable to
>> start OSSEC (check config)." error code.
>>
>> My initial installation worked correctly, and I changed the OSSEC config
>> file to monitor log files in a specific directory. I mistyped the entry
>> which, in turn, caused the error mentioned above. After correcting the
>> config file I still received this error message when starting the agent
>> process. So, I decided to uninstall and re-install. I then uninstalled,
>> deleted the parent directory, and re-installed a number of times. I've
>> deleted and re-created the agent in the server a number of times, and I am
>> still receiving the error message every time I attempt to start the process
>> from the OSSEC Agent Manager.
>>
>> Now here's where things get odd. I found the OSSEC Hids process to be
>> running on the server. However, the Agent Manager lists it as "Stopped".
>> The server shows the agent as "active" as well.
>>
>> Any help with this issue is very much appreciated. Thank you!
>>
>> Tyler Ross
>
> 2003 or 2008?
> Are there any useful entries in the ossec.log on the agent?
> Are the ossec processes seen in the services configuration for the
> system (I don't do much with the Windows agent, so I don't have any
> clue if they should)?
