Hi, I hope this is a simple "yes that's how it's supposed to be" answer.
I have had OSSEC 2.6 running on about 9 PCs for over a year, that auto-reboot every night. Every time I reboot, and services start, I get notice of services that were blocked by Windows Firewall. Recently, I noticed that on a few days this year, Windows Firewall blocked various UDP ports that "P:\Program Files\ossec-agent\ossec-agent.exe" was trying to listen to, based on the Windows security logs, as it does for any service that starts up listening but is not allowed to in the firewall rules, and logs that it was blocked in the Windows Firewall rules.

It happened 39 times in May on 3 different days (not on reboot), 1 in August (upon reboot), 1 event on Dec 6 (upon reboot) and 20 events on the night of the 7th (not upon reboot, but I think the OSSEC server went down around that time). This was on about 4 out of 9 machines, all nearly identical. The first day was May 1, and it seemed to have multiple events all on one PC. The second was on the 3rd, on two more PCs, 1 event each. Then finally May 28th, on all of the PCs that I've seen this on. I give all this detail just to illustrate how sort of random it seems.

My main question is, should ossec-agent.exe cause this event to ever occur? If so, why so sporadically? If not, well, any other thoughts?
