Unable to send message to server


anderscooter

Jan 14, 2011, 11:16:02 AM
to ossec-list
We are connecting to the server, but get this message: 'Unable to send
message to server'. I enabled debugging but I cannot seem to find a
reason for the messages. This is only happening on a couple of servers
and I cannot find any commonality among the affected machines.

2011/01/14 09:02:50 ossec-agent(4102): INFO: Connected to the server (xx.xxx.xxx.xxx:1514).
2011/01/14 09:02:50 ossec-agent(1951): INFO: Analyzing event log: 'Application'.
2011/01/14 09:02:50 ossec-agent(1951): INFO: Analyzing event log: 'Security'.
2011/01/14 09:02:53 ossec-agent(1951): INFO: Analyzing event log: 'System'.
2011/01/14 09:02:53 ossec-agent: INFO: Started (pid: 2508).
2011/01/14 09:03:49 ossec-agent: INFO: Starting syscheck scan (forwarding database).
2011/01/14 09:03:49 ossec-agent: INFO: Starting syscheck database (pre-scan).
2011/01/14 09:03:49 ossec-agent: WARN: Error opening directory: 'C:\boot.ini': No such file or directory
2011/01/14 09:03:49 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/CONFIG.NT': No such file or directory
2011/01/14 09:03:49 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/AUTOEXEC.NT': No such file or directory
2011/01/14 09:03:49 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/debug.exe': No such file or directory
2011/01/14 09:03:49 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/drwatson.exe': No such file or directory
2011/01/14 09:03:49 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/drwtsn32.exe': No such file or directory
2011/01/14 09:03:49 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/edlin.exe': No such file or directory
2011/01/14 09:03:49 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/eventtriggers.exe': No such file or directory
2011/01/14 09:03:49 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/rcp.exe': No such file or directory
2011/01/14 09:03:49 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/rexec.exe': No such file or directory
2011/01/14 09:03:49 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/rsh.exe': No such file or directory
2011/01/14 09:03:51 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/telnet.exe': No such file or directory
2011/01/14 09:03:51 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/tftp.exe': No such file or directory
2011/01/14 09:03:51 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/tlntsvr.exe': No such file or directory
2011/01/14 09:03:51 ossec-agent: INFO: Finished creating syscheck database (pre-scan completed).
2011/01/14 09:04:01 ossec-agent: INFO: Ending syscheck scan (forwarding database).
2011/01/14 09:04:21 ossec-agent: INFO: Starting rootcheck scan.
2011/01/14 09:04:26 ossec-agent: INFO: Ending rootcheck scan.
2011/01/14 09:06:29 ossec-agent(1218): ERROR: Unable to send message to server.
2011/01/14 09:15:12 ossec-agent: INFO: Event count after '20000': 17316711->10266128 (59%)
2011/01/14 09:28:17 ossec-agent: INFO: Event count after '20000': 17313995->10316576 (59%)
2011/01/14 09:36:07 ossec-agent(1218): ERROR: Unable to send message to server.
2011/01/14 09:41:54 ossec-agent: INFO: Event count after '20000': 17270398->10257672 (59%)
2011/01/14 09:48:51 ossec-agent(1218): ERROR: Unable to send message to server.
2011/01/14 09:53:55 ossec-agent(1218): ERROR: Unable to send message to server.
2011/01/14 09:54:08 ossec-agent: INFO: Event count after '20000': 17289252->10263464 (59%)
2011/01/14 10:01:19 ossec-agent(1218): ERROR: Unable to send message to server.
2011/01/14 10:09:22 ossec-agent: INFO: Event count after '20000': 17223575->10223496 (59%)

dan (ddp)

Jan 14, 2011, 12:26:34 PM
to ossec...@googlegroups.com
Hi anderscooter,

On Fri, Jan 14, 2011 at 11:16 AM, anderscooter <dav.a.a...@gmail.com> wrote:
> We are connecting to the server, but get these message 'Unable to send
> message to server". I enabled debugging but I cannot seem to find a
> reason for the messages. This is only happening on a couple servers
> and cannot find any commonality among the affected machines.
>

Try checking the ossec.log on the manager, to see if there are any
helpful messages there.
Also, make sure all agents have a unique IP in manage_agents (or are
using a CIDR, which doesn't have to be unique).

anderscooter

Jan 14, 2011, 3:10:25 PM
to ossec-list
Yes, the IP address is unique. I will have to get with the Unix team to
see if they can enable debugging on the server. They did look at the
logs without debugging on and didn't see anything out of the
ordinary.

And with high-level debugging on the Windows Agent, it says things
like this over and over again with the same "Audit Success IDs", and it
looks like it's all the WinEvtLogs.

2011/01/14 14:03:17 ossec-agent: DEBUG: Attempting to send message to server.
2011/01/14 14:03:17 ossec-agent: DEBUG: Sending message to server: 'WinEvtLog: Security: AUDIT_SUCCESS(5145)


anderscooter

Jan 14, 2011, 4:52:21 PM
to ossec-list
It looks like the problem is at remote sites with large security logs, and
every so often one of the message updates fails. We really don't need
to monitor the Windows Event logs. Is the only way to do this in the
Windows Agent config, or can this be done at the OSSEC server level?

dan (ddp)

Jan 14, 2011, 5:27:02 PM
to ossec...@googlegroups.com
On Fri, Jan 14, 2011 at 4:52 PM, anderscooter <dav.a.a...@gmail.com> wrote:
> It looks like the problem at remote sites with large security logs and
> every so often one of the message updates fail. We really don't need
> to monitor the Windows Event logs. Is the only way to do this in the
> Windows Agent config or can this be done at the OSSEC server level.
>

It'll have to be done in the agent's configuration, unless you utilize
the agent.conf central configuration.

If you want to use the agent.conf in the future, you can pretty much
remove everything out of the agent's ossec.conf except the IP of the
server and rely on the agent.conf for the rest of the configuration.
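As an added illustration of the split dan describes (this is example configuration written for this page, not configuration posted in the thread or shipped by the OSSEC project): the Windows agent's ossec.conf is reduced to the manager address, and a centrally distributed agent.conf on the manager re-enables the Application and System event logs while leaving out the large Security log that was flooding the remote agents. The manager IP is a placeholder, and the two file locations are the usual OSSEC defaults, assumed here rather than taken from the thread.

```xml
<!-- Agent side: C:\Program Files\ossec-agent\ossec.conf (default install path, assumed).
     Only the manager address is kept. With no <localfile> entries here, the agent
     collects nothing on its own and takes its log sources from agent.conf. -->
<ossec_config>
  <client>
    <server-ip>MANAGER_IP_PLACEHOLDER</server-ip>
  </client>
</ossec_config>

<!-- Manager side: /var/ossec/etc/shared/agent.conf (default shared directory, assumed).
     The manager pushes this file to every agent; the os="Windows" attribute limits
     this block to Windows agents. Application and System are collected; Security is
     deliberately omitted so a large audit backlog is not queued toward the manager. -->
<agent_config os="Windows">
  <localfile>
    <location>Application</location>
    <log_format>eventlog</log_format>
  </localfile>
  <localfile>
    <location>System</location>
    <log_format>eventlog</log_format>
  </localfile>
</agent_config>
```

Agents pick up a changed agent.conf the next time they check in with the manager, so a restart of the affected Windows agents is the quickest way to confirm the new log set took effect: the startup log should then show "Analyzing event log" lines only for Application and System. Note what is being traded away: the Security log carries the logon and audit-success events (such as the 5145 entries in the debug output above), so dropping it buys stability at the remote sites at the cost of that visibility.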

dan (ddp)

Jan 18, 2011, 12:13:36 PM
to ossec...@googlegroups.com
On Fri, Jan 14, 2011 at 4:52 PM, anderscooter <dav.a.a...@gmail.com> wrote:
> It looks like the problem at remote sites with large security logs and
> every so often one of the message updates fail. We really don't need
> to monitor the Windows Event logs. Is the only way to do this in the
> Windows Agent config or can this be done at the OSSEC server level.
>

I had an agent (not windows...) giving the same error about not being
able to send the message to the server. I re-imported the key and it
seems to have fixed things.
