It looks like the problem is at remote sites with large security logs, and every so often one of the message updates fails. We really don't need to monitor the Windows Event logs. Is the only way to do this in the Windows Agent config, or can this be done at the OSSEC server level?
On Jan 14, 2:10 pm, anderscooter <[email protected]> wrote:
> Yes the IP address is unique. I will have to get with the Unix team to
> see if they can enable debugging on the server. They did look at the
> logs without debugging on and didn't see anything out of the
> ordinary.
>
> And on high level debugging on the Windows Agent it will say things
> like this over and over again with the same "Audit Success IDs" and it
> looks like it's all the WinEvtLogs.
>
> 2011/01/14 14:03:17 ossec-agent: DEBUG: Attempting to send message to server.
> 2011/01/14 14:03:17 ossec-agent: DEBUG: Sending message to server: 'WinEvtLog: Security: AUDIT_SUCCESS(5145)
>
> On Jan 14, 11:26 am, "dan (ddp)" <[email protected]> wrote:
> > Hi anderscooter,
> >
> > On Fri, Jan 14, 2011 at 11:16 AM, anderscooter <[email protected]> wrote:
> > > We are connecting to the server, but get these messages 'Unable to send
> > > message to server'. I enabled debugging but I cannot seem to find a
> > > reason for the messages. This is only happening on a couple servers
> > > and cannot find any commonality among the affected machines.
> >
> > Try checking the ossec.log on the manager, to see if there are any
> > helpful messages there.
> > Also, make sure all agents have a unique IP in manage_agents (or are
> > using a CIDR, that doesn't have to be unique).
> >
> > > 2011/01/14 09:02:50 ossec-agent(4102): INFO: Connected to the server (xx.xxx.xxx.xxx:1514).
> > > 2011/01/14 09:02:50 ossec-agent(1951): INFO: Analyzing event log: 'Application'.
> > > 2011/01/14 09:02:50 ossec-agent(1951): INFO: Analyzing event log: 'Security'.
> > > 2011/01/14 09:02:53 ossec-agent(1951): INFO: Analyzing event log: 'System'.
> > > 2011/01/14 09:02:53 ossec-agent: INFO: Started (pid: 2508).
> > > 2011/01/14 09:03:49 ossec-agent: INFO: Starting syscheck scan (forwarding database).
> > > 2011/01/14 09:03:49 ossec-agent: INFO: Starting syscheck database (pre-scan).
> > > 2011/01/14 09:03:49 ossec-agent: WARN: Error opening directory: 'C:\boot.ini': No such file or directory
> > > 2011/01/14 09:03:49 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/CONFIG.NT': No such file or directory
> > > 2011/01/14 09:03:49 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/AUTOEXEC.NT': No such file or directory
> > > 2011/01/14 09:03:49 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/debug.exe': No such file or directory
> > > 2011/01/14 09:03:49 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/drwatson.exe': No such file or directory
> > > 2011/01/14 09:03:49 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/drwtsn32.exe': No such file or directory
> > > 2011/01/14 09:03:49 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/edlin.exe': No such file or directory
> > > 2011/01/14 09:03:49 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/eventtriggers.exe': No such file or directory
> > > 2011/01/14 09:03:49 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/rcp.exe': No such file or directory
> > > 2011/01/14 09:03:49 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/rexec.exe': No such file or directory
> > > 2011/01/14 09:03:49 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/rsh.exe': No such file or directory
> > > 2011/01/14 09:03:51 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/telnet.exe': No such file or directory
> > > 2011/01/14 09:03:51 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/tftp.exe': No such file or directory
> > > 2011/01/14 09:03:51 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/tlntsvr.exe': No such file or directory
> > > 2011/01/14 09:03:51 ossec-agent: INFO: Finished creating syscheck database (pre-scan completed).
> > > 2011/01/14 09:04:01 ossec-agent: INFO: Ending syscheck scan (forwarding database).
> > > 2011/01/14 09:04:21 ossec-agent: INFO: Starting rootcheck scan.
> > > 2011/01/14 09:04:26 ossec-agent: INFO: Ending rootcheck scan.
> > > 2011/01/14 09:06:29 ossec-agent(1218): ERROR: Unable to send message to server.
> > > 2011/01/14 09:15:12 ossec-agent: INFO: Event count after '20000': 17316711->10266128 (59%)
> > > 2011/01/14 09:28:17 ossec-agent: INFO: Event count after '20000': 17313995->10316576 (59%)
> > > 2011/01/14 09:36:07 ossec-agent(1218): ERROR: Unable to send message to server.
> > > 2011/01/14 09:41:54 ossec-agent: INFO: Event count after '20000': 17270398->10257672 (59%)
> > > 2011/01/14 09:48:51 ossec-agent(1218): ERROR: Unable to send message to server.
> > > 2011/01/14 09:53:55 ossec-agent(1218): ERROR: Unable to send message to server.
> > > 2011/01/14 09:54:08 ossec-agent: INFO: Event count after '20000': 17289252->10263464 (59%)
> > > 2011/01/14 10:01:19 ossec-agent(1218): ERROR: Unable to send message to server.
> > > 2011/01/14 10:09:22 ossec-agent: INFO: Event count after '20000': 17223575->10223496 (59%)
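An added example, not part of the thread: a small Python parser for the ossec-agent log format quoted above, so the frequency of the `Unable to send message to server` errors and the reported `Event count` ratios can be pulled out of a long agent log instead of read by eye. The sample log is constructed from the lines posted in the thread; the field names and the percentage check are this example's own assumptions about the format.

```python
import re
from datetime import datetime

# Constructed sample, assembled from the ossec-agent log lines quoted in the thread.
SAMPLE_LOG = """\
2011/01/14 09:02:50 ossec-agent(4102): INFO: Connected to the server (xx.xxx.xxx.xxx:1514).
2011/01/14 09:06:29 ossec-agent(1218): ERROR: Unable to send message to server.
2011/01/14 09:15:12 ossec-agent: INFO: Event count after '20000': 17316711->10266128 (59%)
2011/01/14 09:28:17 ossec-agent: INFO: Event count after '20000': 17313995->10316576 (59%)
2011/01/14 09:36:07 ossec-agent(1218): ERROR: Unable to send message to server.
2011/01/14 09:41:54 ossec-agent: INFO: Event count after '20000': 17270398->10257672 (59%)
2011/01/14 09:48:51 ossec-agent(1218): ERROR: Unable to send message to server.
2011/01/14 09:53:55 ossec-agent(1218): ERROR: Unable to send message to server.
"""

# timestamp, optional numeric code in parentheses, level, free-text message
LINE_RE = re.compile(
    r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) ossec-agent(?:\((\d+)\))?: (\w+): (.*)$")
COUNT_RE = re.compile(r"Event count after '(\d+)': (\d+)->(\d+) \((\d+)%\)")


def parse_agent_log(text):
    """Return one dict per parseable line with keys ts, code, level, msg."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that does not follow the agent log format
        events.append({
            "ts": datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S"),
            "code": m.group(2), "level": m.group(3), "msg": m.group(4),
        })
    return events


def summarize(events):
    """Count send failures, find their closest spacing, and recompute the count ratios."""
    errors = [e["ts"] for e in events
              if e["level"] == "ERROR" and "Unable to send message" in e["msg"]]
    gaps = [int((b - a).total_seconds()) for a, b in zip(errors, errors[1:])]
    ratios = []
    for e in events:
        m = COUNT_RE.search(e["msg"])
        if m:
            before, after, reported = int(m.group(2)), int(m.group(3)), int(m.group(4))
            ratios.append({"before": before, "after": after, "reported_pct": reported,
                           "computed_pct": after * 100 // before})
    return {"send_errors": len(errors), "min_gap_s": min(gaps) if gaps else None,
            "event_counts": ratios}


if __name__ == "__main__":
    print(summarize(parse_agent_log(SAMPLE_LOG)))
```

Running it over a full agent log makes it easy to see whether the send errors cluster around the high-volume `Event count` reports or are spread evenly through the day.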
