Hi Jason, On Fri, Jan 7, 2011 at 8:51 AM, Youngquist, Jason R. <[email protected]> wrote: > Last weekend I installed OSSEC on a number of servers. On one Windows server > OSSEC will run for awhile, and then it will stop. I went into the server and > re-started OSSEC, and it ran for awhile and then stopped again. > > Here's a snippet from the OSSEC log file from the machine. > > > 2011/01/04 13:31:21 ossec-agent(1950): INFO: Analyzing file: > 'C:\WINNT\System32\LogFiles\W3SVC31\ex110104.log'. > 2011/01/04 13:31:21 ossec-agent: INFO: Started (pid: 3500). > 2011/01/04 13:32:41 ossec-agent: INFO: Starting rootcheck scan. > 2011/01/04 13:32:47 ossec-agent: INFO: Ending rootcheck scan. > 2011/01/05 00:02:11 ossec-agent(1952): INFO: Monitoring variable log file: > 'C:\WINNT\System32\LogFiles\W3SVC20\ex110105.log'. > 2011/01/05 00:02:11 ossec-agent(1103): ERROR: Unable to open file > 'C:\WINNT\System32\LogFiles\W3SVC20\ex110105.log'. > 2011/01/05 00:02:11 ossec-agent(1952): INFO: Monitoring variable log file: > 'C:\WINNT\System32\LogFiles\W3SVC30\ex110105.log'. > 2011/01/05 00:02:11 ossec-agent(1103): ERROR: Unable to open file > 'C:\WINNT\System32\LogFiles\W3SVC30\ex110105.log'. > 2011/01/05 00:02:11 ossec-agent(1952): INFO: Monitoring variable log file: > 'C:\WINNT\System32\LogFiles\W3SVC31\ex110105.log'. > 2011/01/05 00:02:11 ossec-agent(1103): ERROR: Unable to open file > 'C:\WINNT\System32\LogFiles\W3SVC31\ex110105.log'. > 2011/01/05 09:32:51 ossec-agent: INFO: Starting rootcheck scan. > 2011/01/05 09:32:57 ossec-agent: INFO: Ending rootcheck scan. > 2011/01/05 09:32:57 ossec-agent(1105): ERROR: Attempted to use null string. >
This sounds familiar for some reason, it might have come up in the past. Please try the latest snapshot to see if it continues to have this issue. http://www.ossec.net/files/snapshots/ > This machine is a webserver and the log files referenced above are weblogs > which can get pretty big. > > It looks like on " 2011 Jan 05 10:04:57" I received an alert from OSSEC that > the OSSEC agent installed on the server was disconnected > > > I did some googling for '"Attempted to use null string" ossec' and didn't > have much luck. Thoughts on what the issue might be? > > Thanks. > Jason Youngquist > Information Technology Security Engineer > Technology Services > Columbia College > 1001 Rogers Street, Columbia, MO 65216 > (573) 875-7334 > [email protected] > http://www.ccis.edu > > >
