Hi Kumar,

The move error is not usual; the return code 5 refers to an access 
denial. So try to stop the agent, delete the file "C:\Program Files 
(x86)\ossec-agent\bookmarks\Security" and restart the agent.

Regarding the 2nd problem, it seems to be a connection problem between the 
agent and the manager. Since the agent "locks" the communication socket, no 
other component can send its message, and then it prints that error. Please 
review the manager IP address and look at the manager's log for any error 
referring to the Windows agent.

Hope it helps.
Best regards.

Victor.

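As an added example (not from the thread and not OSSEC code), a small Python triage of the agent log lines Kumar quotes below: it separates the bookmark move failures, translating the Win32 return code 5 into ERROR_ACCESS_DENIED as Victor's diagnosis does, from the mutex timeouts and select() failure that point at the agent-to-manager connection. The sample log is constructed from the quoted lines.

```python
import re
from collections import Counter

# Constructed sample modelled on the ossec.log lines quoted in the thread.
SAMPLE_LOG = """\
2016/09/06 07:04:43 ossec-agent(1951): INFO: Analyzing event log: 'Security'.
2016/09/06 07:04:43 ossec-agent: INFO: Started (pid: 3572).
2016/09/06 07:04:59 ossec-agent: ERROR: Could not move (tmp/Security-a11968) to (bookmarks/Security) which returned (5)
2016/09/06 07:04:59 ossec-agent: ERROR: Could not rename_ex() temporary bookmark (tmp/Security-a11968) to (bookmarks/Security) for (Security)
2016/09/06 07:05:01 ossec-agent: ERROR: Could not move (tmp/Security-a20532) to (bookmarks/Security) which returned (5)
2016/09/06 11:51:46 ossec-agent: INFO: Trying to connect to server (XX.XX.XX.XX:XXXX).
2016/09/06 11:52:48 ossec-agent: Error waiting mutex (timeout).
2016/09/06 11:55:03 ossec-agent: Error waiting mutex (timeout).
2016/09/06 11:57:03 ossec-agent(1114): ERROR: Unable to select().
"""

# "<date> <time> <module>[(<msg id>)]: <message>"
LINE_RE = re.compile(r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) (\S+?)(?:\((\d+)\))?: (.*)$")
MOVE_RE = re.compile(r"Could not move \((\S+)\) to \((\S+)\) which returned \((\d+)\)")

# Win32 error codes worth naming in a triage; 5 is the one seen in the thread.
WIN32_ERRORS = {5: "ERROR_ACCESS_DENIED", 32: "ERROR_SHARING_VIOLATION"}


def triage(log_text):
    """Classify ossec.log lines into the two failure modes discussed in the
    thread and return a summary dict. The paired rename_ex() lines carry no
    extra information beyond the move error, so they are not counted twice."""
    summary = {"bookmark_move_failures": Counter(), "move_error_codes": Counter(),
               "mutex_timeouts": 0, "select_failures": 0, "unparsed": 0}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            summary["unparsed"] += 1
            continue
        _ts, _module, _msg_id, msg = m.groups()
        mv = MOVE_RE.search(msg)
        if mv:
            dst, code = mv.group(2), int(mv.group(3))
            summary["bookmark_move_failures"][dst] += 1
            summary["move_error_codes"][WIN32_ERRORS.get(code, "WIN32_%d" % code)] += 1
        elif "Error waiting mutex" in msg:
            summary["mutex_timeouts"] += 1
        elif "Unable to select()" in msg:
            summary["select_failures"] += 1
    return summary


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A non-empty `bookmark_move_failures` with `ERROR_ACCESS_DENIED` is the bookmark permission case; a rising `mutex_timeouts` count right after "Trying to connect to server" is the manager connectivity case.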

On Thursday, September 15, 2016 at 8:32:20 PM UTC+2, Kumar G wrote:
>
> Hi Jesus, 
>
> Apologies for the late reply. Was away from the OSSEC for a while. 
>
> The configuration for eventlog ID was implemented; however, I started 
> getting some new messages in ossec logs on the agent box. Do you 
> think these are normal?
>
>
> 2016/09/06 07:04:43 ossec-agent(1951): INFO: Analyzing event log: 
> 'Application'.
> 2016/09/06 07:04:43 ossec-agent(1951): INFO: Analyzing event log: 
> 'Security'.
> 2016/09/06 07:04:43 ossec-agent(1951): INFO: Analyzing event log: 
> 'Security'.
> 2016/09/06 07:04:43 ossec-agent(1951): INFO: Analyzing event log: 'System'.
> 2016/09/06 07:04:43 ossec-agent: INFO: Started (pid: 3572).
> 2016/09/06 07:04:45 ossec-agent: INFO: Lock free. Continuing...
> 2016/09/06 07:04:59 ossec-agent: ERROR: Could not move 
> (tmp/Security-a11968) to (bookmarks/Security) which returned (5)
> 2016/09/06 07:04:59 ossec-agent: ERROR: Could not rename_ex() temporary 
> bookmark (tmp/Security-a11968) to (bookmarks/Security) for (Security)
> 2016/09/06 07:05:01 ossec-agent: ERROR: Could not move 
> (tmp/Security-a20532) to (bookmarks/Security) which returned (5)
> 2016/09/06 07:05:01 ossec-agent: ERROR: Could not rename_ex() temporary 
> bookmark (tmp/Security-a20532) to (bookmarks/Security) for (Security)
> 2016/09/06 07:05:21 ossec-agent: ERROR: Could not move 
> (tmp/Security-a14540) to (bookmarks/Security) which returned (5)
> 2016/09/06 07:05:21 ossec-agent: ERROR: Could not rename_ex() temporary 
> bookmark (tmp/Security-a14540) to (bookmarks/Security) for (Security)
> 2016/09/06 07:05:35 ossec-agent: INFO: Starting syscheck scan (forwarding 
> database).
> 2016/09/06 07:05:35 ossec-agent: INFO: Starting syscheck database 
> (pre-scan).
> 2016/09/06 07:05:37 ossec-agent: INFO: Initializing real time file 
> monitoring (not started).
> 2016/09/06 07:05:37 ossec-agent: INFO: Real time file monitoring started.
> 2016/09/06 07:05:37 ossec-agent: INFO: Finished creating syscheck database 
> (pre-scan completed).
> 2016/09/06 07:05:47 ossec-agent: INFO: Ending syscheck scan (forwarding 
> database).
> 2016/09/06 07:05:59 ossec-agent: ERROR: Could not move 
> (tmp/Security-a20532) to (bookmarks/Security) which returned (5)
> 2016/09/06 07:05:59 ossec-agent: ERROR: Could not rename_ex() temporary 
> bookmark (tmp/Security-a20532) to (bookmarks/Security) for (Security)
> 2016/09/06 07:05:59 ossec-agent: ERROR: Could not move 
> (tmp/Security-a14540) to (bookmarks/Security) which returned (5)
> 2016/09/06 07:05:59 ossec-agent: ERROR: Could not rename_ex() temporary 
> bookmark (tmp/Security-a14540) to (bookmarks/Security) for (Security)
> 2016/09/06 07:06:07 ossec-agent: ERROR: Could not move 
> (tmp/Security-a14540) to (bookmarks/Security) which returned (5)
> 2016/09/06 07:06:07 ossec-agent: ERROR: Could not rename_ex() temporary 
> bookmark (tmp/Security-a14540) to (bookmarks/Security) for (Security)
> 2016/09/06 07:06:37 ossec-agent: ERROR: Could not move 
> (tmp/Security-a20532) to (bookmarks/Security) which returned (5)
> 2016/09/06 07:06:37 ossec-agent: ERROR: Could not rename_ex() temporary 
> bookmark (tmp/Security-a20532) to (bookmarks/Security) for (Security)
> 2016/09/06 07:06:55 ossec-agent: ERROR: Could not move 
> (tmp/Security-a20532) to (bookmarks/Security) which returned (5)
> 2016/09/06 07:06:55 ossec-agent: ERROR: Could not rename_ex() temporary 
> bookmark (tmp/Security-a20532) to (bookmarks/Security) for (Security)
> 2016/09/06 07:07:15 ossec-agent: ERROR: Could not move 
> (tmp/Security-a20532) to (bookmarks/Security) which returned (5)
> 2016/09/06 07:07:15 ossec-agent: ERROR: Could not rename_ex() temporary 
> bookmark (tmp/Security-a20532) to (bookmarks/Security) for (Security)
> 2016/09/06 07:07:27 ossec-agent: ERROR: Could not move 
> (tmp/Security-a20532) to (bookmarks/Security) which returned (5)
>
>
> This is another set of logs I see in the ossec.log file. "Error waiting 
> mutex (timeout)"
> 2016/09/06 11:51:46 ossec-agent: INFO: Trying to connect to server 
> (XX.XX.XX.XX:XXXX).
> 2016/09/06 11:51:46 ossec-agent: INFO: Using IPv4 for: XX.XX.XX.XX .
> 2016/09/06 11:52:48 ossec-agent: Error waiting mutex (timeout).
> 2016/09/06 11:55:03 ossec-agent: Error waiting mutex (timeout).
> 2016/09/06 11:56:35 ossec-agent: Error waiting mutex (timeout).
> 2016/09/06 11:57:03 ossec-agent(1114): ERROR: Unable to select().
>
> Regards
> Kumar
>
> On 22 August 2016 at 14:20, Jesus Linares <je...@wazuh.com> 
> wrote:
>
>> Hi Kumar,
>>
>> I think you can use other operators in the query (=, !=, <, >), so it 
>> could be useful for you to define an interval:
>> <query>Event/System[EventID>xxxx and EventID<yyyy]</query>
>>
>> Anyway, I don't think that a query with "35 EventID" affects the 
>> performance, but I have never tried it.
>>
>> Also, you must define the *<localfile> setting* in the ossec.conf of 
>> each agent or use */var/ossec/shared/agent.conf* in case you want to 
>> configure your agents from the manager. This way, only the events that you 
>> need will be sent to the Manager.
>>
>> Regards.
>>
>>
>> On Friday, August 19, 2016 at 11:40:42 PM UTC+2, Kumar G wrote:
>>>
>>> Hi Team, 
>>>
>>>
>>> Need your help on this. 
>>>
>>> We have a couple of Windows Active Directory machines on which we need 
>>> to enable the event logs for Application/System/Security. There are more 
>>> than a million events which are expected from these eventlogs. Was looking 
>>> in old posts and could see utilizing the eventchannel log format and 
>>> querying the EventID.
>>>
>>>
>>> <localfile>
>>>   <location>Security</location>
>>>   <log_format>eventchannel</log_format>
>>>   <query>Event/System[EventID=5140 or EventID=5144]</query>
>>> </localfile>
>>>
>>> We have about 35 event IDs which need to be monitored per log. Is it 
>>> advisable to query all the 35 event IDs using the eventchannel query method? Will 
>>> this method impact the system performance? Is there any alternative to 
>>> limit the events at agent level? By doing this we can stop the unnecessary 
>>> events being processed by OSSEC.
>>>
>>>
>>> Thanks 
>>> Kumar
>>>
>>> -- 
>>
>> --- 
>> You received this message because you are subscribed to the Google Groups 
>> "ossec-list" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to ossec-list+...@googlegroups.com.
>> For more options, visit https://groups.google.com/d/optout.
>>
>
>
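Writing a `<query>` for the 35 IDs per log that Kumar asks about by hand is error-prone, so here is an added Python helper (not from the thread and not OSSEC code) that emits the predicate using only the `=`, `>` and `<` operators Jesus mentions, collapsing runs of consecutive IDs into the interval form he suggests. The ID list is a constructed sample, not Kumar's.

```python
# Constructed sample: a few dozen Security event IDs (not Kumar's actual list).
SECURITY_IDS = [
    4624, 4625, 4634, 4648, 4672, 4720, 4722, 4723, 4724, 4725, 4726,
    4728, 4732, 4756, 4767, 4768, 4769, 4771, 4776, 5140, 5144,
]


def id_ranges(ids):
    """Collapse IDs into (lo, hi) runs of consecutive values; sorted, duplicates dropped."""
    runs = []
    for i in sorted(set(ids)):
        if runs and i == runs[-1][1] + 1:
            runs[-1] = (runs[-1][0], i)
        else:
            runs.append((i, i))
    return runs


def build_query(ids, min_run=3):
    """Return the XPath predicate for <query>. Runs of at least min_run
    consecutive IDs become an interval written with strict > and < (so the
    bounds are lo-1 and hi+1); shorter runs stay as EventID=n terms.
    In XPath 'and' binds tighter than 'or', the parentheses are for readability."""
    if not ids:
        raise ValueError("at least one event ID is required")
    terms = []
    for lo, hi in id_ranges(ids):
        if hi - lo + 1 >= min_run:
            terms.append("(EventID>%d and EventID<%d)" % (lo - 1, hi + 1))
        else:
            terms.extend("EventID=%d" % i for i in range(lo, hi + 1))
    return "Event/System[%s]" % " or ".join(terms)


def localfile_block(location, ids):
    """Render the <localfile> stanza for one channel, in the form Kumar's post uses."""
    return (
        "<localfile>\n"
        "  <location>%s</location>\n"
        "  <log_format>eventchannel</log_format>\n"
        "  <query>%s</query>\n"
        "</localfile>" % (location, build_query(ids))
    )


if __name__ == "__main__":
    print(localfile_block("Security", SECURITY_IDS))
```

Inside an XML element a literal `<` is normally written `&lt;`; confirm on one test agent how your ossec.conf parser accepts the `<` in an interval before pushing the stanza out through agent.conf.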
