ossec 2.3 still has problems with Windows servers


Peter M. Abraham

Dec 7, 2009, 2:24:33 PM
to ossec-list
Greetings:

After upgrading the ossec server and all agents, I'm still seeing the
following in /var/ossec/logs/ossec.log on the server end:

2009/12/07 13:55:51 ossec-remoted: Invalid message from 'abc.def.hij.klm' (strchr \n)
2009/12/07 14:04:14 ossec-remoted: Invalid message from 'abc.def.hij.klm' (strchr \n)
2009/12/07 14:04:14 ossec-remoted: Invalid message from 'abc.def.hij.klm' (strchr \n)
2009/12/07 14:04:14 ossec-remoted: Invalid message from 'abc.def.hij.klm' (strchr \n)
2009/12/07 14:04:14 ossec-remoted: Invalid message from 'abc.def.hij.klm' (strchr \n)

Where the IPs are from our Windows servers.

Thoughts?

Thank you.

Peter M. Abraham

Dec 10, 2009, 10:12:22 AM
to ossec-list
Bump

Daniel Cid

Dec 11, 2009, 9:48:31 AM
to ossec...@googlegroups.com
Hi Peter,

What is the version of these agents? This issue was fixed a while ago...
However, it shouldn't affect how OSSEC works, just some noise in the logs.

Btw, how many files do you have inside the shared directory for that agent?
And what is the output of agent_control -i for them?

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

Peter M. Abraham

Dec 11, 2009, 10:50:11 AM
to ossec-list
Greetings Daniel:

All of the agents and the server are on 2.3.

On the Windows server with the most errors, C:\Program Files\ossec-agent\shared
has five (5) files:

rootkit_files.txt
rootkit_trojans.txt
win_applications_rcl.txt
win_audit_rcl.txt
win_malware_rcl.txt

/var/ossec/bin/agent_control -i 008

OSSEC HIDS agent_control. Agent information:
Agent ID: 008
Agent Name: [machine name]
IP address: [public ip address]
Status: Active

Operating system: Microsoft Windows Server 2003 R2 Standard Edition Se..
Client version: (null)
Last keep alive: Fri Dec 11 10:48:15 2009

Syscheck last started at: Unknown
Rootcheck last started at: Unknown


Please let me know if you need anything else.

Thank you.

Peter M. Abraham

Dec 16, 2009, 3:03:37 PM
to ossec-list