Hi,

Your configuration is working properly on my environment. What Windows version are you running?

An EventChannel Bookmark <https://msdn.microsoft.com/es-es/library/windows/desktop/bb427418(v=vs.85).aspx> identifies an event in a channel or log file; bookmarks are created by OSSEC in order to subscribe to an event list. I can see on my lab how the bookmark is created first in the tmp/ folder and then moved to the bookmarks/ folder.

Tracing your errors, the first one is printed when OSSEC tries to rename the bookmark tmp file in the function rename_ex() (1 <https://github.com/wazuh/ossec-wazuh/blob/ab9f716128ab4d1df58fd3c9d0e0bf9fd5cf7150/src/shared/file_op.c#L858> and 2 <https://github.com/wazuh/ossec-wazuh/blob/5441889d963ce6d8ee3fae0e9f273e701b6c89eb/src/logcollector/read_win_event_channel.c#L575>); the second error <https://github.com/wazuh/ossec-wazuh/blob/5441889d963ce6d8ee3fae0e9f273e701b6c89eb/src/logcollector/read_win_event_channel.c#L577> is a consequence of the first. I can assume the file no longer exists in that folder or OSSEC does not have enough permissions to move/rename it. Try to run uninstall.exe and start from scratch, installing OSSEC again; if that does not work, try to grant permissions to the group "Administrators".

Best regards,
Pedro S.

On Monday, May 16, 2016 at 2:07:57 PM UTC+2, Abdulvehhab Agin wrote:
> Hi Pedro,
>
> My ossec.conf and internal_options.conf are attached.
>
> I set remoted.verify_msg_id=0 to ignore the Duplicated error.
>
> On Friday, 13 May 2016 at 19:57:57 UTC+3, Pedro S wrote:
>> Just to be sure, the variable I was talking about is:
>>
>> # Verify msg id (set to 0 to disable it)
>> remoted.verify_msg_id=1
>>
>> at /var/ossec/etc/internal_options.conf
>>
>> Best regards,
>> Pedro S.
>>
>> On Friday, May 13, 2016 at 3:53:20 PM UTC+2, Pedro S wrote:
>>> Hi,
>>>
>>> I don't think verify_msg will be related with those errors.
>>>
>>> It seems like those files (EventChannel bookmarks) no longer exist in the tmp folder or OSSEC does not have enough permissions; try to reinstall the agent.
>>> If you prefer, paste here your EventChannel queries so I can test them in my labs.
>>>
>>> Best regards,
>>> Pedro S.
>>>
>>> On Fri, May 13, 2016 at 1:37 PM, Abdulvehhab Agin <[email protected]> wrote:
>>>> When I change verify_msg_id=0, I have lots of errors in the ossec log:
>>>>
>>>> 2016/05/13 14:33:17 ossec-agent: ERROR: Could not move (tmp/Security-a06404) to (bookmarks/Security) which returned (5)
>>>> 2016/05/13 14:33:17 ossec-agent: ERROR: Could not rename_ex() temporary bookmark (tmp/Security-a06404) to (bookmarks/Security) for (Security)
>>>> 2016/05/13 14:33:17 ossec-agent: ERROR: Could not move (tmp/Security-a06404) to (bookmarks/Security) which returned (5)
>>>> 2016/05/13 14:33:17 ossec-agent: ERROR: Could not rename_ex() temporary bookmark (tmp/Security-a06404) to (bookmarks/Security) for (Security)
>>>> 2016/05/13 14:33:17 ossec-agent: ERROR: Could not move (tmp/Security-a06404) to (bookmarks/Security) which returned (5)
>>>> 2016/05/13 14:33:17 ossec-agent: ERROR: Could not rename_ex() temporary bookmark (tmp/Security-a06404) to (bookmarks/Security) for (Security)
>>>>
>>>> On Thursday, 12 May 2016 at 10:37:15 UTC+3, Pedro S wrote:
>>>>> Hi,
>>>>>
>>>>> If multiple agents are using the same key, you need to set them up with their own unique key.
>>>>> If you re-installed an agent and didn't back up the rids files, you should create a new key for the agent and use that.
>>>>> If you prefer to avoid any counter errors, try to deactivate counters: open the file etc/internal_options.conf (Manager & Agent) and set verify_msg_id=0.
>>>>>
>>>>> Regards,
>>>>> Pedro S.
>>>>>
>>>>> On Wednesday, May 11, 2016 at 10:33:00 PM UTC+2, Abdulvehhab Agin wrote:
>>>>>> Hi,
>>>>>>
>>>>>> Sometimes the ossec server says "ERROR: Duplicated counter for" errors. Especially, we have mass logs, and the log sending protocol is UDP, so the rids counters of agent and server are sometimes inconsistent.
>>>>>>
>>>>>> When I see this error, I see the agent is inactive. After this, the agent won't send any logs.
>>>>>>
>>>>>> How can I solve this problem?
>>>>>>
>>>>>> OSSEC version 2.8.3
>>>>
>>>> --
>>>> You received this message because you are subscribed to the Google Groups "ossec-list" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>>>> For more options, visit https://groups.google.com/d/optout.
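As an added example (not code from this thread or from OSSEC itself), the following Python script scans ossec.log lines for the bookmark move failures quoted above, decodes the Windows error code in `which returned (N)` and collapses repeated failures into one count per channel, so a defender can tell a permissions problem (error 5, ERROR_ACCESS_DENIED) from a temporary bookmark that vanished from tmp/ (error 2). The log excerpt is constructed from the pattern in the thread (the Application line is made up), and the hint text per error code is an assumption that mirrors the diagnosis given above.

```python
import re
from collections import Counter

# Constructed sample ossec.log excerpt: the Security lines follow the pattern
# posted in the thread; the Application line (error 2) is made up to show a
# different failure cause.
SAMPLE_LOG = """\
2016/05/13 14:33:17 ossec-agent: ERROR: Could not move (tmp/Security-a06404) to (bookmarks/Security) which returned (5)
2016/05/13 14:33:17 ossec-agent: ERROR: Could not rename_ex() temporary bookmark (tmp/Security-a06404) to (bookmarks/Security) for (Security)
2016/05/13 14:33:17 ossec-agent: ERROR: Could not move (tmp/Security-a06404) to (bookmarks/Security) which returned (5)
2016/05/13 14:33:18 ossec-agent: ERROR: Could not move (tmp/Application-1f2e3d) to (bookmarks/Application) which returned (2)
2016/05/13 14:33:19 ossec-agent: INFO: Started (pid: 1234).
"""

# Standard Windows system error codes a failed rename/move can return.
WIN_ERRORS = {2: "ERROR_FILE_NOT_FOUND", 3: "ERROR_PATH_NOT_FOUND",
              5: "ERROR_ACCESS_DENIED", 32: "ERROR_SHARING_VIOLATION"}
# Remediation hints (assumption: they mirror the diagnosis given in the thread).
HINTS = {"ERROR_ACCESS_DENIED": "agent account lacks rights on tmp/ or bookmarks/: fix folder ACLs or reinstall",
         "ERROR_FILE_NOT_FOUND": "temporary bookmark vanished from tmp/ before the move"}

# Only the "Could not move" line carries the error code; the following
# "Could not rename_ex()" line is a consequence of it and is skipped.
MOVE_RE = re.compile(r"^(?P<ts>\S+ \S+) ossec-agent: ERROR: Could not move "
                     r"\((?P<src>[^)]+)\) to \((?P<dst>[^)]+)\) which returned \((?P<code>\d+)\)$")

def parse_bookmark_errors(log_text):
    """Return one dict per failed bookmark move found in the log text."""
    events = []
    for line in log_text.splitlines():
        m = MOVE_RE.match(line)
        if not m:
            continue
        code = int(m.group("code"))
        reason = WIN_ERRORS.get(code, "UNKNOWN_%d" % code)
        events.append({"ts": m.group("ts"), "src": m.group("src"), "code": code,
                       "channel": m.group("dst").rpartition("/")[2],  # bookmarks/Security -> Security
                       "reason": reason, "hint": HINTS.get(reason, "no specific hint")})
    return events

def summarize(events):
    """Collapse repeated failures into counts per (channel, reason)."""
    return Counter((e["channel"], e["reason"]) for e in events)

def report(log_text):
    """One human-readable line per distinct (channel, reason), with its hint."""
    events = parse_bookmark_errors(log_text)
    hints = {e["reason"]: e["hint"] for e in events}
    return ["%s: %d failure(s), %s: %s" % (ch, n, reason, hints[reason])
            for (ch, reason), n in sorted(summarize(events).items())]
```

Run `report(open("ossec.log").read())` against a real agent log to get the per-channel summary instead of the constructed sample.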
