I know this problem doesn't get covered very often on the list, so start here : http://devio.us/~ddp/ossec/docs/faq/unexpected.html#agent-won-t-connect-to-the-manager On Nov 30, 2011 1:05 PM, "Mark C" <[email protected]> wrote:
> How were you able to fix this? I'm getting the same errors on one of my > servers. It's not a firewall issue since I have another server on the same > subnet that works... > > 2011/11/16 19:10:43 ossec-agent: INFO: Started (pid: 3032). > 2011/11/16 19:10:53 ossec-agent: WARN: Process locked. Waiting for > permission... > 2011/11/16 19:11:03 ossec-agent(4101): WARN: Waiting for server reply (not > started). Tried: '10.128.239.19'. > 2011/11/16 19:11:05 ossec-agent: INFO: Trying to connect to server ( > 10.128.239.19:1514). > 2011/11/16 19:11:05 ossec-agent: INFO: Using IPv4 for: 10.128.239.19 . > 2011/11/16 19:11:26 ossec-agent(4101): WARN: Waiting for server reply (not > started). Tried: '10.128.239.19'. > 2011/11/16 19:11:46 ossec-agent: INFO: Trying to connect to server ( > 10.128.239.19:1514). > 2011/11/16 19:11:46 ossec-agent: INFO: Using IPv4 for: 10.128.239.19 . > 2011/11/16 19:12:07 ossec-agent(4101): WARN: Waiting for server reply (not > started). Tried: '10.128.239.19'. > 2011/11/16 19:12:45 ossec-agent: INFO: Trying to connect to server ( > 10.128.239.19:1514). > 2011/11/16 19:12:45 ossec-agent: INFO: Using IPv4 for: 10.128.239.19 . > 2011/11/16 19:13:06 ossec-agent(4101): WARN: Waiting for server reply (not > started). Tried: '10.128.239.19'. > > What does this line mean? > > 2011/11/16 19:10:53 ossec-agent: WARN: Process locked. Waiting for > permission... > > Thanks, > -Mark > > > > Date: Sun, 20 Nov 2011 21:30:55 -0500 > > Subject: Re: [ossec-list] OSSEC Agent is not connecting > > From: [email protected] > > To: [email protected] > > > > For the archives/documentation, how did you fix it? > > > > On Sun, Nov 20, 2011 at 1:53 PM, Joe Arimboor <[email protected]> > wrote: > > > i figured out .. its working fine .. thanks > > > > > > > > > On Fri, Nov 18, 2011 at 12:24 AM, dan (ddp) <[email protected]> wrote: > > >> > > >> On Sun, Nov 13, 2011 at 9:11 AM, Joe <[email protected]> wrote: > > >> > Hi , I am getting the following err msg when an agent try to connect > > >> > to Server (no Firewall in between) > > >> > > > >> > > >> Are you sure the packets are getting to the manager? > > >> Does the manager respond? > > >> Does the manager log anything useful? > > >> Is this agent using a unique key? > > >> > > >> > ========== > > >> > summary logs > > >> > --------------------- > > >> > > > >> > 2011/11/13 18:05:03 ossec-agent: INFO: Started (pid: 2800). > > >> > > > >> > 2011/11/13 18:05:13 ossec-agent: WARN: Process locked. Waiting for > > >> > permission... > > >> > > > >> > 2011/11/13 18:05:24 ossec-agent(4101): WARN: Waiting for server > reply > > >> > (not started). Tried: '10.10.134.241'. > > >> > > > >> > 2011/11/13 18:05:26 ossec-agent: INFO: Trying to connect to server > > >> > (10.10.134.241:1514). > > >> > > > >> > 2011/11/13 18:05:26 ossec-agent: INFO: Using IPv4 for: > 10.10.134.241 . > > >> > > > >> > 2011/11/13 18:05:47 ossec-agent(4101): WARN: Waiting for server > reply > > >> > (not started). Tried: '10.10.134.241'. > > >> > > > >> > 2011/11/13 18:06:07 ossec-agent: INFO: Trying to connect to server > > >> > (10.10.134.241:1514). > > >> > > > >> > 2011/11/13 18:06:07 ossec-agent: INFO: Using IPv4 for: > 10.10.134.241 . > > >> > > > >> > 2011/11/13 18:06:28 ossec-agent(4101): WARN: Waiting for server > reply > > >> > (not started). Tried: '10.10.134.241'. > > >> > > > >> > 2011/11/13 18:07:06 ossec-agent: INFO: Trying to connect to server > > >> > (10.10.134.241:1514). > > >> > > > >> > 2011/11/13 18:07:06 ossec-agent: INFO: Using IPv4 for: > 10.10.134.241 . > > >> > > > >> > 2011/11/13 18:07:27 ossec-agent(4101): WARN: Waiting for server > reply > > >> > (not started). Tried: '10.10.134.241'. > > >> > > > >> > 2011/11/13 18:08:23 ossec-agent: INFO: Trying to connect to server > > >> > (10.10.134.241:1514). > > >> > > > >> > 2011/11/13 18:08:23 ossec-agent: INFO: Using IPv4 for: > 10.10.134.241 . > > >> > > > >> > 2011/11/13 18:08:44 ossec-agent(4101): WARN: Waiting for server > reply > > >> > (not started). Tried: '10.10.134.241'. > > >> > > > >> > ========================= > > >> > > > >> > complete logs > > >> > ----------------------- > > >> > > > >> > 2011/11/13 18:05:03 ossec-execd(1350): INFO: Active response > disabled. > > >> > Exiting. > > >> > > > >> > 2011/11/13 18:05:03 ossec-agent(1410): INFO: Reading authentication > > >> > keys file. > > >> > > > >> > 2011/11/13 18:05:03 ossec-agent: INFO: No previous counter available > > >> > for 'AV_server'. > > >> > > > >> > 2011/11/13 18:05:03 ossec-agent: INFO: Assigning counter for agent > > >> > AV_server: '0:0'. > > >> > > > >> > 2011/11/13 18:05:03 ossec-agent: INFO: Assigning sender counter: > 0:30 > > >> > > > >> > 2011/11/13 18:05:03 ossec-agent: INFO: Trying to connect to server > > >> > (10.10.134.241:1514). > > >> > > > >> > 2011/11/13 18:05:03 ossec-agent: INFO: Using IPv4 for: > 10.10.134.241 . > > >> > > > >> > 2011/11/13 18:05:03 ossec-agent: Starting syscheckd thread. > > >> > > > >> > 2011/11/13 18:05:03 ossec-rootcheck: INFO: Started (pid: 2800). > > >> > > > >> > 2011/11/13 18:05:03 ossec-agent: INFO: Monitoring registry entry: > > >> > 'HKEY_LOCAL_MACHINE\Software\Classes\batfile'. > > >> > > > >> > 2011/11/13 18:05:03 ossec-agent: INFO: Monitoring registry entry: > > >> > 'HKEY_LOCAL_MACHINE\Software\Classes\cmdfile'. > > >> > > > >> > 2011/11/13 18:05:03 ossec-agent: INFO: Monitoring registry entry: > > >> > 'HKEY_LOCAL_MACHINE\Software\Classes\comfile'. > > >> > > > >> > 2011/11/13 18:05:03 ossec-agent: INFO: Monitoring registry entry: > > >> > 'HKEY_LOCAL_MACHINE\Software\Classes\exefile'. > > >> > > > >> > 2011/11/13 18:05:03 ossec-agent: INFO: Monitoring registry entry: > > >> > 'HKEY_LOCAL_MACHINE\Software\Classes\piffile'. > > >> > > > >> > 2011/11/13 18:05:03 ossec-agent: INFO: Monitoring registry entry: > > >> > 'HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects'. > > >> > > > >> > 2011/11/13 18:05:03 ossec-agent: INFO: Monitoring registry entry: > > >> > 'HKEY_LOCAL_MACHINE\Software\Classes\Directory'. > > >> > > > >> > 2011/11/13 18:05:03 ossec-agent: INFO: Monitoring registry entry: > > >> > 'HKEY_LOCAL_MACHINE\Software\Classes\Folder'. > > >> > > > >> > 2011/11/13 18:05:03 ossec-agent: INFO: Monitoring registry entry: > > >> > 'HKEY_LOCAL_MACHINE\Software\Classes\Protocols'. > > >> > > > >> > 2011/11/13 18:05:03 ossec-agent: INFO: Monitoring registry entry: > > >> > 'HKEY_LOCAL_MACHINE\Software\Policies'. > > >> > > > >> > 2011/11/13 18:05:03 ossec-agent: INFO: Monitoring registry entry: > > >> > 'HKEY_LOCAL_MACHINE\Security'. > > >> > > > >> > 2011/11/13 18:05:03 ossec-agent: INFO: Monitoring registry entry: > > >> > 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer'. > > >> > > > >> > 2011/11/13 18:05:03 ossec-agent: INFO: Monitoring registry entry: > > >> > 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services'. > > >> > > > >> > 2011/11/13 18:05:03 ossec-agent: INFO: Monitoring registry entry: > > >> > 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager > > >> > \KnownDLLs'. > > >> > > > >> > 2011/11/13 18:05:03 ossec-agent: INFO: Monitoring registry entry: > > >> > > 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers > > >> > \winreg'. > > >> > > > >> > 2011/11/13 18:05:03 ossec-agent: INFO: Monitoring registry entry: > > >> > 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run'. > > >> > > > >> > 2011/11/13 18:05:03 ossec-agent: INFO: Monitoring registry entry: > > >> > 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion > > >> > \RunOnce'. > > >> > > > >> > 2011/11/13 18:05:03 ossec-agent: INFO: Monitoring registry entry: > > >> > 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion > > >> > \RunOnceEx'. > > >> > > > >> > 2011/11/13 18:05:03 ossec-agent: INFO: Monitoring registry entry: > > >> > 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL'. > > >> > > > >> > 2011/11/13 18:05:03 ossec-agent: INFO: Monitoring registry entry: > > >> > 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion > > >> > \Policies'. > > >> > > > >> > 2011/11/13 18:05:03 ossec-agent: INFO: Monitoring registry entry: > > >> > 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion > > >> > \Windows'. > > >> > > > >> > 2011/11/13 18:05:03 ossec-agent: INFO: Monitoring registry entry: > > >> > 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion > > >> > \Winlogon'. > > >> > > > >> > 2011/11/13 18:05:03 ossec-agent: INFO: Monitoring registry entry: > > >> > 'HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed > > >> > Components'. > > >> > > > >> > 2011/11/13 18:05:03 ossec-agent: INFO: Monitoring directory: 'C: > > >> > \WINDOWS/win.ini'. > > >> > > > >> > 2011/11/13 18:05:03 ossec-agent: INFO: Monitoring directory: 'C: > > >> > \WINDOWS/system.ini'. > > >> > > > >> > 2011/11/13 18:05:03 ossec-agent: INFO: Monitoring directory: 'C: > > >> > \autoexec.bat'. > > >> > > > >> > 2011/11/13 18:05:03 ossec-agent: INFO: Monitoring directory: 'C: > > >> > \config.sys'. > > >> > > > >> > 2011/11/13 18:05:03 ossec-agent: INFO: Monitoring directory: 'C: > > >> > \boot.ini'. > > >> > > > >> > 2011/11/13 18:05:03 ossec-agent: INFO: Monitoring directory: 'C: > > >> > \WINDOWS/System32/CONFIG.NT'. > > >> > > > >> > 2011/11/13 18:05:03 ossec-agent: INFO: Monitoring directory: 'C: > > >> > \WINDOWS/System32/AUTOEXEC.NT'. > > >> > > > >> > 2011/11/13 18:05:03 ossec-agent: INFO: Monitoring directory: 'C: > > >> > \WINDOWS/System32/at.exe'. > > >> > > > >> > 2011/11/13 18:05:03 ossec-agent: INFO: Monitoring directory: 'C: > > >> > \WINDOWS/System32/attrib.exe'. > > >> > > > >> > 2011/11/13 18:05:03 ossec-agent: INFO: Monitoring directory: 'C: > > >> > \WINDOWS/System32/cacls.exe'. > > >> > > > >> > 2011/11/13 18:05:03 ossec-agent: INFO: Monitoring directory: 'C: > > >> > \WINDOWS/System32/debug.exe'. > > >> > > > >> > 2011/11/13 18:05:03 ossec-agent: INFO: Monitoring directory: 'C: > > >> > \WINDOWS/System32/drwatson.exe'. > > >> > > > >> > 2011/11/13 18:05:03 ossec-agent: INFO: Monitoring directory: 'C: > > >> > \WINDOWS/System32/drwtsn32.exe'. > > >> > > > >> > 2011/11/13 18:05:03 ossec-agent: INFO: Monitoring directory: 'C: > > >> > \WINDOWS/System32/edlin.exe'. > > >> > > > >> > 2011/11/13 18:05:03 ossec-agent: INFO: Monitoring directory: 'C: > > >> > \WINDOWS/System32/eventcreate.exe'. > > >> > > > >> > 2011/11/13 18:05:03 ossec-agent: INFO: Monitoring directory: 'C: > > >> > \WINDOWS/System32/eventtriggers.exe'. > > >> > > > >> > 2011/11/13 18:05:03 ossec-agent: INFO: Monitoring directory: 'C: > > >> > \WINDOWS/System32/ftp.exe'. > > >> > > > >> > 2011/11/13 18:05:03 ossec-agent: INFO: Monitoring directory: 'C: > > >> > \WINDOWS/System32/net.exe'. > > >> > > > >> > 2011/11/13 18:05:03 ossec-agent: INFO: Monitoring directory: 'C: > > >> > \WINDOWS/System32/net1.exe'. > > >> > > > >> > 2011/11/13 18:05:03 ossec-agent: INFO: Monitoring directory: 'C: > > >> > \WINDOWS/System32/netsh.exe'. > > >> > > > >> > 2011/11/13 18:05:03 ossec-agent: INFO: Monitoring directory: 'C: > > >> > \WINDOWS/System32/rcp.exe'. > > >> > > > >> > 2011/11/13 18:05:03 ossec-agent: INFO: Monitoring directory: 'C: > > >> > \WINDOWS/System32/reg.exe'. > > >> > > > >> > 2011/11/13 18:05:03 ossec-agent: INFO: Monitoring directory: 'C: > > >> > \WINDOWS/regedit.exe'. > > >> > > > >> > 2011/11/13 18:05:03 ossec-agent: INFO: Monitoring directory: 'C: > > >> > \WINDOWS/System32/regedt32.exe'. > > >> > > > >> > 2011/11/13 18:05:03 ossec-agent: INFO: Monitoring directory: 'C: > > >> > \WINDOWS/System32/regsvr32.exe'. > > >> > > > >> > 2011/11/13 18:05:03 ossec-agent: INFO: Monitoring directory: 'C: > > >> > \WINDOWS/System32/rexec.exe'. > > >> > > > >> > 2011/11/13 18:05:03 ossec-agent: INFO: Monitoring directory: 'C: > > >> > \WINDOWS/System32/rsh.exe'. > > >> > > > >> > 2011/11/13 18:05:03 ossec-agent: INFO: Monitoring directory: 'C: > > >> > \WINDOWS/System32/runas.exe'. > > >> > > > >> > 2011/11/13 18:05:03 ossec-agent: INFO: Monitoring directory: 'C: > > >> > \WINDOWS/System32/sc.exe'. > > >> > > > >> > 2011/11/13 18:05:03 ossec-agent: INFO: Monitoring directory: 'C: > > >> > \WINDOWS/System32/subst.exe'. > > >> > > > >> > 2011/11/13 18:05:03 ossec-agent: INFO: Monitoring directory: 'C: > > >> > \WINDOWS/System32/telnet.exe'. > > >> > > > >> > 2011/11/13 18:05:03 ossec-agent: INFO: Monitoring directory: 'C: > > >> > \WINDOWS/System32/tftp.exe'. > > >> > > > >> > 2011/11/13 18:05:03 ossec-agent: INFO: Monitoring directory: 'C: > > >> > \WINDOWS/System32/tlntsvr.exe'. > > >> > > > >> > 2011/11/13 18:05:03 ossec-agent: INFO: Monitoring directory: 'C: > > >> > \WINDOWS/System32/drivers/etc'. > > >> > > > >> > 2011/11/13 18:05:03 ossec-agent: INFO: Monitoring directory: 'C: > > >> > \Documents and Settings/All Users/Start Menu/Programs/Startup'. > > >> > > > >> > 2011/11/13 18:05:03 ossec-agent: INFO: Started (pid: 2800). > > >> > > > >> > 2011/11/13 18:05:13 ossec-agent: WARN: Process locked. Waiting for > > >> > permission... > > >> > > > >> > 2011/11/13 18:05:24 ossec-agent(4101): WARN: Waiting for server > reply > > >> > (not started). Tried: '10.10.134.241'. > > >> > > > >> > 2011/11/13 18:05:26 ossec-agent: INFO: Trying to connect to server > > >> > (10.10.134.241:1514). > > >> > > > >> > 2011/11/13 18:05:26 ossec-agent: INFO: Using IPv4 for: > 10.10.134.241 . > > >> > > > >> > 2011/11/13 18:05:47 ossec-agent(4101): WARN: Waiting for server > reply > > >> > (not started). Tried: '10.10.134.241'. > > >> > > > >> > 2011/11/13 18:06:07 ossec-agent: INFO: Trying to connect to server > > >> > (10.10.134.241:1514). > > >> > > > >> > 2011/11/13 18:06:07 ossec-agent: INFO: Using IPv4 for: > 10.10.134.241 . > > >> > > > >> > 2011/11/13 18:06:28 ossec-agent(4101): WARN: Waiting for server > reply > > >> > (not started). Tried: '10.10.134.241'. > > >> > > > >> > 2011/11/13 18:07:06 ossec-agent: INFO: Trying to connect to server > > >> > (10.10.134.241:1514). > > >> > > > >> > 2011/11/13 18:07:06 ossec-agent: INFO: Using IPv4 for: > 10.10.134.241 . > > >> > > > >> > 2011/11/13 18:07:27 ossec-agent(4101): WARN: Waiting for server > reply > > >> > (not started). Tried: '10.10.134.241'. > > >> > > > >> > 2011/11/13 18:08:23 ossec-agent: INFO: Trying to connect to server > > >> > (10.10.134.241:1514). > > >> > > > >> > 2011/11/13 18:08:23 ossec-agent: INFO: Using IPv4 for: > 10.10.134.241 . > > >> > > > >> > 2011/11/13 18:08:44 ossec-agent(4101): WARN: Waiting for server > reply > > >> > (not started). Tried: '10.10.134.241'. > > >> > > > >> > > > > > > > >
