windows agent's service is going down


Miki Alkalay

Jun 4, 2019, 4:06:52 AM
to Wazuh mailing list
Hi Wazuh fan,

I have an issue with some of the Windows clients: the agent is going down sporadically.
The agent version is 3.7.2 and the manager is 3.8.2 (Sysmon is not working with agent version 3.8.2).

The ossec.log on the client shows:

2019/06/03 16:34:17 ossec-agent: ERROR: Could not EvtFormatMessage() with flags (1) which returned (15033)
2019/06/03 16:34:17 ossec-agent: ERROR: Could not get message for (Microsoft-Windows-Sysmon/Operational)
2019/06/03 16:48:52 ossec-agent: ERROR: Could not EvtFormatMessage() with flags (1) which returned (15033)
2019/06/03 16:48:52 ossec-agent: ERROR: Could not get message for (Microsoft-Windows-Sysmon/Operational)
2019/06/03 17:02:03 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2019/06/03 17:03:04 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2019/06/03 17:33:09 ossec-agent: INFO: Received exit signal.
2019/06/03 17:33:09 ossec-agent: INFO: Exiting...
2019/06/03 17:33:09 ossec-agent: INFO: (1314): Shutdown received. Deleting responses.


and the Application event log shows:

Faulting application name: ossec-agent.exe, version: 0.0.0.0, time stamp: 0x5c2f2e53
Faulting module name: libwinpthread-1.dll, version: 1.0.0.0, time stamp: 0x5687f7da
Exception code: 0xc0000005
Fault offset: 0x000030bc
Faulting process id: 0x51cc
Faulting application start time: 0x01d51aaa1839adaf
Faulting application path: C:\Program Files (x86)\ossec-agent\ossec-agent.exe
Faulting module path: C:\Program Files (x86)\ossec-agent\libwinpthread-1.dll
Report Id: 6e3f77dc-c582-4c53-b890-55b60a9a92d2
Faulting package full name:


Please advise.


Cristina Garrido López

Jun 4, 2019, 6:06:23 AM
to Wazuh mailing list
Hi Miki,

I have been trying to reproduce your issue and have a few questions. Could you please tell me your Windows version and its primary language?
With this error code, 15033, Windows is complaining that the local resource is not present for this message, which may be related to your system language as it searches for a word in English.

Could you share your configuration? Are you using eventlog or eventchannel log format to monitor Sysmon? Are you getting the Sysmon logs at the Event Viewer?

Regarding the faulting application report, could you tell me if you are monitoring some other channels and with which log format?

Kind regards,
Cristina

Miki Alkalay

Jun 5, 2019, 6:17:35 AM
to Cristina Garrido López, Wazuh mailing list
Hi,
I'm using eventchannel.
I'm getting the Sysmon events in the Event Viewer.
We are monitoring all the relevant event logs -> Security, Application and System as well.
Log format is eventlog.
The machines are Windows 10.

Miki

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/50861a3f-d164-452a-9f24-a7fefb9751fe%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


--

Best Regards

Miki Alkalay
Mobile: 972-54-6496293

Cristina Garrido López

Jun 7, 2019, 10:16:14 AM
to Wazuh mailing list
Hi Miki,

Eventlog does not support non-generic channels; it can only monitor the main System, Security and Application channels. This might be your problem, as it cannot find the message for Sysmon events. You can change the log format to eventchannel in version 3.7.2, which has the same format as eventlog, or upgrade to 3.9 (both manager and agent) and use the new eventchannel with JSON format. If you have any doubt, I will be glad to help you.

Kind regards,
Cristina
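Added example (not Wazuh's own code and not from the thread): a small Python check for the misconfiguration Cristina describes above. It parses the <localfile> blocks from an ossec.conf fragment, flags any entry that pairs the eventlog format with a channel other than System, Security or Application, and rewrites those entries to eventchannel so the agent can read them. The <localfile>/<location>/<log_format> layout is the documented Wazuh one; the sample configuration is constructed here to mirror the thread's setup (the three generic channels plus Sysmon), and the function names are this example's own.

```python
"""Flag and repair Wazuh <localfile> entries that use 'eventlog' on a
channel that reader cannot handle.

Added example, not Wazuh code. Assumes the documented ossec.conf layout:
<localfile> blocks containing <location> and <log_format>.
"""
import xml.etree.ElementTree as ET

# The classic channels the 'eventlog' reader supports. Anything else
# (Microsoft-Windows-Sysmon/Operational, PowerShell, ...) needs 'eventchannel'.
GENERIC_CHANNELS = {"system", "security", "application"}


def _wrap(conf_text: str) -> ET.Element:
    # A real ossec.conf may hold several top-level <ossec_config> blocks,
    # which is not well-formed XML, so parse under a synthetic root.
    return ET.fromstring("<root>" + conf_text + "</root>")


def parse_localfiles(conf_text: str):
    """Return (location, log_format) pairs for every <localfile> block."""
    entries = []
    for lf in _wrap(conf_text).iter("localfile"):
        loc = (lf.findtext("location") or "").strip()
        fmt = (lf.findtext("log_format") or "").strip().lower()
        entries.append((loc, fmt))
    return entries


def unsupported_eventlog_channels(conf_text: str):
    """Locations monitored with 'eventlog' that are not generic channels."""
    return [loc for loc, fmt in parse_localfiles(conf_text)
            if fmt == "eventlog" and loc.lower() not in GENERIC_CHANNELS]


def fix_log_format(conf_text: str) -> str:
    """Rewrite offending entries to 'eventchannel' and return the new text."""
    root = _wrap(conf_text)
    for lf in root.iter("localfile"):
        loc = (lf.findtext("location") or "").strip()
        fmt_el = lf.find("log_format")
        if fmt_el is None or not fmt_el.text:
            continue
        if fmt_el.text.strip().lower() == "eventlog" and loc.lower() not in GENERIC_CHANNELS:
            fmt_el.text = "eventchannel"
    # Serialize the children of the synthetic root back to text.
    return "".join(ET.tostring(child, encoding="unicode") for child in root)


# Constructed sample mirroring the thread: Security, Application and System
# plus the Sysmon channel, with Sysmon wrongly set to eventlog.
SAMPLE_CONF = """
<ossec_config>
  <localfile>
    <location>Security</location>
    <log_format>eventlog</log_format>
  </localfile>
  <localfile>
    <location>Application</location>
    <log_format>eventlog</log_format>
  </localfile>
  <localfile>
    <location>System</location>
    <log_format>eventlog</log_format>
  </localfile>
  <localfile>
    <location>Microsoft-Windows-Sysmon/Operational</location>
    <log_format>eventlog</log_format>
  </localfile>
</ossec_config>
"""

if __name__ == "__main__":
    print("eventlog entries that need eventchannel:",
          unsupported_eventlog_channels(SAMPLE_CONF))
    print(fix_log_format(SAMPLE_CONF))
```

Run it against a copy of the agent's ossec.conf; an empty list from unsupported_eventlog_channels means every non-generic channel is already on eventchannel. The generic channels are left on eventlog on purpose, since Cristina's reply says that reader handles them.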

Miki Alkalay

Jun 10, 2019, 5:23:20 AM
to Cristina Garrido López, Wazuh mailing list
Hi,
I'm using eventchannel.
Please let me know where I'm wrong.

Miki



--

Best Regards

Miki Alkalay
Mobile: 972-54-6496293


Cristina Garrido López

Jun 11, 2019, 2:58:01 AM
to Wazuh mailing list
Hi Miki,

Versions 3.7.2 and 3.8.2 shouldn't be mixed when using EventChannel, as it has undergone a big change since 3.8.0. You could also downgrade your manager to 3.7.2 and keep using the old EventChannel. However, if you want to use the new EventChannel to monitor the Sysmon channel and see alerts, you should upgrade both agent and manager to 3.9.2, as 3.8.2 had a typo in the parent rule for this channel. Let me know if you have any doubts or if there is something I can do to help.

Kind regards,
Cristina