It sounds like an issue in syscheck somewhere. If you turn syscheck off temporarily, does the problem go away? Also, you might look for exceedingly long <directories> entries, or entries for directories that don't actually exist.
Syscheck on Windows can also have issues if you don't have at least one valid registry key defined for monitoring.

On Fri, Jan 7, 2011 at 8:51 AM, Youngquist, Jason R. <[email protected]> wrote:

> Last weekend I installed OSSEC on a number of servers. On one Windows server OSSEC will run for a while, and then it will stop. I went into the server and re-started OSSEC, and it ran for a while and then stopped again.
>
> Here's a snippet from the OSSEC log file from the machine.
>
> 2011/01/04 13:31:21 ossec-agent(1950): INFO: Analyzing file: 'C:\WINNT\System32\LogFiles\W3SVC31\ex110104.log'.
> 2011/01/04 13:31:21 ossec-agent: INFO: Started (pid: 3500).
> 2011/01/04 13:32:41 ossec-agent: INFO: Starting rootcheck scan.
> 2011/01/04 13:32:47 ossec-agent: INFO: Ending rootcheck scan.
> 2011/01/05 00:02:11 ossec-agent(1952): INFO: Monitoring variable log file: 'C:\WINNT\System32\LogFiles\W3SVC20\ex110105.log'.
> 2011/01/05 00:02:11 ossec-agent(1103): ERROR: Unable to open file 'C:\WINNT\System32\LogFiles\W3SVC20\ex110105.log'.
> 2011/01/05 00:02:11 ossec-agent(1952): INFO: Monitoring variable log file: 'C:\WINNT\System32\LogFiles\W3SVC30\ex110105.log'.
> 2011/01/05 00:02:11 ossec-agent(1103): ERROR: Unable to open file 'C:\WINNT\System32\LogFiles\W3SVC30\ex110105.log'.
> 2011/01/05 00:02:11 ossec-agent(1952): INFO: Monitoring variable log file: 'C:\WINNT\System32\LogFiles\W3SVC31\ex110105.log'.
> 2011/01/05 00:02:11 ossec-agent(1103): ERROR: Unable to open file 'C:\WINNT\System32\LogFiles\W3SVC31\ex110105.log'.
> 2011/01/05 09:32:51 ossec-agent: INFO: Starting rootcheck scan.
> 2011/01/05 09:32:57 ossec-agent: INFO: Ending rootcheck scan.
> 2011/01/05 09:32:57 ossec-agent(1105): ERROR: Attempted to use null string.
>
> This machine is a webserver and the log files referenced above are weblogs which can get pretty big.
>
> It looks like on "2011 Jan 05 10:04:57" I received an alert from OSSEC that the OSSEC agent installed on the server was disconnected.
>
> I did some googling for '"Attempted to use null string" ossec' and didn't have much luck. Thoughts on what the issue might be?
>
> Thanks.
> Jason Youngquist
> Information Technology Security Engineer
> Technology Services
> Columbia College
> 1001 Rogers Street, Columbia, MO 65216
> (573) 875-7334
> [email protected]
> http://www.ccis.edu
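One way to run the three checks suggested in the reply (overlong `<directories>` entries, entries for directories that don't exist, and no `<windows_registry>` entry) against an agent's ossec.conf, as an added example that is not part of the thread. The sample config is constructed, and the 200-character threshold is an assumption, since the reply says only "exceedingly long".

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample agent config for illustration; not the poster's real file.
SAMPLE_OSSEC_CONF = """
<ossec_config>
  <syscheck>
    <frequency>7200</frequency>
    <directories check_all="yes">C:\\WINNT\\System32,C:\\Program Files</directories>
    <directories check_all="yes">D:\\OldShare\\DoesNotExist</directories>
  </syscheck>
</ossec_config>
<ossec_config>
  <syscheck>
    <ignore>C:\\WINNT\\System32\\LogFiles</ignore>
  </syscheck>
</ossec_config>
"""

# Assumed threshold: the reply says only "exceedingly long".
MAX_PATH_LEN = 200


def audit_syscheck(conf_text, isdir=os.path.isdir, max_len=MAX_PATH_LEN):
    """Return (kind, detail) findings: 'overlong' and 'missing' per
    <directories> path, plus 'no_registry' if no <windows_registry> exists."""
    # ossec.conf may hold several top-level <ossec_config> blocks, which is not
    # well-formed XML on its own, so wrap the whole file in a single root.
    root = ET.fromstring("<audit>" + conf_text + "</audit>")
    findings = []
    registry_entries = 0
    for syscheck in root.iter("syscheck"):
        registry_entries += len(syscheck.findall("windows_registry"))
        for elem in syscheck.findall("directories"):
            # One <directories> element carries a comma-separated list of paths.
            for path in (elem.text or "").split(","):
                path = path.strip()
                if not path:
                    continue
                if len(path) > max_len:
                    findings.append(("overlong", path))
                if not isdir(path):
                    findings.append(("missing", path))
    if registry_entries == 0:
        findings.append(("no_registry", "no <windows_registry> in any <syscheck>"))
    return findings


if __name__ == "__main__":
    for kind, detail in audit_syscheck(SAMPLE_OSSEC_CONF):
        print(f"{kind}: {detail}")
```

The `isdir` parameter lets the existence check be run from a management host against a list of known paths instead of the local filesystem.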
