INFO: Event count after '20000' Log Events.


John Matney

Oct 11, 2010, 12:00:26 PM
to ossec...@googlegroups.com
Greetings,

I am running an OSSEC 2.5 server with about 25-30 agents (Windows 2003 and
XP).

On one of our agents, a Windows 2003 file server I am seeing log entries
like this:

2010/10/09 22:02:29 ossec-agent: INFO: Starting rootcheck scan.
2010/10/09 22:02:35 ossec-agent: INFO: Ending rootcheck scan.
2010/10/09 22:02:35 ossec-agent: INFO: Starting syscheck scan.
2010/10/09 22:13:02 ossec-agent: WARN: Error opening directory: 'C:\WINDOWS/System32/tftp.exe': No such file or directory
2010/10/09 23:12:10 ossec-agent: INFO: Event count after '20000': 4750663->3692048 (77%)
2010/10/10 01:57:40 ossec-agent: INFO: Ending syscheck scan.
2010/10/10 22:02:40 ossec-agent: INFO: Starting rootcheck scan.
2010/10/10 22:02:45 ossec-agent: INFO: Ending rootcheck scan.
2010/10/10 22:02:45 ossec-agent: INFO: Starting syscheck scan.
2010/10/10 22:13:12 ossec-agent: WARN: Error opening directory: 'C:\WINDOWS/System32/tftp.exe': No such file or directory
2010/10/11 02:02:06 ossec-agent: INFO: Ending syscheck scan.

The agent's config file is based on the default one installed by ossec,
with 2 exceptions.

1. File integrity checking is scheduled to run at 10pm daily
2. A large directory tree of files/directories that we wish to monitor has
been added. The tree is about 109,000 files in 350 directories.

I wish to understand the following log entries:
ossec-agent: INFO: Event count after '20000': 4750663->3692048 (77%)

Searching the web and documentation I've found some information that
entries like this appear on Windows 2003 servers with Success Object
auditing turned on. We did have both success and failure auditing turned
on for the large directory tree, however, after disabling success auditing
we still get the messages.

I have a few questions.

1. What exactly do these entries mean? Does the message indicate that
OSSEC is unable to send all of the events to the OSSEC Server? Does it
give up? In the above example, what do the 4750663->3692048 numbers mean?
Can I trust the logs and file integrity data on the OSSEC server to be
complete if I get these messages?

2. If this situation is common to Windows 2003 servers with object access
auditing enabled, has anyone found a workaround configuration?

Thanks for all your help.

John Matney


dan (ddp)

Oct 11, 2010, 2:19:51 PM
to ossec...@googlegroups.com
The following email exchange leads me to believe the message is fine.
It appears to be a compression message, detailing the compression
ratio:
http://marc.info/?l=ossec-dev&m=124163900702657&w=2
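An added example, not code from either poster or from the OSSEC project: a small parser for the ossec-agent log excerpt quoted in the question, written from the reading given in the reply above that the `Event count after '20000'` line reports a compression ratio. It assumes (this is an interpretation, not something the thread confirms) that the two numbers are a size before and after compression and that the percentage is `after / before` rounded down; with the quoted values, 3692048 / 4750663 is 0.777, which matches the reported 77%. The parser separates these INFO ratio lines from WARN lines so an operator reviewing agent logs can check the ratio arithmetic and collect the warnings (such as the missing `tftp.exe` path) without reading every line. The sample input is constructed from the quoted excerpt, with the wrapped lines re-joined.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: the ossec-agent log excerpt from the question above,
# with the e-mail line wrapping removed.
SAMPLE_LOG = """\
2010/10/09 22:02:29 ossec-agent: INFO: Starting rootcheck scan.
2010/10/09 22:02:35 ossec-agent: INFO: Ending rootcheck scan.
2010/10/09 22:02:35 ossec-agent: INFO: Starting syscheck scan.
2010/10/09 22:13:02 ossec-agent: WARN: Error opening directory: 'C:\\WINDOWS/System32/tftp.exe': No such file or directory
2010/10/09 23:12:10 ossec-agent: INFO: Event count after '20000': 4750663->3692048 (77%)
2010/10/10 01:57:40 ossec-agent: INFO: Ending syscheck scan.
"""

# Generic ossec-agent line: "<date> <time> <process>: <LEVEL>: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<proc>\S+): (?P<level>[A-Z]+): (?P<msg>.*)$"
)

# The ratio line discussed in the thread. Field names reflect the assumption
# (not confirmed by the thread) that the numbers are sizes before/after compression.
EVENT_COUNT_RE = re.compile(
    r"Event count after '(?P<every>\d+)': "
    r"(?P<before>\d+)->(?P<after>\d+) \((?P<pct>\d+)%\)"
)


@dataclass
class CompressionStat:
    timestamp: str
    every: int          # assumed: events between two ratio reports ('20000')
    before: int         # assumed: size before compression
    after: int          # assumed: size after compression
    reported_pct: int   # the percentage printed by the agent

    def computed_pct(self) -> int:
        # Integer division reproduces the agent's rounded-down percentage.
        return self.after * 100 // self.before

    def consistent(self) -> bool:
        # True when our arithmetic agrees with what the agent printed.
        return self.computed_pct() == self.reported_pct


@dataclass
class Summary:
    compression: List[CompressionStat]
    warnings: List[str]   # full text of every WARN line
    unparsed: List[str]   # lines that did not match the expected layout


def parse_agent_log(text: str) -> Summary:
    """Split an ossec-agent log into ratio reports, warnings and leftovers."""
    summary = Summary(compression=[], warnings=[], unparsed=[])
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            summary.unparsed.append(line)
            continue
        level, msg = m.group("level"), m.group("msg")
        if level == "WARN":
            summary.warnings.append(line)
            continue
        ec = EVENT_COUNT_RE.search(msg)
        if ec is not None:
            summary.compression.append(CompressionStat(
                timestamp=m.group("ts"),
                every=int(ec.group("every")),
                before=int(ec.group("before")),
                after=int(ec.group("after")),
                reported_pct=int(ec.group("pct")),
            ))
    return summary


if __name__ == "__main__":
    result = parse_agent_log(SAMPLE_LOG)
    for stat in result.compression:
        print(f"{stat.timestamp}: {stat.before}->{stat.after} "
              f"reported {stat.reported_pct}%, computed {stat.computed_pct()}%, "
              f"consistent={stat.consistent()}")
    for w in result.warnings:
        print("WARN:", w)
```

Run against a real agent log (for example `ossec.log` under the agent's install directory), the `warnings` list is the part worth acting on: in the excerpt it points at a path the syscheck configuration references but the host does not have, which is a configuration issue rather than a transport problem, while a `consistent()` result of True on every ratio line confirms the numbers are just a size report.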