Hi anderscooter,

On Fri, Jan 14, 2011 at 11:16 AM, anderscooter <[email protected]> wrote:
> We are connecting to the server, but get this message 'Unable to send
> message to server'. I enabled debugging but I cannot seem to find a
> reason for the messages. This is only happening on a couple servers
> and cannot find any commonality among the affected machines.
>
Try checking the ossec.log on the manager, to see if there are any
helpful messages there. Also, make sure all agents have a unique IP in
manage_agents (or are using a CIDR, that doesn't have to be unique).

> 2011/01/14 09:02:50 ossec-agent(4102): INFO: Connected to the server
> (xx.xxx.xxx.xxx:1514).
> 2011/01/14 09:02:50 ossec-agent(1951): INFO: Analyzing event log:
> 'Application'.
> 2011/01/14 09:02:50 ossec-agent(1951): INFO: Analyzing event log:
> 'Security'.
> 2011/01/14 09:02:53 ossec-agent(1951): INFO: Analyzing event log:
> 'System'.
> 2011/01/14 09:02:53 ossec-agent: INFO: Started (pid: 2508).
> 2011/01/14 09:03:49 ossec-agent: INFO: Starting syscheck scan
> (forwarding database).
> 2011/01/14 09:03:49 ossec-agent: INFO: Starting syscheck database (pre-
> scan).
> 2011/01/14 09:03:49 ossec-agent: WARN: Error opening directory: 'C:
> \boot.ini': No such file or directory
> 2011/01/14 09:03:49 ossec-agent: WARN: Error opening directory: 'C:
> \Windows/System32/CONFIG.NT': No such file or directory
> 2011/01/14 09:03:49 ossec-agent: WARN: Error opening directory: 'C:
> \Windows/System32/AUTOEXEC.NT': No such file or directory
> 2011/01/14 09:03:49 ossec-agent: WARN: Error opening directory: 'C:
> \Windows/System32/debug.exe': No such file or directory
> 2011/01/14 09:03:49 ossec-agent: WARN: Error opening directory: 'C:
> \Windows/System32/drwatson.exe': No such file or directory
> 2011/01/14 09:03:49 ossec-agent: WARN: Error opening directory: 'C:
> \Windows/System32/drwtsn32.exe': No such file or directory
> 2011/01/14 09:03:49 ossec-agent: WARN: Error opening directory: 'C:
> \Windows/System32/edlin.exe': No such file or directory
> 2011/01/14 09:03:49 ossec-agent: WARN: Error opening directory: 'C:
> \Windows/System32/eventtriggers.exe': No such file or directory
> 2011/01/14 09:03:49 ossec-agent: WARN: Error opening directory: 'C:
> \Windows/System32/rcp.exe': No such file or directory
> 2011/01/14 09:03:49 ossec-agent: WARN: Error opening directory: 'C:
> \Windows/System32/rexec.exe': No such file or directory
> 2011/01/14 09:03:49 ossec-agent: WARN: Error opening directory: 'C:
> \Windows/System32/rsh.exe': No such file or directory
> 2011/01/14 09:03:51 ossec-agent: WARN: Error opening directory: 'C:
> \Windows/System32/telnet.exe': No such file or directory
> 2011/01/14 09:03:51 ossec-agent: WARN: Error opening directory: 'C:
> \Windows/System32/tftp.exe': No such file or directory
> 2011/01/14 09:03:51 ossec-agent: WARN: Error opening directory: 'C:
> \Windows/System32/tlntsvr.exe': No such file or directory
> 2011/01/14 09:03:51 ossec-agent: INFO: Finished creating syscheck
> database (pre-scan completed).
> 2011/01/14 09:04:01 ossec-agent: INFO: Ending syscheck scan
> (forwarding database).
> 2011/01/14 09:04:21 ossec-agent: INFO: Starting rootcheck scan.
> 2011/01/14 09:04:26 ossec-agent: INFO: Ending rootcheck scan.
> 2011/01/14 09:06:29 ossec-agent(1218): ERROR: Unable to send message
> to server.
> 2011/01/14 09:15:12 ossec-agent: INFO: Event count after '20000':
> 17316711->10266128 (59%)
> 2011/01/14 09:28:17 ossec-agent: INFO: Event count after '20000':
> 17313995->10316576 (59%)
> 2011/01/14 09:36:07 ossec-agent(1218): ERROR: Unable to send message
> to server.
> 2011/01/14 09:41:54 ossec-agent: INFO: Event count after '20000':
> 17270398->10257672 (59%)
> 2011/01/14 09:48:51 ossec-agent(1218): ERROR: Unable to send message
> to server.
> 2011/01/14 09:53:55 ossec-agent(1218): ERROR: Unable to send message
> to server.
> 2011/01/14 09:54:08 ossec-agent: INFO: Event count after '20000':
> 17289252->10263464 (59%)
> 2011/01/14 10:01:19 ossec-agent(1218): ERROR: Unable to send message
> to server.
> 2011/01/14 10:09:22 ossec-agent: INFO: Event count after '20000':
> 17223575->10223496 (59%)
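
The unique-IP check suggested in the reply above can be scripted on the manager. This is an added example, not part of the original message and not OSSEC's own code. It assumes the manager's key file has one agent per line as "<id> <name> <ip> <key>", and the agent names, addresses and keys in the sample are constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the assumed layout: "<id> <name> <ip> <key>".
SAMPLE_KEYS = """\
001 web01 10.0.0.5 aaaa1111
002 web02 10.0.0.6 bbbb2222
003 db01 10.0.0.5 cccc3333
004 laptops 10.0.8.0/24 dddd4444
005 vpn-users 10.0.8.0/24 eeee5555
006 roaming any ffff6666
007 #*#*#*#*#*#*#*#*#*#*#
"""

def is_single_host(addr):
    """True only for a plain IP; 'any' and CIDR ranges need not be unique."""
    if addr.lower() == "any" or "/" in addr:
        return False
    try:
        ipaddress.ip_address(addr)
    except ValueError:
        return False  # hostname or garbage: not comparable, ignore
    return True

def duplicate_agent_ips(text):
    """Return {ip: [(agent_id, name), ...]} for plain IPs used by several agents."""
    seen = defaultdict(list)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:  # blank, removed or malformed entry
            continue
        agent_id, name, addr = fields[:3]
        if is_single_host(addr):
            # Normalise so that equivalent spellings of one address compare equal.
            seen[str(ipaddress.ip_address(addr))].append((agent_id, name))
    return {ip: agents for ip, agents in seen.items() if len(agents) > 1}

if __name__ == "__main__":
    import sys
    # Pass the path to the manager's key file, or run without arguments
    # to check the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_KEYS
    for ip, agents in sorted(duplicate_agent_ips(text).items()):
        print(ip, "is assigned to:", ", ".join(f"{i} ({n})" for i, n in agents))
```

On the sample it reports 10.0.0.5 as shared by agents 001 and 003, and ignores the two agents that share the 10.0.8.0/24 range.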
