Can this be changed to use TCP instead of UDP? I have the same issue, but I don't think changing the default buffer size is a good idea.
On Monday, 10 July 2017 12:34:48 UTC+1, Victor Fernandez wrote:
>
> Hi Ricardo,
>
> in this case it's probable that the Windows agent is dropping UDP packets from the manager due to overflow. The default UDP buffer size in Linux is 212992 (208 KiB) but I think that in Windows it is only 8 KiB. OSSEC resizes the buffer to 6 KiB (the maximum message length) when the default size is less than 6 KiB.
>
> File ar.conf comes in the merged.mg. Try to send a very small shared file (remove every file in the manager's /var/ossec/etc/shared except ar.conf), restart the manager and then restart the agent.
>
> You may also try to increase the network buffer size in Windows. This may help you: http://smallvoid.com/article/winnt-winsock-buffer.html.
>
> Best regards.
>
> On Fri, Jul 7, 2017 at 10:08 AM, Ricardo Galossi <[email protected]> wrote:
>
>> Hi Victor,
>>
>> Thanks for your reply. I did everything you told me, but the error persists. I keep receiving many logs like the one below:
>>
>> ossec-agentd: Failed md5 for: shared/merged.mg -- deleting.
>>
>> A new thing that I realized is that the file ar.conf is not present in the Windows agent installation directory either. I tried to restart the agent remotely and saw it. After I enabled debug on the Windows agent I was able to see this log:
>>
>> ossec-agent: DEBUG: Sending keep alive: #!-Microsoft Windows Server 2012 Datacenter Edition (full) (Build 9200) - OSSEC HIDS v2.9.0 / e204e0200d4f36c5c80b071e2e1ef79b
>> x merged.mg
>>
>> The point is, this checksum is not the same as that of agent.conf or merged.mg on the OSSEC server.
>>
>> I kinda gave up on this and tried to do everything manually. I created a blank agent.conf within the C:\Program Files (x86)\ossec-agent\shared directory and restarted the agent; in the log file the error (ERROR: Error reading XML file 'shared/agent.conf': XMLERR: File 'shared/agent.conf' not found) isn't being shown anymore, but the agent.conf doesn't synchronize, it remains blank.
>>
>> I don't know what to do anymore. I reinstalled the agent and the server, tried different Windows installations and tried OSSEC 2.8.3, but the problem remains. The funny point is that it only happens on Windows agents; on Linux agents everything works perfectly.
>>
>> If I copy the content of agent.conf from the server to the Windows agent, everything works. But I don't know if it can bring me some problem in the future.
>>
>> On Monday, 3 July 2017 11:39:52 UTC-3, Victor Fernandez wrote:
>>>
>>> Hi,
>>>
>>> it is strange that the log indicates line 147 when it was not able to read it. Maybe the agent.conf file is not arriving at the agent or it is being discarded due to a checksum error.
>>>
>>> First, please remove file *merged.mg* from folder *shared* in the agent and the manager. Then enable the debugging log in order to know where the problem is.
>>>
>>> - On the manager:
>>>
>>>     /var/ossec/bin/ossec-control enable debug
>>>     /var/ossec/bin/ossec-control restart
>>>
>>> - On the agent, add this line to file *local_internal_options.conf*:
>>>
>>>     windows.debug=1
>>>
>>> and restart the agent. When it gets connected, the manager should log a message like:
>>>
>>>     ossec-remoted: Sending file 'merged.mg' to agent.
>>>
>>> and that file should appear immediately in the agent (folder *shared*). After a few seconds, when the file is completely delivered, it should be unmerged into every file that exists in the manager's shared folder.
>>>
>>> A common issue is that the file doesn't arrive properly (e.g. some packets were lost or corrupted); the file *merged.mg* will disappear suddenly and the Windows agent should log:
>>>
>>>     ossec-agent: Failed md5 for: merged.mg -- deleting.
>>>
>>> In this case, the manager will retry sending the file every 10 minutes.
>>>
>>> But as I mentioned before, an error message about reading a file that indicates a line different from 0 makes no sense. However, I hope this helps you.
>>>
>>> Best regards.
>>>
>>> On Mon, Jul 3, 2017 at 11:44 AM, Jesus Linares <[email protected]> wrote:
>>>
>>>> Hi
>>>>
>>>>> ossec-agent(1226): ERROR: Error reading XML file 'shared/agent.conf': XMLERR: File 'shared/agent.conf' not found. (line 147).
>>>>
>>>> What is in line 147?
>>>>
>>>> More information about the agent.conf and the process to synchronize it: https://documentation.wazuh.com/current/user-manual/reference/centralized-configuration.html
>>>>
>>>> I hope it helps.
>>>> Regards.
>>>>
>>>> On Sunday, July 2, 2017 at 3:30:07 AM UTC+2, Ricardo Galossi wrote:
>>>>>
>>>>> Hi guys,
>>>>>
>>>>> I'd like to ask for some help here.
>>>>>
>>>>> My Windows agents are not synchronizing shared/agent.conf; within the C:\Program Files (x86)\ossec-agent\shared directory there is no agent.conf even after restarting the Windows agent. My agent.conf follows below:
>>>>>
>>>>>     <agent_config>
>>>>>       <syscheck>
>>>>>         <directories realtime="yes" check_all="yes">C:\labtest</directories>
>>>>>       </syscheck>
>>>>>     </agent_config>
>>>>>
>>>>> In the agent log file I receive the following message:
>>>>>
>>>>>     ossec-agent(1226): ERROR: Error reading XML file 'shared/agent.conf': XMLERR: File 'shared/agent.conf' not found. (line 147).
>>>>>
>>>>> If I create the file agent.conf manually the configuration works (which proves that the configuration is ok), but it also doesn't synchronize if I try to change it.
>>>>>
>>>>> Am I making some mistake? Please, help me!!
>>>>>
>>>> --
>>>>
>>>> ---
>>>> You received this message because you are subscribed to the Google Groups "ossec-list" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>>>> For more options, visit https://groups.google.com/d/optout.
>>>>
>>>
>>> --
>>> Victor M. Fernandez-Castro
>>> IT Security Engineer
>>> Wazuh Inc.
>>>
>
> --
> Victor M. Fernandez-Castro
> IT Security Engineer
> Wazuh Inc.
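As an added example, not code from the thread or from OSSEC/Wazuh: a small Python checker that extracts the merged.mg MD5 an agent advertises in its keep-alive (the debug line quoted above), compares it with the MD5 of the manager's merged.mg, and counts the "Failed md5 for: ... -- deleting" lines that mark a discarded delivery. The log layout, the regexes and the sample data are assumptions constructed from the lines quoted in the thread.

```python
import hashlib
import re
from typing import Optional

# Hypothetical helper, not OSSEC's own code. It checks whether the merged.mg
# checksum an agent advertises in its keep-alive matches the manager's copy,
# and counts how often the agent threw a delivery away after a failed MD5 check
# (the "Failed md5 for: ... -- deleting" lines seen above). Log layout assumed.

KEEPALIVE_RE = re.compile(r"Sending keep alive: .* / ([0-9a-f]{32}) merged\.mg")
FAILED_MD5_RE = re.compile(r"Failed md5 for: (?:shared/)?merged\.mg -- deleting")


def md5_hex(data: bytes) -> str:
    """MD5 of the manager's merged.mg contents, in the hex form the agent reports."""
    return hashlib.md5(data).hexdigest()


def agent_reported_md5(agent_log: str) -> Optional[str]:
    """Checksum from the most recent keep-alive line, or None if none was seen."""
    found = KEEPALIVE_RE.findall(agent_log)
    return found[-1] if found else None


def failed_deliveries(agent_log: str) -> int:
    """Number of merged.mg deliveries the agent discarded after an MD5 mismatch."""
    return len(FAILED_MD5_RE.findall(agent_log))


def sync_status(manager_merged_mg: bytes, agent_log: str) -> dict:
    """Summarise whether the agent holds the same merged.mg as the manager."""
    manager_md5 = md5_hex(manager_merged_mg)
    agent_md5 = agent_reported_md5(agent_log)
    return {
        "manager_md5": manager_md5,
        "agent_md5": agent_md5,
        "in_sync": agent_md5 == manager_md5,
        "failed_deliveries": failed_deliveries(agent_log),
    }


# Constructed sample data (not real files or logs). The agent advertises the
# MD5 of an empty merged.mg while the manager's copy carries an agent.conf.
MANAGER_MERGED_MG = b"<agent_config><syscheck></syscheck></agent_config>\n"
AGENT_LOG = """\
2017/07/07 10:00:01 ossec-agent: DEBUG: Sending keep alive: #!-Microsoft Windows Server 2012 Datacenter Edition (full) (Build 9200) - OSSEC HIDS v2.9.0 / d41d8cd98f00b204e9800998ecf8427e merged.mg
2017/07/07 10:00:05 ossec-agentd: Failed md5 for: shared/merged.mg -- deleting.
2017/07/07 10:10:06 ossec-agentd: Failed md5 for: shared/merged.mg -- deleting.
"""
```

Two "Failed md5" lines roughly ten minutes apart match the manager's retry interval described above; a mismatch that persists across retries points at the delivery path (UDP drops) rather than at the file contents.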
