Ossec-agent: More than 600 seconds without server response...sending win32info


Ameya Bhatkal

Aug 10, 2014, 10:03:44 PM
to ossec...@googlegroups.com
Hi Everyone,

I am running Ossec HIDS 2.8 on Server mode on Ubuntu 14.04

I have installed around 5-6 Ossec client agents with active response disabled on windows 7 machines.

My problem is that my ossec.log file which is present in the Ossec client machine is filled with the following error messages:

"Ossec-agent: More than 600 seconds without server response...sending win32info"

There is no firewall present between the Server and the agents. Every 3rd or 4th line of the ossec.log file contains the above error.

Could anyone help me out with this issue?

dan (ddp)

Aug 11, 2014, 12:49:30 PM
to ossec...@googlegroups.com
Do the agents connect? Anything in the manager's ossec.log? Is the
manager overloaded?


Ameya Bhatkal

Aug 14, 2014, 4:31:23 AM
to ossec...@googlegroups.com
Hi Dan,

The agents are connected. I don't think that the Server is overloaded since only 2 workstations are being monitored!

dan (ddp)

Aug 14, 2014, 9:27:01 AM
to ossec...@googlegroups.com
On Thu, Aug 14, 2014 at 4:31 AM, Ameya Bhatkal <ame...@gmail.com> wrote:
> Hi Dan,
>
> The agents are connected. I don't think that the Server is overloaded since
> only 2 workstations are being monitored!
>

Did you check or just guess? Is there anything in the manager's ossec.log?


Chard

Sep 19, 2014, 7:46:02 AM
to ossec...@googlegroups.com
Hi All,

Ameya did you ever get a solution to this?

As I have the same problem as this, but I have firewalls with UDP port 1514 open and the server isn't showing any signs of being overloaded.

My agents can send log files to the ossec server and the server can send its shared configuration files to each ossec agent. Which would mean that the connection between server and client is fine? Yet I still get the error message "Ossec-agent: More than 600 seconds without server response...sending win32info" on the client side.

Just wondering does the ossec server use a different port for some responses dealing with 'win32info'?

Ben

Mar 24, 2016, 4:17:29 PM
to ossec-list
Hi, 

I got the same issue here, exact same problem with 2.8.3 version. Any Help? Thanks.

Santiago Bassett

Mar 24, 2016, 5:51:30 PM
to ossec...@googlegroups.com
Could it be a network issue? I would try running tcpdump both on the agent and on the manager. It looks like manager responses are not getting to the agents somehow.

Manuel, Hal

Mar 25, 2016, 8:53:49 AM
to ossec...@googlegroups.com

For what it’s worth, I’ve seen the same thing happen on our windows agents….tried debugging it for weeks & couldn’t figure anything out so I just gave up.  It seemed to be intermittent when I dug into it before.

 

--

Hal Manuel

Sr. Director, Content & Technical Operations

Cengage Learning | Questia | Highbeam Research

Viktor Buchkivskyi

Apr 28, 2016, 11:19:05 AM
to ossec-list
Hi guys,

I've encountered the same issue with Windows agents with ossec v2.8.3 (server and clients):
Linux clients - not affected
Windows clients - throwing this message "ossec-agent: More than 600 seconds without server response...sending win32info" every 10 min

It looks like after the ossec-hids server has been restarted, Windows clients are no longer able to connect to the server.

Santiago Bassett

unread,
May 9, 2016, 3:23:37 PM5/9/16
to ossec...@googlegroups.com
I think this message just means that the agent has not exchanged data with the manager during those 10 minutes, and it is just sending a keepalive message to let it know that it is running. Just informational and nothing to be worried about.

Regarding agents not connecting back after a restart, that is a totally different thing. Usually it could take a few minutes to get them back; this can be specified in the agent config with the time-reconnect variable (by default 180 secs, I think).

Best regards
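
Added example, not part of the thread and not OSSEC code: a small Python check that measures how often the notice from this thread appears in an agent-side ossec.log, so the "every 10 min" pattern reported above can be confirmed from the log itself. The sample lines are constructed, and the `YYYY/MM/DD HH:MM:SS program: message` line layout is an assumption about the log format.

```python
import re
from datetime import datetime

# Constructed sample of an agent-side ossec.log (not taken from the thread).
# Assumed line layout: "YYYY/MM/DD HH:MM:SS program: message".
SAMPLE_LOG = """\
2016/04/28 09:00:02 ossec-agent: Started (pid: 1234).
2016/04/28 09:10:03 ossec-agent: More than 600 seconds without server response...sending win32info
2016/04/28 09:20:04 ossec-agent: More than 600 seconds without server response...sending win32info
2016/04/28 09:30:04 ossec-agent: More than 600 seconds without server response...sending win32info
2016/04/28 10:15:40 ossec-agent: More than 600 seconds without server response...sending win32info
"""

LINE_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (\S+?): (.*)$")
NOTICE_RE = re.compile(r"More than (\d+) seconds without server response")


def notice_times(log_text):
    """Return (timestamp, threshold_seconds) for every keepalive notice."""
    found = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip wrapped lines or lines in another layout
        n = NOTICE_RE.search(m.group(3))
        if n:
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            found.append((ts, int(n.group(1))))
    return found


def summarize(log_text, slack=30):
    """Split gaps between notices into regular timer ticks and longer silences."""
    notices = notice_times(log_text)
    regular, long_gaps = 0, []
    for (prev, _), (cur, threshold) in zip(notices, notices[1:]):
        gap = int((cur - prev).total_seconds())
        if gap <= threshold + slack:
            regular += 1  # notice repeated on the timer cadence
        else:
            long_gaps.append((prev, cur, gap))  # no notice logged for longer
    return {"notices": len(notices), "regular": regular, "long_gaps": long_gaps}


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    print(result["notices"], "notices,", result["regular"], "regular intervals")
    for start, end, gap in result["long_gaps"]:
        print("no notice for", gap, "s between", start, "and", end)
```

Notices that repeat at the threshold printed in the message match the keepalive reading given in the reply above; a longer gap only shows that no notice was logged in that window, so it needs a look at the surrounding log lines.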
