Windows Agent Crash


Beau Poor

May 16, 2019, 2:37:16 PM
to Wazuh mailing list
On one of my servers that has the Windows Agent installed, running Windows Server 2012 R2 Datacenter, the agent keeps crashing.

The last error in the log file is:

ossec-agent: ERROR: Could not WideCharToMultiByte() when determining size which returned (1113)

Event viewer shows Application Error:

Faulting application name: ossec-agent.exe, version: 0.0.0.0, time stamp: 0x5ccace91
Faulting module name: msvcrt.dll, version: 7.0.9600.17415, time stamp: 0x54504b2e
Exception code: 0xc0000005
Fault offset: 0x00013056
Faulting process id: 0x2f64
Faulting application start time: 0x01d50c08cc627f75
Faulting application path: C:\Program Files (x86)\ossec-agent\ossec-agent.exe
Faulting module path: C:\Windows\SYSTEM32\msvcrt.dll
Report Id: a17ce160-7805-11e9-80f7-000d3a5dcaf8
Faulting package full name: 
Faulting package-relative application ID: 


Please let me know what other information is needed.

Borja Arroba

May 17, 2019, 4:59:00 AM
to Beau Poor, Wazuh mailing list

Hi Beau Poor,

Thank you very much for the report. We are investigating what may be the cause of the error. I’m going to open an issue in our GitHub repository. Could you give us some more information?

  • What version of Wazuh are you using?
  • Are you using some localfile with EventChannel or eventlog configuration?
    Like:
    <log_format>eventchannel</log_format>
    <log_format>eventlog</log_format>
    
  • Are you using Syscheck with the Whodata option?

Could you please send the configuration in case any of the above matches?

Thank you in advance.
Regards.


--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/62e54b84-da95-4e29-a3a0-6bf8a2a425f1%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Beau Poor

May 17, 2019, 8:46:40 AM
to Wazuh mailing list
Hello Borja, 

I installed the agent using wazuh-agent-3.9.0-1.msi installer for windows.

I have actually not modified the configuration, so it's using the default config. 

It looks like that has the following config for localfile:

  <localfile>
    <location>Application</location>
    <log_format>eventchannel</log_format>
  </localfile>

  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and
      EventID != 4656 and EventID != 4658 and EventID != 4663 and EventID != 4660 and
      EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907 and
      EventID != 5152 and EventID != 5157]</query>
  </localfile>

  <localfile>
    <location>System</location>
    <log_format>eventchannel</log_format>
  </localfile>

Borja Arroba

May 17, 2019, 8:59:33 AM
to Beau Poor, Wazuh mailing list
Hi Beau

I just opened this issue in relation to your report. You will soon be able to see in which version the fix will come out.


Thank you again for reporting the problem. We will work to resolve it as soon as possible.
Regards.



Beau Poor

May 17, 2019, 9:09:58 AM
to Wazuh mailing list
Thank you. I appreciate the help!
