wazuh can capture and alert NTFS permissions changes of a folder?


Daniel Hinojo

Feb 17, 2021, 9:54:01 PM
to Wazuh mailing list
Good evening dear, I would like to know if Wazuh can capture and alert on changes to the NTFS permissions of a particular folder, on either the Windows or Linux platform. Please help me if you can.

Santiago Bruno

Feb 18, 2021, 12:05:15 PM
to Wazuh mailing list
Hi Daniel,

What you can do is to enable object access auditing for that folder via Windows policy. That would generate an event with ID 4670 when the permissions of some file in the folder are changed. You can verify that through Windows Event Viewer.

Then you can ensure that the event is sent from the agent to the manager, and create a custom rule in the manager for alerting when the field "win.system.eventID" is 4670.

By default, EventID 4670 is not collected by the agent, so you need to change that in the agent's ossec.conf file by removing the exclusion of the event in the query of the Security eventchannel localfile section. For example, if your C:\Program Files (x86)\ossec-agent\ossec.conf file has a section like this one:

  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and
      EventID != 4656 and EventID != 4658 and EventID != 4663 and EventID != 4660 and
      EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907 and
      EventID != 5152 and EventID != 5157]</query>
  </localfile>

You should remove "EventID != 4670 and ", leading to a section like this one:

  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and
      EventID != 4656 and EventID != 4658 and EventID != 4663 and EventID != 4660 and
      EventID != 4690 and EventID != 4703 and EventID != 4907 and
      EventID != 5152 and EventID != 5157]</query>
  </localfile>

This article can guide you through the process: https://wazuh.com/blog/how-to-monitor-folder-access-on-windows/. It is very similar, but for event ID 4663.

You also mentioned getting these alerts from a Linux platform. That is a completely different approach and depends on how you access and modify the NTFS data from Linux. Auditing command execution as explained in this document could be the way to go: https://documentation.wazuh.com/current/learning-wazuh/audit-commands.html
But if you can provide more information about your Linux use case we can analyze what would be the best solution.

I hope this helps you. Let me know if you have further questions.

Regards,

Santiago.
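As an added example (not from this thread and not Wazuh's own code), the following Python helper reads the Security eventchannel query out of an agent ossec.conf, reports whether a given Event ID would pass the `EventID != N and ...` filter, and produces the corrected query with the 4670 exclusion removed while keeping every other exclusion. The conf fragment is constructed to mirror the default block quoted above; the function names are mine, and the use of `*` as the query when no exclusions remain is an assumption.

```python
"""Check, and correct, the Security eventchannel query in a Wazuh agent
ossec.conf so that Event ID 4670 ("Permissions on an object were changed")
reaches the manager instead of being filtered out on the agent."""
import re
import xml.etree.ElementTree as ET

# Constructed conf fragment mirroring the default Security block.
OSSEC_CONF = """<ossec_config>
  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and
      EventID != 4656 and EventID != 4658 and EventID != 4663 and EventID != 4660 and
      EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907 and
      EventID != 5152 and EventID != 5157]</query>
  </localfile>
</ossec_config>"""

EXCLUSION_RE = re.compile(r"EventID\s*!=\s*(\d+)")


def excluded_event_ids(query):
    """Event IDs the `EventID != N and ...` predicate filters out, in order."""
    return [int(n) for n in EXCLUSION_RE.findall(query)]


def is_collected(query, event_id):
    """True if an event with this ID passes the query and is forwarded."""
    return event_id not in excluded_event_ids(query)


def query_without(query, event_id):
    """Rebuild the predicate with one exclusion dropped. '*' (select every
    event) is used if nothing remains; that choice is an assumption."""
    remaining = [n for n in excluded_event_ids(query) if n != event_id]
    if not remaining:
        return "*"
    return "Event/System[" + " and ".join(f"EventID != {n}" for n in remaining) + "]"


def _security_localfiles(root):
    for lf in root.iter("localfile"):
        if (lf.findtext("location") == "Security"
                and lf.findtext("log_format") == "eventchannel"):
            yield lf


def security_query(conf_xml):
    """The <query> text of the Security eventchannel <localfile>, or None."""
    for lf in _security_localfiles(ET.fromstring(conf_xml)):
        return lf.findtext("query")
    return None


def enable_event_id(conf_xml, event_id):
    """Return the conf with event_id no longer excluded from the Security query."""
    root = ET.fromstring(conf_xml)
    for lf in _security_localfiles(root):
        q = lf.find("query")
        if q is not None and q.text:
            q.text = query_without(q.text, event_id)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    before = security_query(OSSEC_CONF)
    print("4670 collected before:", is_collected(before, 4670))
    fixed = enable_event_id(OSSEC_CONF, 4670)
    print("4670 collected after:", is_collected(security_query(fixed), 4670))
    print(fixed)
```

Two practical notes: a real ossec.conf often contains several top-level `<ossec_config>` blocks, which `xml.etree` will refuse to parse as one document, so split the file into blocks (or wrap it in a single root) before feeding it to `enable_event_id`; and collecting 4670 only gets the event to the manager, the alert itself still needs the custom rule on `win.system.eventID` 4670 that Santiago describes.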

Daniel Hinojo

Feb 23, 2021, 5:06:22 PM
to Wazuh mailing list
Thank you very much, Santiago, for your support. I would like to make another query: I can already see which folder's permissions changed, but I would like to know what type of permission was changed (Modify, Read, Write, or whether it was deleted). Is it possible to view that in Wazuh?

Santiago Bruno

Feb 25, 2021, 4:55:26 PM
to Daniel Hinojo, Wazuh mailing list
Hi Daniel,

Another way of getting events about permission changes is by using Wazuh's File Integrity Monitoring (FIM) module. Sorry for not mentioning it in the first place, since this way is more straightforward and will display the permissions changed as you requested. With the Windows Event 4670 you are getting now you also get that information in the data.win.eventdata.oldSd and data.win.eventdata.newSd fields, but those are Security Descriptors that are harder to interpret.

You can add a directories entry in the syscheck section of the agent's ossec.conf file (or through centralized configuration) specifying that FIM should monitor a folder in realtime. For example:

<syscheck>
  ...
  <directories realtime="yes">C:\some_folder</directories>
  ...
</syscheck>

When changing permissions on some file in that folder or its subfolders you should get an "Integrity checksum changed." event (rule.id 550), and you will get the permissions before and after the change in the event's syscheck.win_perm_before and syscheck.win_perm_after fields. For example:
[
  {
    "allowed": ["READ_CONTROL", "SYNCHRONIZE", "READ_DATA", "READ_EA", "EXECUTE", "READ_ATTRIBUTES"],
    "name": "Users",
    "denied": ["WRITE_DATA", "APPEND_DATA", "WRITE_EA", "WRITE_ATTRIBUTES"]
  },
  {
    "allowed": ["DELETE", "READ_CONTROL", "WRITE_DAC", "WRITE_OWNER", "SYNCHRONIZE", "READ_DATA", "WRITE_DATA", "APPEND_DATA", "READ_EA", "WRITE_EA", "EXECUTE", "READ_ATTRIBUTES", "WRITE_ATTRIBUTES"],
    "name": "SYSTEM"
  },
  {
    "allowed": ["DELETE", "READ_CONTROL", "WRITE_DAC", "WRITE_OWNER", "SYNCHRONIZE", "READ_DATA", "WRITE_DATA", "APPEND_DATA", "READ_EA", "WRITE_EA", "EXECUTE", "READ_ATTRIBUTES", "WRITE_ATTRIBUTES"],
    "name": "Administrators"
  }
]

I hope it helps.

Regards,

Santiago.

--
You received this message because you are subscribed to a topic in the Google Groups "Wazuh mailing list" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/wazuh/dP55RTgoiW0/unsubscribe.
To unsubscribe from this group and all its topics, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/d19fe0e6-2ecb-4b61-937c-369b35e9997bn%40googlegroups.com.

Daniel Hinojo

Feb 28, 2021, 3:40:43 PM
to Wazuh mailing list
Good afternoon, thanks for your support. I have been doing tests with what you indicated but I can't get it to capture any information. I configured the agent like this: <!-- File integrity monitoring --> <syscheck> <directories realtime="yes">D:\Data\New folder</directories> </syscheck> and, reviewing the agent's logs, the following appears:

2021/02/28 15:34:07 ossec-agent: INFO: (6003): Monitoring directory/file: 'd:\data\new folder', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | realtime'.
2021/02/28 15:34:07 ossec-agent: INFO: (6040): Maximum file size limit to generate diff information configured to '51200 KB' for 'd:\data\new folder'.
2021/02/28 15:34:07 ossec-agent: INFO: (6041): Maximum disk quota size limit configured to '1048576 KB'.
2021/02/28 15:34:07 ossec-agent: INFO: Started (pid: 3132).
2021/02/28 15:34:07 ossec-agent: INFO: (1951): Analyzing event log: 'Application'.
2021/02/28 15:34:07 ossec-agent: INFO: (1951): Analyzing event log: 'Security'.
2021/02/28 15:34:07 ossec-agent: INFO: (1951): Analyzing event log: 'System'.
2021/02/28 15:34:07 ossec-agent: INFO: (1950): Analyzing file: 'active-response\active-responses.log'.
2021/02/28 15:34:07 sca: INFO: Module started.
2021/02/28 15:34:07 wazuh-modulesd:syscollector: INFO: Module started.
2021/02/28 15:34:07 wazuh-modulesd:osquery: INFO: Module disabled. Exiting...
2021/02/28 15:34:07 wazuh-modulesd:ciscat: INFO: Module disabled. Exiting...
2021/02/28 15:34:07 sca: INFO: Loaded policy 'C:\Program Files (x86)\ossec-agent\ruleset\sca\sca_win_audit.yml'
2021/02/28 15:34:07 sca: INFO: Starting Security Configuration Assessment scan.
2021/02/28 15:34:07 ossec-agent: INFO: Started (pid: 3132).
2021/02/28 15:34:07 sca: INFO: Starting evaluation of policy: 'C:\Program Files (x86)\ossec-agent\ruleset\sca\sca_win_audit.yml'
2021/02/28 15:34:07 ossec-agent: INFO: (6000): Starting daemon...
2021/02/28 15:34:07 ossec-agent: INFO: (6010): File integrity monitoring scan frequency: 43200 seconds
2021/02/28 15:34:07 rootcheck: INFO: Starting rootcheck scan.
2021/02/28 15:34:07 ossec-agent: INFO: (6008): File integrity monitoring scan started.
2021/02/28 15:34:07 ossec-agent: INFO: (6009): File integrity monitoring scan ended.
2021/02/28 15:34:07 ossec-agent: INFO: (6012): Real-time file integrity monitoring started.
2021/02/28 15:34:08 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2021/02/28 15:34:10 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2021/02/28 15:34:10 sca: INFO: Evaluation finished for policy 'C:\Program Files (x86)\ossec-agent\ruleset\sca\sca_win_audit.yml'
2021/02/28 15:34:10 sca: INFO: Security Configuration Assessment scan finished. Duration: 0 seconds.
2021/02/28 15:34:12 rootcheck: INFO: Ending rootcheck scan. 

Santiago Bruno

Mar 2, 2021, 1:00:36 PM
to Daniel Hinojo, Wazuh mailing list
Hi Daniel,

What changes are you doing for generating the alerts? Are you changing the permissions of files saved in "d:\data\new folder" or the permissions of the folder itself?

If you actually need to monitor permission changes on the folder, FIM might not be the right module to use because it monitors files only.

So what's the objective you are trying to accomplish?


Regards,

Santiago.


Daniel Hinojo

Mar 4, 2021, 2:44:18 PM
to Wazuh mailing list
Hello, as I had indicated, what I want to obtain is which NTFS (security) permissions have been provided on the folders, sub-folders and files, of type read, write, modify, full, and also who changed it since the user was granted it. Excuse me.

Santiago Bruno

Mar 9, 2021, 9:31:58 AM
to Daniel Hinojo, Wazuh mailing list
Hi Daniel,

Summing up what we've discussed in this mail thread, what I can say is that you may use both Windows Event 4670 monitoring (as mentioned in my first response) and FIM (as mentioned in my second response) to cover your needs.

Using event monitoring you will get events for any change in the Security properties of any file or folder that belongs to a folder being audited. You mentioned you already got that working. In the events you will get who made the change in the data.win.eventdata.subjectUserName field, and you will get the security descriptor before and after the change in the data.win.eventdata.oldSd and data.win.eventdata.newSd fields.
Those fields do not display the permissions in a human-readable way, but there are tools around to convert them, such as the PowerShell ConvertFrom-SddlString cmdlet.
When using FIM, you will get events for permission changes in files belonging to some directory being monitored or files in its subfolders, but not for permission changes in folders. The permission change in this case will be displayed in a human-readable way in the syscheck.win_perm_before and syscheck.win_perm_after fields, and you will also get who performed the change in the syscheck.audit.user.name field if the monitored directory is configured to get who-data. For example, to monitor C:\testfolder that way, an entry like this should be added to the <syscheck> section of ossec.conf:

  <syscheck>
    ...
    <directories whodata="yes">C:\testfolder</directories>
    ...
  </syscheck>

The log you shared shows that FIM is correctly set to monitor d:\data\new folder, so you should be able to get events for permission changes made to files inside that folder, though if you also want to get who performed the change, realtime should be changed to whodata.

If that still does not work for you please let me know.
Regards,

Santiago.
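As an added example that is not part of this thread (and not Wazuh's code), the following Python decodes the SDDL strings carried in data.win.eventdata.oldSd and data.win.eventdata.newSd into the same per-trustee allowed/denied lists that FIM shows in syscheck.win_perm_before and syscheck.win_perm_after, then diffs them so a 4670 event reads like a FIM permission change and names who made it. The sample 4670 eventdata is constructed; the access-mask bits and two-letter SDDL tokens follow the Windows definitions, and expanding generic rights (GR/GW/GX/GA) into file-specific rights is an assumption that applies to file and folder objects.

```python
"""Decode the SDDL security descriptors carried by Windows Event 4670
(data.win.eventdata.oldSd / newSd in a Wazuh alert) into per-trustee
allowed/denied lists, the shape FIM reports in syscheck.win_perm_*, and
diff them to show what permission actually changed and for whom."""
import re

# File-object access-mask bits (winnt.h), labelled the way FIM names them.
FILE_RIGHTS = [
    (0x000001, "READ_DATA"), (0x000002, "WRITE_DATA"),
    (0x000004, "APPEND_DATA"), (0x000008, "READ_EA"),
    (0x000010, "WRITE_EA"), (0x000020, "EXECUTE"),
    (0x000040, "DELETE_CHILD"), (0x000080, "READ_ATTRIBUTES"),
    (0x000100, "WRITE_ATTRIBUTES"), (0x010000, "DELETE"),
    (0x020000, "READ_CONTROL"), (0x040000, "WRITE_DAC"),
    (0x080000, "WRITE_OWNER"), (0x100000, "SYNCHRONIZE"),
]
FILE_GENERIC_READ, FILE_GENERIC_WRITE = 0x120089, 0x120116
FILE_GENERIC_EXECUTE, FILE_ALL_ACCESS = 0x1200A0, 0x1F01FF

# Two-letter SDDL rights tokens -> access mask.
RIGHT_TOKENS = {
    "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
    "FA": FILE_ALL_ACCESS, "FR": FILE_GENERIC_READ,
    "FW": FILE_GENERIC_WRITE, "FX": FILE_GENERIC_EXECUTE,
    "RC": 0x20000, "SD": 0x10000, "WD": 0x40000, "WO": 0x80000,
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10,
    "WP": 0x20, "DT": 0x40, "LO": 0x80, "CR": 0x100,
}
# Assumed GENERIC_MAPPING for file objects: generic bit -> specific rights.
GENERIC_MAP = [(0x80000000, FILE_GENERIC_READ), (0x40000000, FILE_GENERIC_WRITE),
               (0x20000000, FILE_GENERIC_EXECUTE), (0x10000000, FILE_ALL_ACCESS)]
# Well-known SID aliases; any other SID string is passed through verbatim.
SID_ALIASES = {"BA": "Administrators", "BU": "Users", "SY": "SYSTEM",
               "AU": "Authenticated Users", "WD": "Everyone", "CO": "CREATOR OWNER"}


def parse_rights(token):
    """'FA', '0x1200a9' or 'RCSDWDWO' -> access mask with generic bits expanded."""
    if token.lower().startswith("0x"):
        mask = int(token, 16)
    else:
        mask = 0
        for i in range(0, len(token), 2):
            mask |= RIGHT_TOKENS[token[i:i + 2]]
    for generic, specific in GENERIC_MAP:
        if mask & generic:
            mask = (mask & ~generic) | specific
    return mask


def mask_to_names(mask):
    return [name for bit, name in FILE_RIGHTS if mask & bit]


def dacl_to_trustees(sddl):
    """{trustee: {"allowed": [...], "denied": [...]}} built from the D: section."""
    start = sddl.find("D:")
    if start < 0:
        return {}
    section = sddl[start + 2:]
    end = section.find("S:")          # a SACL may follow the DACL
    if end >= 0:
        section = section[:end]
    masks = {}
    for ace in re.findall(r"\(([^)]*)\)", section):
        fields = ace.split(";")       # type;flags;rights;obj_guid;inh_guid;sid
        ace_type, rights, sid = fields[0], fields[2], fields[5]
        if ace_type not in ("A", "D"):   # skip audit, object and conditional ACEs
            continue
        who = SID_ALIASES.get(sid, sid)
        entry = masks.setdefault(who, {"allowed": 0, "denied": 0})
        entry["allowed" if ace_type == "A" else "denied"] |= parse_rights(rights)
    return {who: {k: mask_to_names(v) for k, v in m.items()} for who, m in masks.items()}


def diff_descriptors(old_sddl, new_sddl):
    """Per-trustee rights added/removed between two descriptors."""
    old, new = dacl_to_trustees(old_sddl), dacl_to_trustees(new_sddl)
    empty = {"allowed": [], "denied": []}
    changes = {}
    for who in sorted(set(old) | set(new)):
        o, n = old.get(who, empty), new.get(who, empty)
        delta = {}
        for key in ("allowed", "denied"):
            added = [r for r in n[key] if r not in o[key]]
            removed = [r for r in o[key] if r not in n[key]]
            if added:
                delta[key + "_added"] = added
            if removed:
                delta[key + "_removed"] = removed
        if delta:
            changes[who] = delta
    return changes


def summarize_4670(eventdata):
    """Actor, object and decoded permission delta for one 4670 eventdata dict."""
    return {"by": eventdata["subjectUserName"],
            "object": eventdata["objectName"],
            "changes": diff_descriptors(eventdata["oldSd"], eventdata["newSd"])}


# Constructed sample: Users goes from read/execute (writes denied) to Full control.
SAMPLE_EVENTDATA = {
    "subjectUserName": "jdoe",
    "objectName": "D:\\Data\\New folder",
    "oldSd": "O:BAG:SYD:PAI(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)"
             "(A;OICI;0x1200a9;;;BU)(D;OICI;0x116;;;BU)",
    "newSd": "O:BAG:SYD:PAI(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;OICI;FA;;;BU)",
}

if __name__ == "__main__":
    import json
    print(json.dumps(summarize_4670(SAMPLE_EVENTDATA), indent=2))
```

Because the decoder keys trustees by the well-known alias (BU becomes "Users", SY becomes "SYSTEM"), its output lines up with the FIM JSON shown earlier in the thread, which makes it easy to write one alert-enrichment step that handles both sources; domain SIDs (S-1-5-21-...) are left as-is because resolving them needs a directory lookup the manager does not have.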

Daniel Hinojo

Mar 10, 2021, 6:50:44 PM
to Wazuh mailing list
It works only if I make the modification to a file. For example, I have a folder D:\Data\New folder; when I make permission changes on that empty folder it does not capture them, but if I have a file inside, for example D:\Data\New folder\test.txt, and I make the NTFS permissions change on the folder, Wazuh captures it, but only as a permission change on the file, not on the folder.

Daniel Hinojo

Mar 12, 2021, 5:36:56 PM
to Wazuh mailing list
Good afternoon, how are you? I activated the <syscheck> on a server, but now my agent stops every moment and indicates the following error. Please help me if you can.


2021/03/12 14:59:06 rootcheck: INFO: Started (pid: 6304).
2021/03/12 14:59:06 ossec-agent: INFO: Trying to connect to server (xxxxxx:1514/tcp).
2021/03/12 14:59:06 ossec-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\batfile', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2021/03/12 14:59:06 ossec-agent: INFO: (6356): Maximum file size limit to generate diff information configured to '51200 KB' for 'HKEY_LOCAL_MACHINE\Software\Classes\batfile'.
2021/03/12 14:59:06 ossec-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\cmdfile', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2021/03/12 14:59:06 ossec-agent: INFO: (6356): Maximum file size limit to generate diff information configured to '51200 KB' for 'HKEY_LOCAL_MACHINE\Software\Classes\cmdfile'.
2021/03/12 14:59:06 ossec-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\comfile', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2021/03/12 14:59:06 ossec-agent: INFO: (6356): Maximum file size limit to generate diff information configured to '51200 KB' for 'HKEY_LOCAL_MACHINE\Software\Classes\comfile'.
2021/03/12 14:59:06 ossec-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\exefile', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2021/03/12 14:59:06 ossec-agent: INFO: (6356): Maximum file size limit to generate diff information configured to '51200 KB' for 'HKEY_LOCAL_MACHINE\Software\Classes\exefile'.
2021/03/12 14:59:06 ossec-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\piffile', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2021/03/12 14:59:06 ossec-agent: INFO: (6356): Maximum file size limit to generate diff information configured to '51200 KB' for 'HKEY_LOCAL_MACHINE\Software\Classes\piffile'.
2021/03/12 14:59:06 ossec-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2021/03/12 14:59:06 ossec-agent: INFO: (6356): Maximum file size limit to generate diff information configured to '51200 KB' for 'HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects'.
2021/03/12 14:59:06 ossec-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\Directory', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2021/03/12 14:59:06 ossec-agent: INFO: (6356): Maximum file size limit to generate diff information configured to '51200 KB' for 'HKEY_LOCAL_MACHINE\Software\Classes\Directory'.
2021/03/12 14:59:06 ossec-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\Folder', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2021/03/12 14:59:06 ossec-agent: INFO: (6356): Maximum file size limit to generate diff information configured to '51200 KB' for 'HKEY_LOCAL_MACHINE\Software\Classes\Folder'.
2021/03/12 14:59:06 ossec-agent: INFO: (4102): Connected to the server (xxxxxx:1514/tcp).
2021/03/12 14:59:06 ossec-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\Protocols [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2021/03/12 14:59:06 ossec-agent: INFO: (6356): Maximum file size limit to generate diff information configured to '51200 KB' for 'HKEY_LOCAL_MACHINE\Software\Classes\Protocols'.
2021/03/12 14:59:06 ossec-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\Protocols', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2021/03/12 14:59:06 ossec-agent: INFO: (6356): Maximum file size limit to generate diff information configured to '51200 KB' for 'HKEY_LOCAL_MACHINE\Software\Classes\Protocols'.
2021/03/12 14:59:06 ossec-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Policies [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2021/03/12 14:59:06 ossec-agent: INFO: (6356): Maximum file size limit to generate diff information configured to '51200 KB' for 'HKEY_LOCAL_MACHINE\Software\Policies'.
2021/03/12 14:59:06 ossec-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Policies', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2021/03/12 14:59:06 ossec-agent: INFO: (6356): Maximum file size limit to generate diff information configured to '51200 KB' for 'HKEY_LOCAL_MACHINE\Software\Policies'.
2021/03/12 14:59:06 ossec-agent: INFO: Windows version is 6.0 or newer. (Microsoft Windows Server 2016 Standard [Ver: 10.0.14393] - Wazuh v4.1.1).
2021/03/12 14:59:06 ossec-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Security', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2021/03/12 14:59:06 wazuh-modulesd:agent-upgrade: INFO: (8153): Module Agent Upgrade started.
2021/03/12 14:59:06 ossec-agent: INFO: (6356): Maximum file size limit to generate diff information configured to '51200 KB' for 'HKEY_LOCAL_MACHINE\Security'.
2021/03/12 14:59:06 ossec-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2021/03/12 14:59:06 ossec-agent: INFO: (6356): Maximum file size limit to generate diff information configured to '51200 KB' for 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer'.
2021/03/12 14:59:06 ossec-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2021/03/12 14:59:06 ossec-agent: INFO: (6356): Maximum file size limit to generate diff information configured to '51200 KB' for 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer'.
2021/03/12 14:59:06 wazuh-modulesd:osquery: INFO: Module disabled. Exiting...
2021/03/12 14:59:06 wazuh-modulesd:syscollector: INFO: Module started.
2021/03/12 14:59:06 ossec-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2021/03/12 14:59:06 ossec-agent: INFO: (6356): Maximum file size limit to generate diff information configured to '51200 KB' for 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services'.
2021/03/12 14:59:06 ossec-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2021/03/12 14:59:06 ossec-agent: INFO: (6356): Maximum file size limit to generate diff information configured to '51200 KB' for 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs'.
2021/03/12 14:59:06 ossec-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2021/03/12 14:59:06 ossec-agent: INFO: (6356): Maximum file size limit to generate diff information configured to '51200 KB' for 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg'.
2021/03/12 14:59:06 ossec-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2021/03/12 14:59:06 ossec-agent: INFO: (6356): Maximum file size limit to generate diff information configured to '51200 KB' for 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run'.
2021/03/12 14:59:06 ossec-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2021/03/12 14:59:06 ossec-agent: INFO: (6356): Maximum file size limit to generate diff information configured to '51200 KB' for 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run'.
2021/03/12 14:59:06 ossec-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2021/03/12 14:59:06 ossec-agent: INFO: (6356): Maximum file size limit to generate diff information configured to '51200 KB' for 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce'.
2021/03/12 14:59:06 ossec-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2021/03/12 14:59:06 ossec-agent: INFO: (6356): Maximum file size limit to generate diff information configured to '51200 KB' for 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce'.
2021/03/12 14:59:06 ossec-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2021/03/12 14:59:06 ossec-agent: INFO: (6356): Maximum file size limit to generate diff information configured to '51200 KB' for 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx'.
2021/03/12 14:59:06 ossec-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2021/03/12 14:59:06 ossec-agent: INFO: (6356): Maximum file size limit to generate diff information configured to '51200 KB' for 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL'.
2021/03/12 14:59:06 ossec-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2021/03/12 14:59:06 ossec-agent: INFO: (6356): Maximum file size limit to generate diff information configured to '51200 KB' for 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL'.
2021/03/12 14:59:06 ossec-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2021/03/12 14:59:06 ossec-agent: INFO: (6356): Maximum file size limit to generate diff information configured to '51200 KB' for 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies'.
2021/03/12 14:59:06 ossec-agent: INFO: (1951): Analyzing event log: 'Application'.
2021/03/12 14:59:06 ossec-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2021/03/12 14:59:06 ossec-agent: INFO: (6356): Maximum file size limit to generate diff information configured to '51200 KB' for 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies'.
2021/03/12 14:59:06 ossec-agent: INFO: (1951): Analyzing event log: 'Security'.
2021/03/12 14:59:06 ossec-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2021/03/12 14:59:06 ossec-agent: INFO: (6356): Maximum file size limit to generate diff information configured to '51200 KB' for 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows'.
2021/03/12 14:59:06 ossec-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2021/03/12 14:59:06 ossec-agent: INFO: (6356): Maximum file size limit to generate diff information configured to '51200 KB' for 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows'.
2021/03/12 14:59:06 ossec-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2021/03/12 14:59:06 ossec-agent: INFO: (6356): Maximum file size limit to generate diff information configured to '51200 KB' for 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'.
2021/03/12 14:59:06 ossec-agent: INFO: (1951): Analyzing event log: 'System'.
2021/03/12 14:59:06 ossec-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2021/03/12 14:59:06 ossec-agent: INFO: (6356): Maximum file size limit to generate diff information configured to '51200 KB' for 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'.
2021/03/12 14:59:06 sca: INFO: Module started.
2021/03/12 14:59:06 wazuh-modulesd:ciscat: INFO: Module disabled. Exiting...
2021/03/12 14:59:06 ossec-agent: INFO: (1950): Analyzing file: 'active-response\active-responses.log'.
2021/03/12 14:59:06 ossec-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2021/03/12 14:59:06 ossec-agent: INFO: (6356): Maximum file size limit to generate diff information configured to '51200 KB' for 'HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components'.
2021/03/12 14:59:06 ossec-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2021/03/12 14:59:06 sca: INFO: Loaded policy 'C:\Program Files (x86)\ossec-agent\ruleset\sca\sca_win_audit.yml'
2021/03/12 14:59:06 ossec-agent: INFO: (6356): Maximum file size limit to generate diff information configured to '51200 KB' for 'HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components'.
2021/03/12 14:59:06 sca: INFO: Starting Security Configuration Assessment scan.
2021/03/12 14:59:06 ossec-agent: INFO: (6003): Monitoring path: 'c:\programdata\microsoft\windows\start menu\programs\startup', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | realtime'.
2021/03/12 14:59:06 ossec-agent: INFO: (6003): Monitoring path: 'c:\windows', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2021/03/12 14:59:06 ossec-agent: INFO: (6003): Monitoring path: 'c:\windows\sysnative', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2021/03/12 14:59:06 ossec-agent: INFO: (6003): Monitoring path: 'c:\windows\sysnative\drivers\etc', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2021/03/12 14:59:06 ossec-agent: INFO: (6003): Monitoring path: 'c:\windows\sysnative\wbem', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2021/03/12 14:59:06 ossec-agent: INFO: (6003): Monitoring path: 'c:\windows\sysnative\windowspowershell\v1.0', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2021/03/12 14:59:06 ossec-agent: INFO: (6003): Monitoring path: 'c:\windows\system32', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2021/03/12 14:59:06 ossec-agent: INFO: (6003): Monitoring path: 'c:\windows\system32\drivers\etc', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2021/03/12 14:59:06 ossec-agent: INFO: (6003): Monitoring path: 'c:\windows\system32\wbem', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2021/03/12 14:59:06 ossec-agent: INFO: (6003): Monitoring path: 'c:\windows\system32\windowspowershell\v1.0', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2021/03/12 14:59:06 ossec-agent: INFO: (6003): Monitoring path: 'd:\data\documentos', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | realtime'.
2021/03/12 14:59:06 ossec-agent: INFO: (6206): Ignore 'file' entry 'c:\programdata\microsoft\windows\start menu\programs\startup\desktop.ini'
2021/03/12 14:59:06 ossec-agent: INFO: (6207): Ignore 'file' sregex '.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$'
2021/03/12 14:59:06 ossec-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\Security\Policy\Secrets'
2021/03/12 14:59:06 ossec-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users'
2021/03/12 14:59:06 ossec-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs'
2021/03/12 14:59:06 ossec-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\DHCP'
2021/03/12 14:59:06 ossec-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\IPTLSIn'
2021/03/12 14:59:06 ossec-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\IPTLSOut'
2021/03/12 14:59:06 ossec-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\RPC-EPMap'
2021/03/12 14:59:06 ossec-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\Teredo'
2021/03/12 14:59:06 ossec-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PolicyAgent\Parameters\Cache'
2021/03/12 14:59:06 ossec-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx'
2021/03/12 14:59:06 ossec-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ADOVMPPackage\Final'
2021/03/12 14:59:06 ossec-agent: INFO: (6207): Ignore 'registry' sregex '\Enum$'
2021/03/12 14:59:06 ossec-agent: INFO: Started (pid: 6304).
2021/03/12 14:59:06 sca: INFO: Starting evaluation of policy: 'C:\Program Files (x86)\ossec-agent\ruleset\sca\sca_win_audit.yml'
2021/03/12 14:59:06 ossec-agent: INFO: Started (pid: 6304).
2021/03/12 14:59:06 rootcheck: INFO: Starting rootcheck scan.
2021/03/12 14:59:06 ossec-agent: INFO: (6000): Starting daemon...
2021/03/12 14:59:06 ossec-agent: INFO: (6010): File integrity monitoring scan frequency: 43200 seconds
2021/03/12 14:59:06 ossec-agent: INFO: (6008): File integrity monitoring scan started.
2021/03/12 14:59:07 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2021/03/12 14:59:09 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2021/03/12 14:59:09 sca: INFO: Evaluation finished for policy 'C:\Program Files (x86)\ossec-agent\ruleset\sca\sca_win_audit.yml'
2021/03/12 14:59:09 sca: INFO: Security Configuration Assessment scan finished. Duration: 3 seconds.
2021/03/12 14:59:11 rootcheck: INFO: Ending rootcheck scan.
2021/03/12 15:42:28 ossec-agent: ERROR: (6716): Could not open handle for 'd:\xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\xxxxxxxxxxx v4.xlsx'. Error code: 32
2021/03/12 15:42:28 ossec-agent: ERROR: (6716): Could not open handle for 'd:\xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\pxxxxxxxxx 2021 v2.pptx'. Error code: 32
2021/03/12 15:42:29 ossec-agent: ERROR: (6716): Could not open handle for 'd:\xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\~$xxxxxxxxxx 2021 v2.pptx'. Error code: 32
2021/03/12 15:42:29 ossec-agent: ERROR: (6716): Could not open handle for 'd:\xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\~$xxxxxxxxxxx v4.xlsx'. Error code: 32
2021/03/12 15:59:07 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2021/03/12 15:59:13 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2021/03/12 16:40:19 ossec-agent: ERROR: (6716): Could not open handle for 'd:\xxxxxxxxxx\12. tax 2020-12\xxxxx.xlsx'. Error code: 32
2021/03/12 16:40:21 ossec-agent: ERROR: (6716): Could not open handle for 'd:\xxxxxxxxxxxxxxxx\~$lxxxx.xlsx'. Error code: 32
2021/03/12 16:59:07 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2021/03/12 16:59:10 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2021/03/12 17:15:26 ossec-agent: ERROR: (6716): Could not open handle for 'd:\xxxxxx\01.xxxxxxx 2021.xlsx'. Error code: 32
2021/03/12 17:15:39 ossec-agent: ERROR: (6716): Could not open handle for 'd:\xxxxxx\07. xxxxxxx 2021.xlsx'. Error code: 32
2021/03/12 17:15:40 ossec-agent: ERROR: (6716): Could not open handle for 'd:\xxxxxx\~$07. xxxxxx 2021.xlsx'. Error code: 32
2021/03/12 17:15:46 ossec-agent: ERROR: (6716): Could not open handle for 'd:\xxxxxx\05. xxxxxx.xlsx'. Error code: 32
2021/03/12 17:15:46 ossec-agent: ERROR: (6716): Could not open handle for 'd:\xxxxxx\~$05. xxxxxxxx.xlsx'. Error code: 32
2021/03/12 17:15:49 ossec-agent: ERROR: (6716): Could not open handle for 'd:\xxxxxx\01.1 xxxxxxxxxxxxxxxxxxxxxxxxxx.xlsx'. Error code: 32
2021/03/12 17:15:50 ossec-agent: ERROR: (6716): Could not open handle for 'd:\xxxxxx\03.- xxxxxxxx.xlsx'. Error code: 32
2021/03/12 17:15:50 ossec-agent: ERROR: (6716): Could not open handle for 'd:\xxxxx\~$03.- xxxxxx.xlsx'. Error code: 32
2021/03/12 17:15:50 ossec-agent: ERROR: (6716): Could not open handle for 'd:\xxxxx\03.-xxxxxxxx.xlsx'. Error code: 32
2021/03/12 17:19:10 ossec-agent: ERROR: (6716): Could not open handle for 'd:\xxxxx\xxxxxxx.xlsx'. Error code: 32
2021/03/12 17:19:10 ossec-agent: ERROR: (6716): Could not open handle for 'd:\xxxxxx\~$3.- xxxxxx.xlsx'. Error code: 32
2021/03/12 17:19:25 ossec-agent: INFO: Received exit signal.
2021/03/12 17:19:25 ossec-agent: INFO: Exiting...
2021/03/12 17:19:25 ossec-agent: CRITICAL: At pthread_rwlock_wrlock(): Invalid argument
2021/03/12 17:19:25 ossec-agent: INFO: (1314): Shutdown received. Deleting responses.

Santiago Bruno

unread,
Mar 16, 2021, 9:17:29 AM3/16/21
to Wazuh mailing list
Hi Daniel,

Let me try to reproduce your use case in my lab; please tell me which Wazuh manager and Wazuh agent versions you are using.

If you are running a version below 4.1, it is recommended to upgrade to 4.1 or later (taking into account that the manager should always have a version equal to or greater than that of the agents). Many fixes were implemented in that version.

In order to analyze the root cause of the problem, it would help if the agent were set to debug mode.

That can be enabled by editing the agent's C:\Program Files (x86)\ossec-agent\local_internal_options.conf file and setting this value:

windows.debug=2

and restarting the agent.

If you are able to reproduce the problem with this setting enabled and get the logs, please send them to me so we can analyze the problem in more detail. After that, disable the debugging to avoid ossec.log growing too large, since windows.debug=2 is very verbose.

Sorry for the inconvenience.

Regards,

Santiago.

Daniel Hinojo

unread,
Mar 21, 2021, 3:34:04 PM3/21/21
to Wazuh mailing list
Hello Santiago, I enclose what you requested. From what I have reviewed, I see several errors with number 32 and several errors that indicate an entry could not be inserted into the DB: "The database is full, check your configuration." I have tried with a folder with fewer files, and there the agent does not stop, but when I set it to check from the root of a folder I get those errors. Please help me if you can. Thanks

2021/03/21 12:00:48 ossec-agent[5300] file_op.c:1279 at get_UTC_modification_time(): ERROR: (6716): Could not open handle for 'X:\XXXX\XXXXXX\XXXXX\XXXXX\ XXXXXXXX\5. XXXXXXXX XXXXXX\01.control de taxi sr 2021.xlsx'. Error code: 32
2021/03/21 12:00:48 ossec-agent[5300] fim_db_files.c:365 at fim_db_insert(): DEBUG: Couldn't insert 'X:\XXXX\XXXXXX\XXXXX\XXXXX\ XXXXXXXX\5. XXXXXXXX XXXXXX\01.control de taxi sr 2021.xlsx' entry into DB. The DB is full, please check your configuration.
2021/03/21 12:00:48 ossec-agent[5300] fim_db_files.c:365 at fim_db_insert(): DEBUG: Couldn't insert 'X:\XXXX\XXXXXX\XXXXX\XXXXX\ XXXXXXXX\5. XXXXXXXX XXXXXX\01.control de terceros 2021\01. control de registro manual terceros enero 2021.xlsx' entry into DB. The DB is full, please check your configuration.
2021/03/21 12:00:48 ossec-agent[5300] fim_db_files.c:365 at fim_db_insert(): DEBUG: Couldn't insert 'X:\XXXX\XXXXXX\XXXXX\XXXXX\ XXXXXXXX\5. XXXXXXXX XXXXXX\01.control de terceros 2021\08. control de registro manual terceros febrero 2021.xlsx' entry into DB. The DB is full, please check your configuration.
2021/03/21 12:00:48 ossec-agent[5300] fim_db_files.c:365 at fim_db_insert(): DEBUG: Couldn't insert 'X:\XXXX\XXXXXX\XXXXX\XXXXX\ XXXXXXXX\5. XXXXXXXX XXXXXX\ reporte de empresas que labora en sr 2021.xlsx' entry into DB. The DB is full, please check your configuration.
2021/03/21 12:00:48 ossec-agent[5300] fim_db_files.c:365 at fim_db_insert(): DEBUG: Couldn't insert 'X:\XXXX\XXXXXX\XXXXX\XXXXX\ XXXXXXXX\5. XXXXXXXX XXXXXX\garita 2021\01. control de entrega de epps sr 2021.xlsx' entry into DB. The DB is full, please check your configuration.
2021/03/21 12:00:48 ossec-agent[5300] fim_db_files.c:365 at fim_db_insert(): DEBUG: Couldn't insert 'X:\XXXX\XXXXXX\XXXXX\XXXXX\ XXXXXXXX\5. XXXXXXXX XXXXXX\garita 2021\ formato parada sr 2021.xlsx' entry into DB. The DB is full, please check your configuration.
2021/03/21 12:00:48 ossec-agent[5300] fim_db_files.c:365 at fim_db_insert(): DEBUG: Couldn't insert 'X:\XXXX\XXXXXX\XXXXX\XXXXX\ XXXXXXXX\5. XXXXXXXX XXXXXX\garita 2021\03. centro de costos 2021.xlsx' entry into DB. The DB is full, please check your configuration.
2021/03/21 12:00:48 ossec-agent[5300] fim_db_files.c:365 at fim_db_insert(): DEBUG: Couldn't insert 'X:\XXXX\XXXXXX\XXXXX\XXXXX\ XXXXXXXX\5. XXXXXXXX XXXXXX\garita 2021\04. cartas  fianza  sr 2021.xlsx' entry into DB. The DB is full, please check your configuration.
2021/03/21 12:00:48 ossec-agent[5300] fim_db_files.c:365 at fim_db_insert(): DEBUG: Couldn't insert 'X:\XXXX\XXXXXX\XXXXX\XXXXX\ XXXXXXXX\5. XXXXXXXX XXXXXX\garita 2021\05. llaves XXXXX sr  2021.xlsx' entry into DB. The DB is full, please check your configuration.
2021/03/21 12:00:48 ossec-agent[5300] fim_db_files.c:365 at fim_db_insert(): DEBUG: Couldn't insert 'X:\XXXX\XXXXXX\XXXXX\XXXXX\ XXXXXXXX\5. XXXXXXXX XXXXXX\03. control de correspondencia 2021.xlsx' entry into DB. The DB is full, please check your configuration.
2021/03/21 12:00:48 ossec-agent[5300] fim_db_files.c:365 at fim_db_insert(): DEBUG: Couldn't insert 'X:\XXXX\XXXXXX\XXXXX\XXXXX\ XXXXXXXX\5. XXXXXXXX gestion 2021\01. control de buses XXXXX sr 2021.xlsx' entry into DB. The DB is full, please check your configuration.
2021/03/21 12:00:48 ossec-agent[5300] file_op.c:1279 at get_UTC_modification_time(): ERROR: (6716): Could not open handle for 'X:\XXXX\XXXXXX\XXXXX\XXXXX\ XXXXXXXX\5. XXXXXXXX gestion 2021\03. reporte de buses personal XXXXX y terceros inhouse marzo 21.xlsx'. Error code: 32
2021/03/21 12:00:48 ossec-agent[5300] fim_db_files.c:365 at fim_db_insert(): DEBUG: Couldn't insert 'X:\XXXX\XXXXXX\XXXXX\XXXXX\ XXXXXXXX\5. XXXXXXXX gestion 2021\03. reporte de buses personal XXXXX y terceros inhouse marzo 21.xlsx' entry into DB. The DB is full, please check your configuration.
2021/03/21 12:00:48 ossec-agent[5300] fim_db_files.c:365 at fim_db_insert(): DEBUG: Couldn't insert 'X:\XXXX\XXXXXX\XXXXX\XXXXX\ XXXXXXXX\5. XXXXXXXX gestion 2021\04. formato de buses 2021.xlsx' entry into DB. The DB is full, please check your configuration.
2021/03/21 12:00:48 ossec-agent[5300] fim_db_files.c:365 at fim_db_insert(): DEBUG: Couldn't insert 'X:\XXXX\XXXXXX\XXXXX\XXXXX\ XXXXXXXX\5. XXXXXXXX gestion 2021\reporte de buses 2021\01. reporte de buses personal XXXXX y terceros inhouse enero2021 nuevo.xlsx' entry into DB. The DB is full, please check your configuration.
2021/03/21 12:00:48 ossec-agent[5300] fim_db_files.c:365 at fim_db_insert(): DEBUG: Couldn't insert 'X:\XXXX\XXXXXX\XXXXX\XXXXX\ XXXXXXXX\5. XXXXXXXX gestion 2021\reporte de buses 2021\ reporte de buses personal XXXXX y terceros inhouse enero 21.xlsx' entry into DB. The DB is full, please check your configuration.
2021/03/21 12:00:48 ossec-agent[5300] fim_db_files.c:365 at fim_db_insert(): DEBUG: Couldn't insert 'X:\XXXX\XXXXXX\XXXXX\XXXXX\ XXXXXXXX\5. XXXXXXXX gestion 2021\reporte de buses 2021\03. reporte de buses personal XXXXX y terceros inhouse febrero 21.xlsx' entry into DB. The DB is full, please check your configuration.
2021/03/21 12:00:48 ossec-agent[5300] fim_db_files.c:365 at fim_db_insert(): DEBUG: Couldn't insert 'X:\XXXX\XXXXXX\XXXXX\XXXXX\ XXXXXXXX\5. XXXXXXXX gestion 2021\~$01. reporte de buses personal XXXXX y terceros inhouse enero 21.xlsx' entry into DB. The DB is full, please check your configuration.
2021/03/21 12:00:48 ossec-agent[5300] fim_db_files.c:365 at fim_db_insert(): DEBUG: Couldn't insert 'X:\XXXX\XXXXXX\XXXXX\XXXXX\ XXXXXXXX\5. XXXXXXXX gestion 2021\~$ reporte de buses personal XXXXX y terceros inhouse enero 21 nuevo.xlsx' entry into DB. The DB is full, please check your configuration.
2021/03/21 12:00:48 ossec-agent[5300] fim_db_files.c:365 at fim_db_insert(): DEBUG: Couldn't insert 'X:\XXXX\XXXXXX\XXXXX\XXXXX\ XXXXXXXX\5. XXXXXXXX gestion 2021\~$ reporte de buses personal XXXXX y terceros inhouse febrero 21.xlsx' entry into DB. The DB is full, please check your configuration.
2021/03/21 12:00:48 ossec-agent[5300] fim_db_files.c:365 at fim_db_insert(): DEBUG: Couldn't insert 'X:\XXXX\XXXXXX\XXXXX\XXXXX\ XXXXXXXX\5. XXXXXXXX gestion 2021\~$03. reporte de buses personal XXXXX y terceros inhouse marzo 21.xlsx' entry into DB. The DB is full, please check your configuration.
2021/03/21 12:00:48 ossec-agent[5300] fim_db_files.c:365 at fim_db_insert(): DEBUG: Couldn't insert 'X:\XXXX\XXXXXX\XXXXX\XXXXX\ XXXXXXXX\5. XXXXXXXX XXXXXX\04. control de contrometros sr.xlsx' entry into DB. The DB is full, please check your configuration.
2021/03/21 12:10:32 ossec-agent[5300] fim_db_files.c:365 at fim_db_insert(): DEBUG: Couldn't insert 'X:\XXXX\XXXXXX\auditoria interna peru\01-XXXXXX\periodo 2014\ciclos auditados 2014_XXXXXX\XXXXXX - 185503354 - 25.pdf' entry into DB. The DB is full, please check your configuration.
2021/03/21 12:10:32 ossec-agent[5300] syscheck_op.c:885 at copy_ace_info(): DEBUG: No information could be extracted from the account linked to the SID. Error: 1332.
2021/03/21 12:10:32 ossec-agent[5300] fim_db_files.c:365 at fim_db_insert(): DEBUG: Couldn't insert 'X:\XXXX\XXXXXX\auditoria interna peru\01-XXXXXX\periodo 2014\ciclos auditados 2014_XXXXXX\XXXXXX - 185503354 - 27.pdf' entry into DB. The DB is full, please check your configuration.
2021/03/21 12:10:32 ossec-agent[5300] syscheck_op.c:885 at copy_ace_info(): DEBUG: No information could be extracted from the account linked to the SID. Error: 1332.
2021/03/21 12:10:32 ossec-agent[5300] fim_db_files.c:365 at fim_db_insert(): DEBUG: Couldn't insert 'X:\XXXX\XXXXXX\auditoria interna peru\01-XXXXXX\periodo 2014\ciclos auditados 2014_XXXXXX\XXXXXX - 185503354 - 28.pdf' entry into DB. The DB is full, please check your configuration.
2021/03/21 12:10:32 ossec-agent[5300] syscheck_op.c:885 at copy_ace_info(): DEBUG: No information could be extracted from the account linked to the SID. Error: 1332.
2021/03/21 12:10:32 ossec-agent[5300] read_syslog.c:134 at read_syslog(): DEBUG: Read 0 lines from active-response\active-responses.log
2021/03/21 12:10:32 ossec-agent[5300] notify.c:115 at run_notify(): DEBUG: Sending agent notification.
2021/03/21 12:10:32 ossec-agent[5300] notify.c:171 at run_notify(): DEBUG: Sending keep alive: #!-Microsoft Windows Server 2016 Standard [Ver: 10.0.14393] - Wazuh v4.1.1 / ab73af41699f13fdd81903b5f23d8d00
fd756ba04d9c32c8848d4608bec41251 merged.mg
#"_agent_ip":XXXXXX

2021/03/21 12:10:32 ossec-agent[5300] receiver-win.c:128 at receiver_thread(): DEBUG: Received message: '#!-agent ack '
2021/03/21 12:10:33 ossec-agent[5300] fim_db_files.c:365 at fim_db_insert(): DEBUG: Couldn't insert 'X:\XXXX\XXXXXX\auditoria interna peru\01-XXXXXX\periodo 2014\ciclos auditados 2014_XXXXXX\XXXXXX - 185503354 - 29.pdf' entry into DB. The DB is full, please check your configuration.
2021/03/21 12:10:33 ossec-agent[5300] syscheck_op.c:885 at copy_ace_info(): DEBUG: No information could be extracted from the account linked to the SID. Error: 1332.
2021/03/21 12:10:33 ossec-agent[5300] fim_db_files.c:365 at fim_db_insert(): DEBUG: Couldn't insert 'X:\XXXX\XXXXXX\auditoria interna peru\01-XXXXXX\periodo 2014\ciclos auditados 2014_XXXXXX\XXXXXX - 185503354 - 3.pdf' entry into DB. The DB is full, please check your configuration.
2021/03/21 12:10:33 ossec-agent[5300] syscheck_op.c:885 at copy_ace_info(): DEBUG: No information could be extracted from the account linked to the SID. Error: 1332.
2021/03/21 12:10:33 ossec-agent[5300] fim_db_files.c:365 at fim_db_insert(): DEBUG: Couldn't insert 'X:\XXXX\XXXXXX\auditoria interna peru\01-XXXXXX\periodo 2014\ciclos auditados 2014_XXXXXX\XXXXXX - 185503354 - 30.pdf' entry into DB. The DB is full, please check your configuration.
2021/03/21 12:10:33 ossec-agent[5300] syscheck_op.c:885 at copy_ace_info(): DEBUG: No information could be extracted from the account linked to the SID. Error: 1332.
2021/03/21 12:10:33 ossec-agent[5300] fim_db_files.c:365 at fim_db_insert(): DEBUG: Couldn't insert 'X:\XXXX\XXXXXX\auditoria interna peru\01-XXXXXX\periodo 2014\ciclos auditados 2014_XXXXXX\XXXXXX - 185503354 - 31.pdf' entry into DB. The DB is full, please check your configuration.
2021/03/21 12:10:33 ossec-agent[5300] syscheck_op.c:885 at copy_ace_info(): DEBUG: No information could be extracted from the account linked to the SID. Error: 1332.
2021/03/21 12:10:33 ossec-agent[5300] fim_db_files.c:365 at fim_db_insert(): DEBUG: Couldn't insert 'X:\XXXX\XXXXXX\auditoria interna peru\01-XXXXXX\periodo 2014\ciclos auditados 2014_XXXXXX\XXXXXX - 185503354 - 32.pdf' entry into DB. The DB is full, please check your configuration.
2021/03/21 12:10:33 ossec-agent[5300] syscheck_op.c:885 at copy_ace_info(): DEBUG: No information could be extracted from the account linked to the SID. Error: 1332.
2021/03/21 12:10:33 ossec-agent[5300] fim_db_files.c:365 at fim_db_insert(): DEBUG: Couldn't insert 'X:\XXXX\XXXXXX\auditoria interna peru\01-XXXXXX\periodo 2014\ciclos auditados 2014_XXXXXX\XXXXXX - 185503354 - 33.pdf' entry into DB. The DB is full, please check your configuration.
2021/03/21 12:10:33 ossec-agent[5300] syscheck_op.c:885 at copy_ace_info(): DEBUG: No information could be extracted from the account linked to the SID. Error: 1332.
2021/03/21 12:10:33 ossec-agent[5300] fim_db_files.c:365 at fim_db_insert(): DEBUG: Couldn't insert 'X:\XXXX\XXXXXX\auditoria interna peru\01-XXXXXX\periodo 2014\ciclos auditados 2014_XXXXXX\XXXXXX - 185503354 - 5.pdf' entry into DB. The DB is full, please check your configuration.
2021/03/21 12:10:33 ossec-agent[5300] syscheck_op.c:885 at copy_ace_info(): DEBUG: No information could be extracted from the account linked to the SID. Error: 1332.
2021/03/21 12:10:33 ossec-agent[5300] fim_db_files.c:365 at fim_db_insert(): DEBUG: Couldn't insert 'X:\XXXX\XXXXXX\auditoria interna peru\01-XXXXXX\periodo 2014\ciclos auditados 2014_XXXXXX\XXXXXX - 185503354 - 6.pdf' entry into DB. The DB is full, please check your configuration.
2021/03/21 12:10:33 ossec-agent[5300] syscheck_op.c:885 at copy_ace_info(): DEBUG: No information could be extracted from the account linked to the SID. Error: 1332.
2021/03/21 12:10:33 ossec-agent[5300] fim_db_files.c:365 at fim_db_insert(): DEBUG: Couldn't insert 'X:\XXXX\XXXXXX\auditoria interna peru\01-XXXXXX\periodo 2014\ciclos auditados 2014_XXXXXX\XXXXXX - 185503354 - 8.pdf' entry into DB. The DB is full, please check your configuration.
2021/03/21 12:10:33 ossec-agent[5300] syscheck_op.c:885 at copy_ace_info(): DEBUG: No information could be extracted from the account linked to the SID. Error: 1332.
2021/03/21 12:10:33 ossec-agent[5300] fim_db_files.c:365 at fim_db_insert(): DEBUG: Couldn't insert 'X:\XXXX\XXXXXX\auditoria interna peru\01-XXXXXX\periodo 2014\ciclos auditados 2014_XXXXXX\XXXXXX - 185503354 - 9.pdf' entry into DB. The DB is full, please check your configuration.
2021/03/21 12:10:33 ossec-agent[5300] syscheck_op.c:885 at copy_ace_info(): DEBUG: No information could be extracted from the account linked to the SID. Error: 1332.
2021/03/21 12:10:33 ossec-agent[5300] fim_db_files.c:365 at fim_db_insert(): DEBUG: Couldn't insert 'X:\XXXX\XXXXXX\auditoria interna peru\01-XXXXXX\periodo 2014\ciclos auditados 2014_XXXXXX\XXXXXX - 185503354.pdf' entry into DB. The DB is full, please check your configuration.
2021/03/21 12:10:33 ossec-agent[5300] syscheck_op.c:885 at copy_ace_info(): DEBUG: No information could be extracted from the account linked to the SID. Error: 1332.
2021/03/21 12:10:33 ossec-agent[5300] fim_db_files.c:365 at fim_db_insert(): DEBUG: Couldn't insert 'X:\XXXX\XXXXXX\auditoria interna peru\01-XXXXXX\periodo 2014\ciclos auditados 2014_XXXXXX\XXXXXX\muestra de doc -\otro\nueva carpeta\productos tissue - XX - 185503354 - 7.pdf' entry into DB. The DB is full, please check your configuration.
2021/03/21 12:10:33 ossec-agent[5300] syscheck_op.c:885 at copy_ace_info(): DEBUG: No information could be extracted from the account linked to the SID. Error: 1332.
2021/03/21 12:10:33 ossec-agent[5300] fim_db_files.c:365 at fim_db_insert(): DEBUG: Couldn't insert 'X:\XXXX\XXXXXX\auditoria interna peru\01-XXXXXX\periodo 2014\ciclos auditados 2014_XXXXXX\XXXXXX\muestra de doc -\otro\productos tissue - XX - 185503354 - 10.pdf' entry into DB. The DB is full, please check your configuration.
2021/03/21 12:10:33 ossec-agent[5300] syscheck_op.c:885 at copy_ace_info(): DEBUG: No information could be extracted from the account linked to the SID. Error: 1332.
2021/03/21 12:10:33 ossec-agent[5300] fim_db_files.c:365 at fim_db_insert(): DEBUG: Couldn't insert 'X:\XXXX\XXXXXX\auditoria interna peru\01-XXXXXX\periodo 2014\ciclos auditados 2014_XXXXXX\XXXXXX\muestra de doc -\otro\productos tissue - XX - 185503354 - 16.pdf' entry into DB. The DB is full, please check your configuration.
2021/03/21 12:10:33 ossec-agent[5300] syscheck_op.c:885 at copy_ace_info(): DEBUG: No information could be extracted from the account linked to the SID. Error: 1332.
2021/03/21 12:10:33 ossec-agent[5300] fim_db_files.c:365 at fim_db_insert(): DEBUG: Couldn't insert 'X:\XXXX\XXXXXX\auditoria interna peru\01-XXXXXX\periodo 2014\ciclos auditados 2014_XXXXXX\XXXXXX\muestra de doc -\otro\productos tissue - XX - 185503354 - 21.pdf' entry into DB. The DB is full, please check your configuration.
2021/03/21 12:10:33 ossec-agent[5300] syscheck_op.c:885 at copy_ace_info(): DEBUG: No information could be extracted from the account linked to the SID. Error: 1332.
2021/03/21 12:10:33 ossec-agent[5300] fim_db_files.c:365 at fim_db_insert(): DEBUG: Couldn't insert 'X:\XXXX\XXXXXX\auditoria interna peru\01-XXXXXX\periodo 2014\ciclos auditados 2014_XXXXXX\XXXXXX\muestra de doc -\otro\productos tissue - XX - 185503354 - 26 - copia.pdf' entry into DB. The DB is full, please check your configuration.
2021/03/21 12:10:33 ossec-agent[5300] syscheck_op.c:885 at copy_ace_info(): DEBUG: No information could be extracted from the account linked to the SID. Error: 1332.
2021/03/21 12:10:33 ossec-agent[5300] fim_db_files.c:365 at fim_db_insert(): DEBUG: Couldn't insert 'X:\XXXX\XXXXXX\auditoria interna peru\01-XXXXXX\periodo 2014\ciclos auditados 2014_XXXXXX\XXXXXX\muestra de doc -\otro\productos tissue - XX - 185503354 - 26.pdf' entry into DB. The DB is full, please check your configuration.
2021/03/21 12:10:33 ossec-agent[5300] syscheck_op.c:885 at copy_ace_info(): DEBUG: No information could be extracted from the account linked to the SID. Error: 1332.
2021/03/21 12:10:34 ossec-agent[5300] state.c:67 at write_state(): DEBUG: Updating state file.
2021/03/21 12:10:34 ossec-agent[5300] fim_db_files.c:365 at fim_db_insert(): DEBUG: Couldn't insert 'X:\XXXX\XXXXXX\auditoria interna peru\01-XXXXXX\periodo 2014\ciclos auditados 2014_XXXXXX\XXXXXX\muestra de doc -\otro\productos tissue - XX - 185503354 - 4.pdf' entry into DB. The DB is full, please check your configuration.
2021/03/21 12:10:34 ossec-agent[5300] syscheck_op.c:885 at copy_ace_info(): DEBUG: No information could be extracted from the account linked to the SID. Error: 1332.
2021/03/21 12:10:34 ossec-agent[5300] fim_db_files.c:365 at fim_db_insert(): DEBUG: Couldn't insert 'X:\XXXX\XXXXXX\auditoria interna peru\01-XXXXXX\periodo 2014\ciclos auditados 2014_XXXXXX\XXXXXX\muestra de doc -\otro\productos tissue - XX - 185503354 - 7.pdf' entry into DB. The DB is full, please check your configuration.
2021/03/21 12:10:34 ossec-agent[5300] syscheck_op.c:885 at copy_ace_info(): DEBUG: No information could be extracted from the account linked to the SID. Error: 1332.
2021/03/21 12:10:34 ossec-agent[5300] fim_db_files.c:365 at fim_db_insert(): DEBUG: Couldn't insert 'X:\XXXX\XXXXXX\auditoria interna peru\01-XXXXXX\periodo 2014\ciclos auditados 2014_XXXXXX\XXXXXX\muestra de doc -\otro\productos tissue - XX - 185503354 - 9.pdf' entry into DB. The DB is full, please check your configuration.
2021/03/21 12:10:34 ossec-agent[5300] syscheck_op.c:885 at copy_ace_info(): DEBUG: No information could be extracted from the account linked to the SID. Error: 1332.
2021/03/21 12:10:34 ossec-agent[5300] fim_db_files.c:365 at fim_db_insert(): DEBUG: Couldn't insert 'X:\XXXX\XXXXXX\auditoria interna peru\01-XXXXXX\periodo 2014\ciclos auditados 2014_XXXXXX\XXXXXX - XX - 185503354 - 10.pdf' entry into DB. The DB is full, please check your configuration.
2021/03/21 12:10:34 ossec-agent[5300] syscheck_op.c:885 at copy_ace_info(): DEBUG: No information could be extracted from the account linked to the SID. Error: 1332.
2021/03/21 12:10:34 ossec-agent[5300] fim_db_files.c:365 at fim_db_insert(): DEBUG: Couldn't insert 'X:\XXXX\XXXXXX\auditoria interna peru\01-XXXXXX\periodo 2014\ciclos auditados 2014_XXXXXX\XXXXXX - XX - 185503354 - 11.pdf' entry into DB. The DB is full, please check your configuration.
2021/03/21 12:10:34 ossec-agent[5300] syscheck_op.c:885 at copy_ace_info(): DEBUG: No information could be extracted from the account linked to the SID. Error: 1332.
2021/03/21 12:10:34 ossec-agent[5300] fim_db_files.c:365 at fim_db_insert(): DEBUG: Couldn't insert 'X:\XXXX\XXXXXX\auditoria interna peru\01-XXXXXX\periodo 2014\ciclos auditados 2014_XXXXXX\XXXXXX - XX - 185503354 - 12.pdf' entry into DB. The DB is full, please check your configuration.
2021/03/21 12:10:34 ossec-agent[5300] syscheck_op.c:885 at copy_ace_info(): DEBUG: No information could be extracted from the account linked to the SID. Error: 1332.
2021/03/21 12:10:34 ossec-agent[5300] fim_db_files.c:365 at fim_db_insert(): DEBUG: Couldn't insert 'X:\XXXX\XXXXXX\auditoria interna peru\01-XXXXXX\periodo 2014\ciclos auditados 2014_XXXXXX\XXXXXX - XX - 185503354 - 13.pdf' entry into DB. The DB is full, please check your configuration.
2021/03/21 12:10:34 ossec-agent[5300] syscheck_op.c:885 at copy_ace_info(): DEBUG: No information could be extracted from the account linked to the SID. Error: 1332.
2021/03/21 12:10:34 ossec-agent[5300] fim_db_files.c:365 at fim_db_insert(): DEBUG: Couldn't insert 'X:\XXXX\XXXXXX\auditoria interna peru\01-XXXXXX\periodo 2014\ciclos auditados 2014_XXXXXX\XXXXXX - XX - 185503354 - 14.pdf' entry into DB. The DB is full, please check your configuration.
2021/03/21 12:10:34 ossec-agent[5300] syscheck_op.c:885 at copy_ace_info(): DEBUG: No information could be extracted from the account linked to the SID. Error: 1332.
2021/03/21 12:10:34 ossec-agent[5300] fim_db_files.c:365 at fim_db_insert(): DEBUG: Couldn't insert 'X:\XXXX\XXXXXX\auditoria interna peru\01-XXXXXX\periodo 2014\ciclos auditados 2014_XXXXXX\XXXXXX - XX - 185503354 - 15.pdf' entry into DB. The DB is full, please check your configuration.
2021/03/21 12:10:34 ossec-agent[5300] syscheck_op.c:885 at copy_ace_info(): DEBUG: No information could be extracted from the account linked to the SID. Error: 1332.
2021/03/21 12:10:34 ossec-agent[5300] fim_db_files.c:365 at fim_db_insert(): DEBUG: Couldn't insert 'X:\XXXX\XXXXXX\auditoria interna peru\01-XXXXXX\periodo 2014\ciclos auditados 2014_XXXXXX\XXXXXX - XX - 185503354 - 16.pdf' entry into DB. The DB is full, please check your configuration.
2021/03/21 12:10:35 ossec-agent[5300] read_syslog.c:134 at read_syslog(): DEBUG: Read 0 lines from active-response\active-responses.log
2021/03/21 12:10:35 ossec-agent[5300] read_syslog.c:134 at read_syslog(): DEBUG: Read 0 lines from active-response\active-responses.log
2021/03/21 12:10:35 ossec-agent[5300] syscheck_op.c:885 at copy_ace_info(): DEBUG: No information could be extracted from the account linked to the SID. Error: 1332.
2021/03/21 12:10:35 ossec-agent[5300] fim_db_files.c:365 at fim_db_insert(): DEBUG: Couldn't insert 'X:\XXXX\XXXXXX\auditoria interna peru\01-XXXXXX\periodo 2014\ciclos auditados 2014_XXXXXX\XXXXXX - XX - 185503354 - 2.pdf' entry into DB. The DB is full, please check your configuration.
2021/03/21 12:10:35 ossec-agent[5300] syscheck_op.c:885 at copy_ace_info(): DEBUG: No information could be extracted from the account linked to the SID. Error: 1332.
2021/03/21 12:10:35 ossec-agent[5300] fim_db_files.c:365 at fim_db_insert(): DEBUG: Couldn't insert 'X:\XXXX\XXXXXX\auditoria interna peru\01-XXXXXX\periodo 2014\ciclos auditados 2014_XXXXXX\XXXXXX - XX - 185503354 - 20.pdf' entry into DB. The DB is full, please check your configuration.
2021/03/21 12:10:35 ossec-agent[5300] syscheck_op.c:885 at copy_ace_info(): DEBUG: No information could be extracted from the account linked to the SID. Error: 1332.
2021/03/21 12:10:35 ossec-agent[5300] fim_db_files.c:365 at fim_db_insert(): DEBUG: Couldn't insert 'X:\XXXX\XXXXXX\auditoria interna peru\01-XXXXXX\periodo 2014\ciclos auditados 2014_XXXXXX\XXXXXX - XX - 185503354 - 21.pdf' entry into DB. The DB is full, please check your configuration.
2021/03/21 12:10:35 ossec-agent[5300] syscheck_op.c:885 at copy_ace_info(): DEBUG: No information could be extracted from the account linked to the SID. Error: 1332.
2021/03/21 12:10:35 ossec-agent[5300] fim_db_files.c:365 at fim_db_insert(): DEBUG: Couldn't insert 'X:\XXXX\XXXXXX\auditoria interna peru\01-XXXXXX\periodo 2014\ciclos auditados 2014_XXXXXX\XXXXXX - XX - 185503354 - 25.pdf' entry into DB. The DB is full, please check your configuration.
2021/03/21 12:10:35 ossec-agent[5300] syscheck_op.c:885 at copy_ace_info(): DEBUG: No information could be extracted from the account linked to the SID. Error: 1332.
2021/03/21 12:10:35 ossec-agent[5300] fim_db_files.c:365 at fim_db_insert(): DEBUG: Couldn't insert 'X:\XXXX\XXXXXX\auditoria interna peru\01-XXXXXX\periodo 2014\ciclos auditados 2014_XXXXXX\XXXXXX - XX - 185503354 - 26.pdf' entry into DB. The DB is full, please check your configuration.
2021/03/21 12:10:35 ossec-agent[5300] syscheck_op.c:885 at copy_ace_info(): DEBUG: No information could be extracted from the account linked to the SID. Error: 1332.
2021/03/21 12:10:35 ossec-agent[5300] fim_db_files.c:365 at fim_db_insert(): DEBUG: Couldn't insert 'X:\XXXX\XXXXXX\auditoria interna peru\01-XXXXXX\periodo 2014\ciclos auditados 2014_XXXXXX\XXXXXX - XX - 185503354 - 28.pdf' entry into DB. The DB is full, please check your configuration.
2021/03/21 12:10:35 ossec-agent[5300] syscheck_op.c:885 at copy_ace_info(): DEBUG: No information could be extracted from the account linked to the SID. Error: 1332.
2021/03/21 12:10:35 ossec-agent[5300] fim_db_files.c:365 at fim_db_insert(): DEBUG: Couldn't insert 'X:\XXXX\XXXXXX\auditoria interna peru\01-XXXXXX\periodo 2014\ciclos auditados 2014_XXXXXX\XXXXXX - XX - 185503354 - 29.pdf' entry into DB. The DB is full, please check your configuration.
2021/03/21 12:10:35 ossec-agent[5300] syscheck_op.c:885 at copy_ace_info(): DEBUG: No information could be extracted from the account linked to the SID. Error: 1332.

Blason R

unread,
Mar 21, 2021, 11:01:16 PM3/21/21
to Santiago Bruno, Wazuh mailing list
That was good information. In fact, sometimes I feel a separate KB book should be released for such simple solutions. Good one!!

Santiago Bruno

unread,
Mar 22, 2021, 5:05:08 PM3/22/21
to Wazuh mailing list
Hi Daniel,

The error with code 32 was fixed in this issue #7869 and will be included in a future release of Wazuh, but that is not causing the agent to stop.

The other message about "The DB is full, please check your configuration" appears because the number of monitored files exceeds a limit set in the configuration file.
Please check your agent configuration file where you should have a file_limit section in your sysconfig section. It may look like this:

<file_limit>
    <enabled>yes</enabled>
    <entries>100000</entries>
</file_limit>

To avoid that, you may either change the enabled value to no or increase the number of entries.

If you can make that change, keep the agent in debug mode and restart the service, then you may be able to reproduce the problem and find the line containing "At pthread_rwlock_wrlock(): Invalid argument" as in the previous error. That log will be useful for identifying the cause.

Thanks,

Santiago
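As an added example (not Wazuh's own code), a small Python check that reads the file_limit block from an agent ossec.conf and counts what a monitored tree would put into the FIM database before the agent ever reports "The DB is full". It assumes the Wazuh default of enabled with 100000 entries when the block is absent, and that every file or subdirectory costs one database entry; the configuration fragment and the directory tree it scans are constructed for the demonstration.

```python
"""Added example (not Wazuh project code): check whether the syscheck
<file_limit> in an agent ossec.conf can hold the directories it monitors."""
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed ossec.conf fragment with the <file_limit> block discussed above.
SAMPLE_CONF = """<ossec_config>
  <syscheck>
    <file_limit>
      <enabled>yes</enabled>
      <entries>100000</entries>
    </file_limit>
  </syscheck>
</ossec_config>"""

def parse_file_limit(conf_xml):
    """Return (enabled, entries); absent block -> assumed Wazuh default (yes, 100000)."""
    block = ET.fromstring(conf_xml).find("./syscheck/file_limit")
    if block is None:
        return True, 100000
    enabled = block.findtext("enabled", "yes").strip().lower() == "yes"
    entries = int(block.findtext("entries", "100000").strip())
    return enabled, entries

def count_entries(directory):
    """Files plus subdirectories below a path; assumed one FIM DB row each."""
    total = 0
    for _root, dirs, files in os.walk(directory):
        total += len(dirs) + len(files)
    return total

def check_limit(conf_xml, directories):
    """Report whether the first scan would hit 'The DB is full' for these paths."""
    enabled, entries = parse_file_limit(conf_xml)
    monitored = sum(count_entries(d) for d in directories)
    return {"enabled": enabled, "entries": entries, "monitored": monitored,
            "would_fill": enabled and monitored > entries}

def make_sample_tree(n_files, n_dirs=0):
    """Build a constructed directory tree in a temp location for a dry run."""
    base = tempfile.mkdtemp(prefix="fim_demo_")
    for i in range(n_dirs):
        os.mkdir(os.path.join(base, "dir%d" % i))
    for i in range(n_files):
        with open(os.path.join(base, "f%d.txt" % i), "w") as fh:
            fh.write("x")
    return base
```

Run `check_limit(open("ossec.conf").read(), [r"X:\share"])` against the real agent configuration and the real monitored path to see the numbers before raising entries or disabling the limit.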

Daniel Hinojo

unread,
May 3, 2021, 2:03:52 PM5/3/21
to Wazuh mailing list
Good morning, dear. Sorry for the delay. I updated Wazuh to the latest version 4.1.5 but I still have the same problem: the agent stops. I attach the logs collected with the windows.debug = 2 setting.

Please, if you could help me.


Daniel Folch

unread,
May 5, 2021, 7:07:01 AM5/5/21
to Wazuh mailing list

Hello Daniel,

Sorry for the late response, from the log you sent I cannot see any problem with the agent related to the manager connection, as I can see the agent sending an acknowledgment to the manager every few seconds:

2021/05/03 11:56:52 ossec-agent[7384] notify.c:115 at run_notify(): DEBUG: Sending agent notification. 
2021/05/03 11:56:52 ossec-agent[7384] notify.c:171 at run_notify(): DEBUG: Sending keep alive: #!-Microsoft Windows Server 2016 Standard [Ver: 10.0.14393] - Wazuh v4.1.5 / ab73af41699f13fdd81903b5f23d8d00 
fd756ba04d9c32c8848d4608bec41251 merged.mg 
#"_agent_ip":10.16.2.3

And I cannot see any ERROR or CRITICAL messages that would cause the Wazuh agent to stop working.

Can you explain the problem in more detail? Is your agent going back and forth between Active and Disconnected state, or does it just never connect?

Can you check the manager logs for any message related to this agent, such as dropped messages or disconnections? Also, are you using UDP or TCP to connect the manager and the agent? If you are using UDP, maybe some ACK messages from the agent are getting lost due to FIM sending too many messages.

Recently we found this issue while running stress tests, where an agent stopped sending messages to the manager for some time.

Finally, I can see this error coming from syscheck:

2021/05/03 11:56:53 ossec-agent[7384] syscheck_op.c:885 at copy_ace_info(): DEBUG: No information could be extracted from the account linked to the SID. Error: 1332.

I have researched it and it seems that this error is caused by this other Windows error:

Error 1332: No mapping between account names and security IDs was done.

Regards,
Daniel Folch

Daniel Hinojo

unread,
May 5, 2021, 8:42:13 PM5/5/21
to Wazuh mailing list
Good night Daniel, let me explain my problem.

When the agent has been running for approximately 4 hours, the service stops; it goes from a running state to a stopped state after that time. I have noticed that this problem occurs when I configure it to monitor the integrity of my file server's root folder; when I use another folder with fewer subfolders and files it works normally and the agent does not stop. I currently have version 4.1.5 and it is monitored over TCP.

Daniel Folch

unread,
May 10, 2021, 4:14:42 AM5/10/21
to Wazuh mailing list

Hello Daniel,

I saw that in the log you shared the agent was not monitoring the root directory:

2021/05/03 09:55:58 ossec-agent[7384] syscheck.c:182 at Start_win32_Syscheck(): INFO: (6003): Monitoring path: 'x:\xxxx\xxxxx', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | realtime'.

Can you share the logs of an agent monitoring the root directory? Also, the manager logs around the time of the agent disconnection may help to shed light on this problem.

Recently we fixed this issue, which caused agents to stop working if a Windows registry entry containing the : character was being monitored.

Usually, monitoring the whole root directory is not recommended because both the scan and the DB sync can take too long.

Regards,
Daniel Folch
