On Tue, Aug 21, 2012 at 11:05 AM, Michael Barrett <[email protected]> wrote:
>
> we are working on 2.6
>
> Here is the issue.
>
> I have one Windows 2003 agent that can't talk to the server. No firewalls
>
>
> Windows ossec.log
>
> 2012/08/21 10:02:06 ossec-agent: INFO: Started (pid: 5392).
> 2012/08/21 10:02:16 ossec-agent: WARN: Process locked. Waiting for permission...
> 2012/08/21 10:02:27 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '144.122.190.48'.
> 2012/08/21 10:02:29 ossec-agent: INFO: Trying to connect to server (144.122.190.48:1514).
> 2012/08/21 10:02:31 ossec-agent: Received exit signal.
> 2012/08/21 10:02:31 ossec-agent: Exiting...
>
>
> Server
>
> 2012/08/21 10:03:13 ossec-remoted(1403): ERROR: Incorrectly formated message from '144.122.218.24'.
>

Is this the only agent on this network? Could there be a networking device
messing things up in between? Is this the only host having issues? Is the
server listening on multiple networks? What does v2.5.1 have to do with this?

>
> Config
>
> <!-- OSSEC Win32 Agent Configuration.
>   - This file is composed of 3 main sections:
>     - Client config - Settings to connect to the OSSEC server.
>     - Localfile - Files/Event logs to monitor.
>     - syscheck - System file/Registry entries to monitor.
> -->
>
> <!-- READ ME FIRST. If you are configuring OSSEC for the first time,
>   - try to use the "Manage_Agent" tool. Go to control panel->OSSEC Agent
>   - to execute it.
>   -
>   - First, add a server-ip entry with the real IP of your server.
>   - Second, and optionally, change the settings of the files you want
>   - to monitor. Look at our Manual and FAQ for more information.
>   - Third, start the Agent and enjoy.
>   -
>   - Example of server-ip:
>   - <client> <server-ip>1.2.3.4</server-ip> </client>
> -->
>
> <ossec_config>
>
>   <!-- One entry for each file/Event log to monitor. -->
>   <!--
>   <localfile>
>     <location>Application</location>
>     <log_format>eventlog</log_format>
>   </localfile>
>
>   <localfile>
>     <location>Security</location>
>     <log_format>eventlog</log_format>
>   </localfile>
>
>   <localfile>
>     <location>System</location>
>     <log_format>eventlog</log_format>
>   </localfile>
>   -->
>
>   <!-- Rootcheck - Policy monitor config -->
>   <rootcheck>
>     <windows_audit>./shared/win_audit_rcl.txt</windows_audit>
>     <windows_apps>./shared/win_applications_rcl.txt</windows_apps>
>     <windows_malware>./shared/win_malware_rcl.txt</windows_malware>
>   </rootcheck>
>
>   <!-- Syscheck - Integrity Checking config. -->
>   <syscheck>
>
>     <!-- Default frequency, every 18 hours. It doesn't need to be higher
>       - on most systems and once a day should be enough.
>     -->
>     <frequency>64800</frequency>
>
>     <!-- By default it is disabled. In the Install you must choose
>       - to enable it.
>     -->
>     <disabled>no</disabled>
>
>     <!-- Default files to be monitored - system32 only. -->
>     <directories check_all="yes">%WINDIR%/system32</directories>
>
>     <!-- Default files to be ignored. -->
>     <ignore>%WINDIR%/System32/LogFiles</ignore>
>     <ignore>%WINDIR%/system32/wbem/Logs</ignore>
>     <ignore>%WINDIR%/system32/config</ignore>
>     <ignore>%WINDIR%/system32/CatRoot</ignore>
>     <ignore>%WINDIR%/system32/wbem/Repository</ignore>
>     <ignore>%WINDIR%/system32/dllcache</ignore>
>     <ignore>%WINDIR%/system32/inetsrv/History</ignore>
>     <ignore>%WINDIR%/system32/winevt/Logs</ignore>
>     <ignore>%WINDIR%/system32/spool</ignore>
>     <ignore>%WINDIR%/system32/Tasks</ignore>
>     <ignore type="sregex">.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$</ignore>
>
>     <!-- Windows registry entries to monitor. -->
>     <windows_registry>HKEY_LOCAL_MACHINE\Software\Policies</windows_registry>
>     <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion</windows_registry>
>     <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion</windows_registry>
>     <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer</windows_registry>
>     <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes</windows_registry>
>     <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control</windows_registry>
>     <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</windows_registry>
>     <windows_registry>HKEY_LOCAL_MACHINE\Security</windows_registry>
>
>     <!-- Windows registry entries to ignore. -->
>     <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData</registry_ignore>
>     <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\State</registry_ignore>
>     <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate</registry_ignore>
>     <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache</registry_ignore>
>     <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList</registry_ignore>
>     <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Prefetcher</registry_ignore>
>     <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache</registry_ignore>
>     <registry_ignore>HKEY_LOCAL_MACHINE\Software\Classes\Interface</registry_ignore>
>     <registry_ignore>HKEY_LOCAL_MACHINE\Software\Classes\TypeLib</registry_ignore>
>     <registry_ignore>HKEY_LOCAL_MACHINE\Software\Classes\MIME</registry_ignore>
>     <registry_ignore>HKEY_LOCAL_MACHINE\Software\Classes\Software</registry_ignore>
>     <registry_ignore>HKEY_LOCAL_MACHINE\Software\Classes\CLSID</registry_ignore>
>     <registry_ignore>HKEY_LOCAL_MACHINE\Security\Policy\Secrets</registry_ignore>
>     <registry_ignore>HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users</registry_ignore>
>     <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceClasses</registry_ignore>
>     <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Watchdog</registry_ignore>
>     <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\MediaCategories</registry_ignore>
>     <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Windows</registry_ignore>
>     <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\hivelist</registry_ignore>
>     <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ServiceCurrent</registry_ignore>
>     <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print</registry_ignore>
>     <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager</registry_ignore>
>     <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog</registry_ignore>
>     <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess\Performance</registry_ignore>
>     <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient</registry_ignore>
>     <registry_ignore type="sregex">\Enum$</registry_ignore>
>   </syscheck>
>
> </ossec_config>
>
> <!-- END of Default Configuration. -->
>
> <ossec_config>
>   <client>
>     <server-ip>144.122.190.48</server-ip>
>   </client>
> </ossec_config>
>
> ____________________________________________
> Michael Barrett | Information Security Analyst - Lead | Mortgage Guaranty Insurance Corporation
> 270 E. Kilbourn Ave. | Milwaukee, WI 53202 USA | 1.414.347.6271 | 1.888.601.4440 | [email protected]
>
> This message is intended for use only by the person(s) addressed above and
> may contain privileged and confidential information. Disclosure or use of
> this message by any other person is strictly prohibited. If this message is
> received in error, please notify the sender immediately and delete this
> message.
>
>
> From: "dan (ddp)" <[email protected]>
> To: [email protected]
> Date: 08/21/2012 09:58 AM
> Subject: Re: [ossec-list] 2.5.1
> Sent by: [email protected]
>
> ________________________________
>
> On Tue, Aug 21, 2012 at 10:52 AM, Michael Barrett
> <[email protected]> wrote:
> >
> > Anyone know where I can download version 2.5.1 server? Can only find 2.6 on
> > the OSSEC site but need the 2.5.1 version.
> >
>
> I'd start by looking in 2010.
>
> 2.6 is the latest version, and we don't encourage using anything older.
>
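A small triage script for the symptom in the message above, added here as an example; it is not code from the thread or from the OSSEC project. It reads the agent's ossec.conf, the agent-side ossec.log and the server-side ossec.log, checks that the IP the agent says it tried is the one configured in `<server-ip>`, and lists which source IPs ossec-remoted rejected with error 1403 ("Incorrectly formated message") close in time to the agent's connection attempts. The sample config and log lines are constructed from the ones quoted above; the two-minute correlation window and the assumption that the two hosts' clocks roughly agree are mine, not anything the thread states.

```python
"""Cross-check an OSSEC agent's configured server, the server IP it actually
tried, and the source IPs its manager rejects. Added example, not part of the
ossec-list thread or of OSSEC. Sample data is constructed from the thread."""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

# ossec.log line: "YYYY/MM/DD HH:MM:SS daemon(code): LEVEL: message";
# the "(code)" and "LEVEL:" parts are optional (e.g. "Received exit signal.").
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<daemon>ossec-[a-z]+)(?:\((?P<code>\d+)\))?: "
    r"(?:(?P<level>INFO|WARN|ERROR): )?(?P<msg>.*)$"
)
TS_FMT = "%Y/%m/%d %H:%M:%S"
IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"


def parse_ossec_log(text):
    """Parse ossec.log lines into dicts; lines that do not match (for example
    continuation lines from a pasted e-mail) are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], TS_FMT)
            events.append(ev)
    return events


def configured_server_ips(conf_text):
    """<server-ip> values from an agent ossec.conf. OSSEC accepts several
    top-level <ossec_config> blocks in one file, which is not well-formed XML,
    so the text is wrapped in a synthetic root before parsing."""
    root = ET.fromstring("<root>" + conf_text + "</root>")
    return [e.text.strip() for e in root.iter("server-ip") if e.text]


def agent_server_targets(events):
    """Server IPs the agent reports trying ("Tried: 'IP'" or
    "Trying to connect to server (IP:port)")."""
    targets = set()
    for ev in events:
        if ev["daemon"] != "ossec-agent":
            continue
        m = (re.search(r"Tried: '" + IPV4 + "'", ev["msg"])
             or re.search(r"connect to server \(" + IPV4 + r":\d+\)", ev["msg"]))
        if m:
            targets.add(m.group(1))
    return targets


def rejected_sources(events):
    """(timestamp, source IP) for each ossec-remoted 1403 error, the
    server-side symptom quoted in the thread."""
    out = []
    for ev in events:
        if ev["daemon"] == "ossec-remoted" and ev["code"] == "1403":
            m = re.search(r"from '" + IPV4 + "'", ev["msg"])
            if m:
                out.append((ev["ts"], m.group(1)))
    return out


def triage(conf_text, agent_log, server_log, window=timedelta(minutes=2)):
    """Summarise config vs. agent log vs. server log. The time correlation
    assumes the agent and server clocks roughly agree (assumption)."""
    agent = parse_ossec_log(agent_log)
    configured = configured_server_ips(conf_text)
    tried = agent_server_targets(agent)
    rejected = rejected_sources(parse_ossec_log(server_log))
    attempts = [ev["ts"] for ev in agent
                if ev["daemon"] == "ossec-agent" and "server" in ev["msg"]]
    near = [(ts, ip) for ts, ip in rejected
            if any(abs(ts - a) <= window for a in attempts)]
    return {
        "configured_server_ips": configured,
        "agent_tried": sorted(tried),
        "agent_targets_match_config": bool(tried) and tried <= set(configured),
        "rejected_sources": sorted({ip for _, ip in rejected}),
        "rejections_near_agent_attempts": near,
    }


# Constructed sample input, taken from the lines quoted in the thread.
AGENT_CONF = """<ossec_config>
  <client>
    <server-ip>144.122.190.48</server-ip>
  </client>
</ossec_config>
"""
AGENT_LOG = """\
2012/08/21 10:02:06 ossec-agent: INFO: Started (pid: 5392).
2012/08/21 10:02:16 ossec-agent: WARN: Process locked. Waiting for permission...
2012/08/21 10:02:27 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '144.122.190.48'.
2012/08/21 10:02:29 ossec-agent: INFO: Trying to connect to server (144.122.190.48:1514).
2012/08/21 10:02:31 ossec-agent: Received exit signal.
2012/08/21 10:02:31 ossec-agent: Exiting...
"""
SERVER_LOG = """\
2012/08/21 10:03:13 ossec-remoted(1403): ERROR: Incorrectly formated message from '144.122.218.24'.
"""

if __name__ == "__main__":
    for key, value in triage(AGENT_CONF, AGENT_LOG, SERVER_LOG).items():
        print(f"{key}: {value}")
```

The script does not say why remoted rejects the message; it only establishes whether the agent is aiming at the configured server and whether the rejected source lines up in time with the failing agent, which is the first thing to pin down before chasing the network path the reply asks about.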
