Thanks Michael.
I enabled
<global>
<logall>yes</logall>
</global>
After I disabled "Audit object access / Success" events the chatter
diminished and I am now only seeing traffic every 7 minutes which must be
the keepalives.
Is there a way to display raw events on the OSSEC server side?
On Wednesday, April 16, 2014 10:07:19 AM UTC-4, Joe60 wrote:
>
> Hello,
>
> I am trying to assess how much bandwidth is consumed between a Windows
> agent and the OSSEC server under normal operating conditions.
>
> I am seeing continuous chatter from a Windows agent to the OSSEC server on
> UDP port 1514 every 4 seconds.
>
> 09:28:53.357655 IP 192.168.1.141.49591 > 192.168.1.145.fujitsu-dtcns: UDP, length 409
> 09:28:53.357665 IP 192.168.1.141.49591 > 192.168.1.145.fujitsu-dtcns: UDP, length 409
> 09:28:53.357706 IP 192.168.1.141.49591 > 192.168.1.145.fujitsu-dtcns: UDP, length 409
> 09:28:53.357903 IP 192.168.1.141.49591 > 192.168.1.145.fujitsu-dtcns: UDP, length 409
> 09:28:57.382126 IP 192.168.1.141.49591 > 192.168.1.145.fujitsu-dtcns: UDP, length 409
> 09:28:57.382319 IP 192.168.1.141.49591 > 192.168.1.145.fujitsu-dtcns: UDP, length 401
> 09:28:57.382502 IP 192.168.1.141.49591 > 192.168.1.145.fujitsu-dtcns: UDP, length 409
> 09:28:57.382692 IP 192.168.1.141.49591 > 192.168.1.145.fujitsu-dtcns: UDP, length 409
> 09:29:01.406947 IP 192.168.1.141.49591 > 192.168.1.145.fujitsu-dtcns: UDP, length 409
> 09:29:01.407135 IP 192.168.1.141.49591 > 192.168.1.145.fujitsu-dtcns: UDP, length 345
> 09:29:01.407310 IP 192.168.1.141.49591 > 192.168.1.145.fujitsu-dtcns: UDP, length 393
> 09:29:01.407494 IP 192.168.1.141.49591 > 192.168.1.145.fujitsu-dtcns: UDP, length 393
> 09:29:01.407673 IP 192.168.1.141.49591 > 192.168.1.145.fujitsu-dtcns: UDP, length 393
> 09:29:01.407853 IP 192.168.1.141.49591 > 192.168.1.145.fujitsu-dtcns: UDP, length 385
> 09:29:01.408046 IP 192.168.1.141.49591 > 192.168.1.145.fujitsu-dtcns: UDP, length 409
> 09:29:01.408227 IP 192.168.1.141.49591 > 192.168.1.145.fujitsu-dtcns: UDP, length 393
> 09:29:01.408401 IP 192.168.1.141.49591 > 192.168.1.145.fujitsu-dtcns: UDP, length 393
> 09:29:01.408577 IP 192.168.1.141.49591 > 192.168.1.145.fujitsu-dtcns: UDP, length 385
> 09:29:01.408753 IP 192.168.1.141.49591 > 192.168.1.145.fujitsu-dtcns: UDP, length 393
> 09:29:01.408925 IP 192.168.1.141.49591 > 192.168.1.145.fujitsu-dtcns: UDP, length 345
> 09:29:01.409118 IP 192.168.1.141.49591 > 192.168.1.145.fujitsu-dtcns: UDP, length 409
> 09:29:01.409289 IP 192.168.1.141.49591 > 192.168.1.145.fujitsu-dtcns: UDP, length 345
> 09:29:05.431749 IP 192.168.1.141.49591 > 192.168.1.145.fujitsu-dtcns: UDP, length 409
> 09:29:05.431937 IP 192.168.1.141.49591 > 192.168.1.145.fujitsu-dtcns: UDP, length 409
> 09:29:05.432146 IP 192.168.1.141.49591 > 192.168.1.145.fujitsu-dtcns: UDP, length 409
> 09:29:05.432332 IP 192.168.1.141.49591 > 192.168.1.145.fujitsu-dtcns: UDP, length 401
>
> The client log states that it is sending keepalive messages about every
> 6-7 minutes but nothing else.
>
> 2014/04/16 08:50:49 ossec-agent Sending keep alive message....
> 2014/04/16 08:57:32 ossec-agent Sending keep alive message....
> 2014/04/16 09:04:15 ossec-agent Sending keep alive message....
> 2014/04/16 09:10:58 ossec-agent Sending keep alive message....
> 2014/04/16 09:17:40 ossec-agent Sending keep alive message....
> 2014/04/16 09:24:23 ossec-agent Sending keep alive message....
> 2014/04/16 09:31:05 ossec-agent Sending keep alive message....
> 2014/04/16 09:37:48 ossec-agent Sending keep alive message....
> 2014/04/16 09:44:30 ossec-agent Sending keep alive message....
> 2014/04/16 09:51:13 ossec-agent Sending keep alive message....
> 2014/04/16 09:57:55 ossec-agent Sending keep alive message....
>
> I enabled debug level 2 for all cases on the server but am not seeing
> anything more recorded in ossec.log.
>
> Can anybody shed some light on what this chatter is all about?
>
> Thanks.
>
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
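The bandwidth assessment asked about in the quoted question, as an added example that is not part of the thread or of OSSEC itself: a Python script that parses tcpdump's one-line UDP summaries, totals the bytes (adding the IPv4/UDP header overhead that tcpdump's "length" omits), groups packets into the per-second bursts the capture shows, and measures the gap between bursts. The sample lines are constructed from the quoted capture; the 28-byte header overhead assumes plain IPv4 without options.

```python
import re
from datetime import datetime

# Constructed sample modelled on the tcpdump lines quoted in the question
# (agent 192.168.1.141 -> server UDP 1514, which tcpdump names fujitsu-dtcns).
SAMPLE = """\
09:28:53.357655 IP 192.168.1.141.49591 > 192.168.1.145.fujitsu-dtcns: UDP, length 409
09:28:53.357665 IP 192.168.1.141.49591 > 192.168.1.145.fujitsu-dtcns: UDP, length 409
09:28:57.382126 IP 192.168.1.141.49591 > 192.168.1.145.fujitsu-dtcns: UDP, length 409
09:28:57.382319 IP 192.168.1.141.49591 > 192.168.1.145.fujitsu-dtcns: UDP, length 401
09:29:01.406947 IP 192.168.1.141.49591 > 192.168.1.145.fujitsu-dtcns: UDP, length 409
09:29:01.407135 IP 192.168.1.141.49591 > 192.168.1.145.fujitsu-dtcns: UDP, length 345
09:29:01.407310 IP 192.168.1.141.49591 > 192.168.1.145.fujitsu-dtcns: UDP, length 393
"""
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.\d+ > "
    r"(?P<dst>[\d.]+)\.\S+: UDP, length (?P<len>\d+)$")
UDP_IP_OVERHEAD = 28  # assumed IPv4 (20) + UDP (8) headers; tcpdump's length is payload only

def parse_tcpdump(text):
    """One (timestamp, src, dst, payload_len) tuple per tcpdump UDP summary line."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # anything that is not a UDP summary line is ignored
            ts = datetime.strptime(m["ts"], "%H:%M:%S.%f")  # capture must not cross midnight
            records.append((ts, m["src"], m["dst"], int(m["len"])))
    return records

def summarize(records):
    """Bytes on the wire and average rate over the captured window."""
    payload = sum(r[3] for r in records)
    wire = payload + UDP_IP_OVERHEAD * len(records)
    span = (records[-1][0] - records[0][0]).total_seconds() if len(records) > 1 else 0.0
    return {"packets": len(records), "payload_bytes": payload, "wire_bytes": wire,
            "seconds": span, "wire_bytes_per_sec": wire / span if span else float("nan")}

def bursts(records):
    """Packets per whole second: the agent flushes queued events in bursts."""
    groups = {}
    for ts, _, _, _ in records:
        key = ts.replace(microsecond=0)
        groups[key] = groups.get(key, 0) + 1
    return sorted(groups.items())

def burst_intervals(records):
    """Seconds between consecutive bursts; a steady ~4 s points at a periodic sender."""
    starts = [k for k, _ in bursts(records)]
    return [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
```

Feed it a longer capture (`tcpdump -n udp port 1514` output) to compare the byte rate before and after trimming noisy audit categories on the agent.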