You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
-- Ralph Durkee
I removed the Security <localfile> from the client, and now I am receiving no security events instead of all security events, so that's a small step forward. I am seeing the following error in the ossec.log file:
2015/08/24 18:19:20 ossec-remoted(1405): ERROR: Message size not valid: ''.
2015/08/24 18:19:20 ossec-remoted(1217): ERROR: Error creating encrypted message.
2015/08/24 18:19:20 ossec-remoted(1217): ERROR: Error creating encrypted message.
2015/08/24 18:19:20 ossec-remoted: ERROR: Unable to send file 'merged.mg' to agent.
So I'm thinking that the server is unable to send the shared config back to the agent. Events from the agent are being received fine. The server platform is Ubuntu Server 14.04, with Windows 2008 on the agent side. I've removed shared/agent.conf and the message continues, so the problem isn't limited to the shared agent, but I would expect the lack of communication from the server to the agents to prevent the shared conf from working. I did a make clean and re-installed, thinking a mismatch in OpenSSL libraries might cause the problem, but no luck. Is there a debug option or a verbose logging option to get more details on the issue?
Compile options include: -DUSE_OPENSSL -DUSEINOTIFY
Thanks for the help!
<ossec_config>
  <!-- One entry for each file/Event log to monitor.
  <localfile>
    <location>Application</location>
    <log_format>eventchannel</log_format>
  </localfile>
  -->
  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID=4740]</query>
  </localfile>
  <localfile>
    <location>System</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[Level=2]</query>
  </localfile>
</ossec_config>
eventcreate /t error /id 100 /l system /d "Create event in application log"
2016 Nov 02 13:18:55 (win-testdc) 10.1.1.10->WinEvtLog 2016 Nov 02 13:19:24 WinEvtLog: System: ERROR(100): system: ADMIN: contoso: win-testdc.contoso.com: (no message)
<localfile>
  <location>Security</location>
  <log_format>eventchannel</log_format>
  <!-- A single event has exactly one EventID, so "and" between two EventID
       equalities can never be true; this subscription matches nothing. -->
  <query>Event/System[EventID=5140 and EventID=5144]</query>
</localfile>
<query>Event/System[EventID>xxxx and EventID<yyyy]</query>
<localfile>
  <location>Security</location>
  <log_format>eventlog</log_format>
  <query>Event/System[EventID = 4624 or EventID = 4625 or EventID = 4730 or EventID = 1102]</query>
</localfile>
<localfile>
<location>Security</location>
<log_format>eventchannel</log_format>
<query>Event/System[EventID = 4624 or EventID = 4625 or EventID = 4730 or EventID = 1102]</query>
</localfile>
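The three <localfile> variants above differ in ways that are easy to miss by eye: a <query> is only applied when log_format is eventchannel (the eventlog block silently forwards everything), and joining two EventID equalities with "and" can never match a single event. The following is an added example, not code from the thread or from OSSEC, of a small linter that parses such blocks with Python's standard xml.etree and reports both mistakes; the sample config is constructed from the snippets in this thread and wrapped in an <ossec_config> root, which is an assumption about how the real file is laid out.

```python
"""Lint OSSEC <localfile> blocks for common eventchannel query mistakes (added example)."""
import re
import xml.etree.ElementTree as ET

# Constructed sample: the <localfile> variants posted in this thread, wrapped in
# an <ossec_config> root so they parse as one document (assumed layout).
SAMPLE_CONFIG = """<ossec_config>
  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID=5140 and EventID=5144]</query>
  </localfile>
  <localfile>
    <location>Security</location>
    <log_format>eventlog</log_format>
    <query>Event/System[EventID = 4624 or EventID = 4625]</query>
  </localfile>
  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID = 4624 or EventID = 4625 or EventID = 4730 or EventID = 1102]</query>
  </localfile>
</ossec_config>"""

# Matches one "EventID = NNNN" equality (spaces around "=" optional).
EVENTID_EQ = re.compile(r"EventID\s*=\s*(\d+)")


def lint_localfile(localfile):
    """Return a list of (severity, message) findings for one <localfile> element."""
    findings = []
    location = (localfile.findtext("location") or "").strip()
    log_format = (localfile.findtext("log_format") or "").strip()
    query = (localfile.findtext("query") or "").strip()

    # A <query> only filters the eventchannel reader; with any other log_format
    # it is ignored and every event in the channel is forwarded.
    if query and log_format != "eventchannel":
        findings.append(("error", f"{location}: <query> is only honoured with "
                                  f"log_format eventchannel, not '{log_format}'; "
                                  f"the filter will be ignored"))

    if query:
        # Split the XPath on top-level "and". If two different clauses each pin
        # EventID to a single distinct value, no event can satisfy both.
        pinned = []
        for clause in re.split(r"\s+and\s+", query, flags=re.IGNORECASE):
            if re.search(r"\bor\b", clause, re.IGNORECASE):
                continue  # an or-alternative does not pin EventID to one value
            ids = set(EVENTID_EQ.findall(clause))
            if len(ids) == 1:
                pinned.append(ids.pop())
        if len(set(pinned)) > 1:
            findings.append(("error", f"{location}: query pins EventID to "
                                      f"{sorted(set(pinned))} joined by 'and'; an event "
                                      f"has one EventID, so this never matches (use 'or')"))
    elif log_format == "eventchannel" and location.lower() == "security":
        # Not wrong, but this is the "all security events" volume the original
        # poster was seeing before removing the block.
        findings.append(("info", f"{location}: no <query>, so every Security event is forwarded"))

    return findings


def lint_config(xml_text):
    """Parse a config document and return (localfile_index, severity, message) tuples."""
    root = ET.fromstring(xml_text)
    findings = []
    for index, localfile in enumerate(root.iter("localfile")):
        for severity, message in lint_localfile(localfile):
            findings.append((index, severity, message))
    return findings


if __name__ == "__main__":
    for index, severity, message in lint_config(SAMPLE_CONFIG):
        print(f"localfile[{index}] {severity.upper()}: {message}")
```

Run against the constructed sample it flags the first block (contradictory "and") and the second (query under eventlog) and passes the third, which is the corrected form shown above. The check is deliberately conservative: it only reports an "and" conflict when each clause pins EventID to exactly one value, so a query such as `Event/System[EventID=4624 and Level=2]` is left alone.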