Even for a 2.9.2 agent, the shared agent.conf file is not pushed. Here is part 
of its log file:
2018/01/21 02:02:06 INFO: Connected to 10.0.1.11 at address 10.0.1.11:1514, 
port 1514
2018/01/21 02:02:06 ossec-agent: Starting syscheckd thread.
2018/01/21 02:02:06 ossec-agent(1226): ERROR: Error reading XML file 
'shared/agent.conf': XMLERR: File 'shared/agent.conf' not found. (line 29).
2018/01/21 02:02:06 ossec-syscheckd(1702): INFO: No directory provided for 
syscheck to monitor.
2018/01/21 02:02:06 ossec-syscheckd: WARN: Syscheck disabled.
2018/01/21 02:02:06 ossec-agent(1226): ERROR: Error reading XML file 
'shared/agent.conf': XMLERR: File 'shared/agent.conf' not found. (line 29).
2018/01/21 02:02:06 ossec-rootcheck: INFO: Started (pid: 1968).
2018/01/21 02:02:06 ossec-syscheckd: INFO: Started (pid: 1968).
2018/01/21 02:02:16 ossec-agent: WARN: Process locked. Waiting for permission...
2018/01/21 02:02:16 ossec-agentd(4102): INFO: Connected to server 10.0.1.11, 
port 1514.
2018/01/21 02:02:16 ossec-agent: INFO: System is Vista or newer (Microsoft 
Windows Server 2012 Datacenter Edition (full)  (Build 9200) - OSSEC HIDS 
v2.9.2).
2018/01/21 02:02:16 ossec-logcollector: INFO: Started (pid: 1968).
2018/01/21 02:02:21 ossec-agent: INFO: Lock free. Continuing...
2018/01/21 02:03:32 rootcheck: INFO: Starting rootcheck scan.
2018/01/21 02:03:32 rootcheck: No winaudit file configured.
2018/01/21 02:03:32 rootcheck: No winmalware file configured.
2018/01/21 02:03:32 rootcheck: No winapps file configured.
2018/01/21 02:03:38 rootcheck: INFO: Ending rootcheck scan.
2018/01/21 04:12:21 ossec-agent: More than 600 seconds without server 
response...sending win32info
2018/01/21 05:30:25 ossec-agent: More than 600 seconds without server 
response...sending win32info
2018/01/21 08:15:10 ossec-agent: More than 600 seconds without server 
response...sending win32info
2018/01/21 09:33:13 ossec-agent: More than 600 seconds without server 
response...sending win32info
2018/01/21 11:41:59 ossec-agentd(1214): WARN: Problem receiving message from 
'10.0.1.11'.
2018/01/21 11:41:59 ossec-agentd(1214): WARN: Problem receiving message from 
'10.0.1.11'.
2018/01/21 11:41:59 ossec-agentd(1214): WARN: Problem receiving message from 
'10.0.1.11'.
2018/01/21 13:09:59 ossec-agent: More than 600 seconds without server 
response...sending win32info
2018/01/21 16:46:45 ossec-agent: More than 600 seconds without server 
response...sending win32info
2018/01/21 18:04:49 ossec-agent: More than 600 seconds without server 
response...sending win32info
2018/01/21 21:41:35 ossec-agent: More than 600 seconds without server 
response...sending win32info
2018/01/21 22:07:21 rootcheck: INFO: Starting rootcheck scan.
2018/01/21 22:07:21 rootcheck: No winaudit file configured.
2018/01/21 22:07:21 rootcheck: No winmalware file configured.
2018/01/21 22:07:21 rootcheck: No winapps file configured.
2018/01/21 22:07:26 rootcheck: INFO: Ending rootcheck scan.
2018/01/22 01:44:21 ossec-agent: More than 600 seconds without server 
response...sending win32info
2018/01/22 03:02:25 ossec-agent: More than 600 seconds without server 
response...sending win32info
2018/01/22 07:05:11 ossec-agent: More than 600 seconds without server 
response...sending win32info

Cordialement / Regards

Sylvain Crouet
Security Officer - Security is everybody’s responsibility
Mobile +33 (0) 7 75 24 10 28
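Added here as a worked example (not code from this thread or from OSSEC itself): Brett's <logall> tip produces an archives.log; this script tallies a captured slice of it per agent and per Windows EventID, so the agent flooding ossec-remoted and the IDs worth dropping can be found, and then emits the eventchannel <query> body in the same form as the <localfile> entries quoted further down the thread. The archives.log layout ("<date> (<agent>) <ip>-><location> <event>") and the "WinEvtLog: <channel>: <type>(<id>):" message prefix are assumed from typical OSSEC output; the sample lines, agent names and addresses are constructed.

```python
import re
from collections import Counter

# Constructed sample in the layout OSSEC's archives.log uses once
# <logall>true</logall> is on: "<date> (<agent>) <ip>-><location> <event>" for
# agent events and "<date> <host>-><location> <event>" for the server's own
# logs. Agent names, addresses and event bodies are made up (assumption).
SAMPLE_ARCHIVE = """\
2017 Dec 19 08:35:01 (win-dc01) 10.0.1.21->WinEvtLog WinEvtLog: Security: AUDIT_SUCCESS(4688): Microsoft-Windows-Security-Auditing: (no user): no domain: WIN-DC01: A new process has been created.
2017 Dec 19 08:35:01 (win-dc01) 10.0.1.21->WinEvtLog WinEvtLog: Security: AUDIT_SUCCESS(4688): Microsoft-Windows-Security-Auditing: (no user): no domain: WIN-DC01: A new process has been created.
2017 Dec 19 08:35:02 (win-dc01) 10.0.1.21->WinEvtLog WinEvtLog: Security: AUDIT_SUCCESS(4688): Microsoft-Windows-Security-Auditing: (no user): no domain: WIN-DC01: A new process has been created.
2017 Dec 19 08:35:02 (win-dc01) 10.0.1.21->WinEvtLog WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: (no user): no domain: WIN-DC01: An account was successfully logged on.
2017 Dec 19 08:35:03 (win-dc01) 10.0.1.21->WinEvtLog WinEvtLog: Application: INFORMATION(256): Software Protection Platform Service: (no user): no domain: WIN-DC01: Successfully scheduled.
2017 Dec 19 08:35:03 (win-app02) 10.0.1.22->WinEvtLog WinEvtLog: Security: AUDIT_SUCCESS(4688): Microsoft-Windows-Security-Auditing: (no user): no domain: WIN-APP02: A new process has been created.
2017 Dec 19 08:35:04 ossec-srv->/var/log/auth.log sshd[2112]: Accepted publickey for ops from 10.0.1.5 port 52114 ssh2
"""

# Source is either "(agent) ip" for a remote agent or a bare host name for
# the server itself; the location is whatever precedes the first space.
ARCHIVE_RE = re.compile(
    r"^\d{4} \w{3} \s?\d{1,2} \d{2}:\d{2}:\d{2} "
    r"(?:\((?P<agent>[^)]+)\) \S+|(?P<host>\S+))->(?P<location>\S+) (?P<msg>.*)$"
)
EVENT_RE = re.compile(r"WinEvtLog: (?P<channel>\w+): \w+\((?P<eid>\d+)\)")

def tally(lines):
    """Count events per source and per (source, channel, EventID)."""
    per_source, per_event = Counter(), Counter()
    for line in lines:
        m = ARCHIVE_RE.match(line)
        if not m:
            continue  # not an archives.log line; skip it
        src = m.group("agent") or m.group("host")
        per_source[src] += 1
        e = EVENT_RE.search(m.group("msg"))
        if e:
            per_event[(src, e.group("channel"), int(e.group("eid")))] += 1
    return per_source, per_event

def noisy_event_ids(per_event, agent, channel, min_share=0.5):
    """EventIDs making up at least min_share of one agent's channel volume."""
    chan = {eid: n for (a, c, eid), n in per_event.items() if a == agent and c == channel}
    total = sum(chan.values())
    return sorted(eid for eid, n in chan.items() if total and n / total >= min_share)

def drop_query(event_ids):
    """<query> body that drops the given IDs on the agent before they are sent."""
    return " and ".join(f"Event/System[EventID != {eid}]" for eid in sorted(event_ids))

if __name__ == "__main__":
    sources, events = tally(SAMPLE_ARCHIVE.splitlines())
    for src, n in sources.most_common():
        print(f"{src}: {n} events")
    print(drop_query(noisy_event_ids(events, "win-dc01", "Security")))
```

Run it against the real file with `tally(open("/var/ossec/logs/archives/archives.log"))` after a few minutes of logall, then turn logall off again as Brett suggests.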

-----Original Message-----
From: [email protected] [mailto:[email protected]] On 
Behalf Of Sylvain Crouet
Sent: Friday 22 December 2017 08:43
To: [email protected]
Subject: RE: [ossec-list] Re: ossec-remoted high CPU

Well, I will update all my 2.9.0 Windows agents to the last version.

Cordialement / Regards

Sylvain Crouet
Security Officer - Security is everybody’s responsibility
Mobile +33 (0) 7 75 24 10 28

-----Original Message-----
From: [email protected] [mailto:[email protected]] On 
Behalf Of dan (ddp)
Sent: Thursday 21 December 2017 13:57
To: [email protected]
Subject: Re: [ossec-list] Re: ossec-remoted high CPU

On Wed, Dec 20, 2017 at 4:48 AM, Sylvain Crouet <[email protected]> 
wrote:
> Hello,
>
>
>
> I updated the shared agent.conf file to discard some Windows events. 
> But I notice that Windows 2.9.0 agents do not receive this shared 
> configuration file, while 2.8.3 and 2.9.2 do. Below is the output of the 
> deployment checking script:
>

There were some issues with Windows transferring files (had to be in binary 
mode or something?). I can't remember offhand when it was fixed exactly.

> Current version: c0db7baf32df4a94479756bd6a8c2e63
>
> 001 v2.8.3/c0db7baf32df4a94479756bd6a8c2e63 OK
> 002 v2.8.3/c0db7baf32df4a94479756bd6a8c2e63 OK
> 003 v2.8.3/c0db7baf32df4a94479756bd6a8c2e63 OK
> 004 v2.8.3/c0db7baf32df4a94479756bd6a8c2e63 OK
> 005 v2.8.3/c0db7baf32df4a94479756bd6a8c2e63 OK
> 007 v2.8.3/c0db7baf32df4a94479756bd6a8c2e63 OK
> 008 v2.8.3/c0db7baf32df4a94479756bd6a8c2e63 OK
> 009 v2.8.3/c0db7baf32df4a94479756bd6a8c2e63 OK
> 010 v2.8.3/c0db7baf32df4a94479756bd6a8c2e63 OK
> 011 v2.8.3/c0db7baf32df4a94479756bd6a8c2e63 OK
> 012 v2.8.3/c0db7baf32df4a94479756bd6a8c2e63 OK
> 013 v2.8.3/c0db7baf32df4a94479756bd6a8c2e63 OK
> 014 v2.8.3/c0db7baf32df4a94479756bd6a8c2e63 OK
> 015 v2.8.3/c0db7baf32df4a94479756bd6a8c2e63 OK
> 016 v2.8.3/c0db7baf32df4a94479756bd6a8c2e63 OK
> 017 v2.8.3/c0db7baf32df4a94479756bd6a8c2e63 OK
> 018 v2.9.0/3757083ea8656e6141cafb893b55488b NOK
> 019 v2.9.0/3757083ea8656e6141cafb893b55488b NOK
> 022 v2.8.3/c0db7baf32df4a94479756bd6a8c2e63 OK
> 023 v2.8.3/c0db7baf32df4a94479756bd6a8c2e63 OK
> 024 v2.9.0 NOK
> 025 v2.9.0 NOK
>
> The OSSEC server version is 2.9.2.
>
> Any idea?
>
>
>
> Cordialement / Regards
>
>
>
> Sylvain Crouet
>
> Security Officer - Security is everybody’s responsibility
>
> Mobile +33 (0) 7 75 24 10 28
>
>
>
> From: [email protected] [mailto:[email protected]]
> On Behalf Of Sylvain Crouet
> Sent: Tuesday 19 December 2017 17:24
> To: [email protected]
> Subject: RE: [ossec-list] Re: ossec-remoted high CPU
>
>
>
> Done, very informative indeed. Thank you Brett.
>
>
>
> Cordialement / Regards
>
>
>
> Sylvain Crouet
>
> Security Officer - Security is everybody’s responsibility
>
> Mobile +33 (0) 7 75 24 10 28
>
>
>
> From: [email protected] [mailto:[email protected]]
> On Behalf Of Brett Simpson
> Sent: Tuesday 19 December 2017 14:42
> To: [email protected]
> Subject: Re: [ossec-list] Re: ossec-remoted high CPU
>
>
>
> Do <logall>true</logall> inside your global ossec.conf directive on 
> the ossec server. This will log everything to 
> /var/ossec/logs/archives/archives.log. I would do that for 5 minutes 
> then disable it and look through that archive to see what is showing up.
>
>
>
> On Tue, Dec 19, 2017 at 8:35 AM, Sylvain Crouet 
> <[email protected]> wrote:
>
> Hello,
>
>
>
> How can I identify the agent on which I should do that? I already 
> stopped the most verbose agents, and there is no change on CPU.
>
>
>
> Cordialement / Regards
>
>
>
> Sylvain Crouet
>
> Security Officer - Security is everybody’s responsibility
>
> Mobile +33 (0) 7 75 24 10 28
>
>
>
> From: [email protected] [mailto:[email protected]]
> On Behalf Of Brett Simpson
> Sent: Thursday 14 December 2017 18:38
> To: ossec-list <[email protected]>
> Subject: [ossec-list] Re: ossec-remoted high CPU
>
>
>
> I would suggest you turn on debug on one of the agents and see what 
> the agent is trying to send versus what the server actually keeps. I 
> had issues with a few event IDs generating thousands of events per 
> second that weren't even used by the ossec server so I used a line 
> like this on the agent to drop them without sending.
>
>
>
>   <localfile>
>     <location>Application</location>
>     <log_format>eventchannel</log_format>
>     <query>Event/System[EventID != 256] and Event/System[EventID != 258]</query>
>   </localfile>
>
>   <localfile>
>     <location>Security</location>
>     <log_format>eventchannel</log_format>
>     <query>Event/System[EventID != 4656] and Event/System[EventID != 4658] and Event/System[EventID != 4670] and Event/System[EventID != 4672] and Event/System[EventID != 4688] and Event/System[EventID != 4689] and Event/System[EventID != 4690] and Event/System[EventID != 5152] and Event/System[EventID != 5156] and Event/System[EventID != 5158] and Event/System[EventID != 5447]</query>
>   </localfile>
>
>   <localfile>
>     <location>System</location>
>     <log_format>eventchannel</log_format>
>     <query>Event/System[EventID!=7000]</query>
>   </localfile>
>
> On Tuesday, December 12, 2017 at 10:04:55 AM UTC-5, Sylvain Crouet wrote:
>
> Hello,
>
>
>
> One of my OSSEC servers has been constantly busy (100% CPU) for some days, with 
> ossec-remoted between 90% and 100% CPU. This server manages only about 65 
> agents. What can explain this high CPU utilization and how can I 
> solve it? I already restarted the OSSEC services and the whole server.
>
>
>
> Cordialement / Kind regards
>
>
>
> Sylvain Crouet
>
> Security Officer - Security is everybody’s responsibility
>
> Mobile +33 (0) 7 75 24 10 28
>
>
>
>
>
> Neocase™ Software is a leading provider of integrated HR and Finance 
> service delivery solutions.
>
> www.neocasesoftware.com
>
>
>
>
>
> --
>
> ---
> You received this message because you are subscribed to the Google 
> Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send 
> an email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
>
