Windows agent install - ossec-agent: ERROR: Could not move & Could not rename


Robert H

Mar 27, 2018, 4:17:05 PM
to Wazuh mailing list
Hi,
We are seeing the below errors during an authd msi agent install using the msi agent file, 3.2.1

2018/03/27 09:25:27 ossec-agent: ERROR: Could not rename_ex() temporary bookmark (tmp/Security-a06248) to (bookmarks/Security) for (Security)
2018/03/27 09:25:28 ossec-agent: ERROR: Could not move (tmp/Security-a06248) to (bookmarks/Security) which returned (5)
2018/03/27 09:25:28 ossec-agent: ERROR: Could not rename_ex() temporary bookmark (tmp/Security-a06248) to (bookmarks/Security) for (Security)
2018/03/27 09:25:28 ossec-agent: ERROR: Could not move (tmp/Security-a06248) to (bookmarks/Security) which returned (5)
2018/03/27 09:25:28 ossec-agent: ERROR: Could not rename_ex() temporary bookmark (tmp/Security-a06248) to (bookmarks/Security) for (Security)
2018/03/27 09:25:28 ossec-agent: ERROR: Could not move (tmp/Security-a06248) to (bookmarks/Security) which returned (5)
2018/03/27 09:25:28 ossec-agent: ERROR: Could not rename_ex() temporary bookmark (tmp/Security-a06248) to (bookmarks/Security) for (Security)
2018/03/27 09:25:28 ossec-agent: ERROR: Could not move (tmp/Security-a06248) to (bookmarks/Security) which returned (5)
2018/03/27 09:25:28 ossec-agent: ERROR: Could not rename_ex() temporary bookmark (tmp/Security-a06248) to (bookmarks/Security) for (Security)
2018/03/27 09:25:28 ossec-agent: ERROR: Could not move (tmp/Security-a06248) to (bookmarks/Security) which returned (5)

I have found 2 posts from 2016 about this where Victor recommended checking the permissions on the tmp and bookmarks directories. We have done this and they are confirmed okay.


Confirmed that folders "tmp" and "bookmarks" had total permissions for the "SYSTEM" user and the "Administrators" group.


The other recommendation was to uninstall and reinstall.  There was not a definite resolution in either post.  Is this something that can be ignored?  Has it been fixed in some way?


Regards,

Robert
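An added check for the situation described in this post (written for this thread; it is not the poster's script and not Wazuh's own code): the Win32 code 5 in "which returned (5)" is ERROR_ACCESS_DENIED, and a move from tmp\ to bookmarks\ depends on the ACLs of the source directory, the destination directory and the existing destination file, plus the file's ReadOnly attribute. The post only confirms the two folders, so this script also inspects bookmarks\Security itself and lists Deny ACEs, which override any Allow. It assumes the default install path shown in the agent log (C:\Program Files (x86)\ossec-agent) and the two identities the post names; adjust $AgentDir and $Identities otherwise.

```powershell
# Added example, not part of the thread or of the Wazuh project.
# Assumption: default agent directory as printed in the agent log above.
$AgentDir   = 'C:\Program Files (x86)\ossec-agent'
$Channel    = 'Security'
$Identities = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')   # the two the post verified
$FullCtl    = [System.Security.AccessControl.FileSystemRights]::FullControl

function Get-BookmarkAccessReport {
    param([Parameter(Mandatory)][string]$Path, [string[]]$Required = $Identities)

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false; Owner = $null; FullControl = @()
                                  MissingFull = $Required; Deny = @(); ReadOnly = $false }
    }
    $item = Get-Item -LiteralPath $Path -Force
    $acl  = Get-Acl  -LiteralPath $Path

    # Identities holding an Allow ACE that grants FullControl (inherited ACEs count as well).
    $full = @($acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $_.FileSystemRights.HasFlag($FullCtl) } |
        ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique)

    # A Deny ACE wins over any Allow in the Windows access check, so report every one of them.
    $deny = @($acl.Access |
        Where-Object { $_.AccessControlType -eq 'Deny' } |
        ForEach-Object { '{0}: {1}' -f $_.IdentityReference.Value, $_.FileSystemRights })

    [pscustomobject]@{
        Path        = $Path
        Exists      = $true
        Owner       = $acl.Owner
        FullControl = $full
        MissingFull = @($Required | Where-Object { $full -notcontains $_ })
        Deny        = $deny
        # A ReadOnly destination file also makes a replacing move fail with ERROR_ACCESS_DENIED.
        ReadOnly    = $item.Attributes.HasFlag([System.IO.FileAttributes]::ReadOnly)
    }
}

# Source directory, destination directory, and the destination file the move replaces.
$targets = @(
    (Join-Path $AgentDir 'tmp'),
    (Join-Path $AgentDir 'bookmarks'),
    (Join-Path $AgentDir "bookmarks\$Channel")
)

$report = $targets | ForEach-Object { Get-BookmarkAccessReport -Path $_ }
$report | Format-List Path, Exists, Owner, FullControl, MissingFull, Deny, ReadOnly

# Temporary bookmarks still sitting in tmp\ (the same tmp\Security-... name recurs in the log).
$stale = @(Get-ChildItem -LiteralPath (Join-Path $AgentDir 'tmp') -Filter "$Channel-*" -File `
           -ErrorAction SilentlyContinue)
Write-Output ("Temporary bookmark files left in tmp for '{0}': {1}" -f $Channel, $stale.Count)

# Anything here is a candidate explanation for the ERROR_ACCESS_DENIED on the move.
$problems = $report | Where-Object {
    -not $_.Exists -or $_.Deny.Count -gt 0 -or $_.MissingFull.Count -gt 0 -or $_.ReadOnly
}
if ($problems) {
    Write-Warning ('Access problems on: ' + (($problems | ForEach-Object { $_.Path }) -join ', '))
} else {
    Write-Output 'ACLs and attributes are consistent with a successful tmp -> bookmarks move.'
}
```

Run it from an elevated PowerShell prompt on the affected host. The identity that matters is the one the agent service runs under (LocalSystem on a default install, which is the NT AUTHORITY\SYSTEM entry above); an Allow ACE on the folders alone is not enough if the existing bookmarks\Security file carries its own restrictive ACL or the ReadOnly attribute, which is the case a folder-only check misses.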

Robert H

Mar 27, 2018, 4:41:42 PM
to Wazuh mailing list
Here are the 2 other threads that I found for this issue, but did not see a resolution in either of them.



And the agent log file:

2018/03/27 09:24:58 ossec-agent: INFO: Using notify time: 10 and max time to reconnect: 60
2018/03/27 09:24:58 ossec-agent: INFO: Started (pid: 6216).
2018/03/27 09:24:58 ossec-agent: INFO: (1410): Reading authentication keys file.
2018/03/27 09:24:58 ossec-agent: INFO: Trying to connect to server (<hidden>:1514).
2018/03/27 09:24:58 ossec-agent: INFO: Starting syscheckd thread.
2018/03/27 09:24:58 rootcheck: INFO: Started (pid: 6216).
2018/03/27 09:24:58 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\batfile'.
2018/03/27 09:24:58 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\cmdfile'.
2018/03/27 09:24:58 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\comfile'.
2018/03/27 09:24:58 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\exefile'.
2018/03/27 09:24:58 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\piffile'.
2018/03/27 09:24:58 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects'.
2018/03/27 09:24:58 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\Directory'.
2018/03/27 09:24:58 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\Folder'.
2018/03/27 09:24:58 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\Protocols'.
2018/03/27 09:24:58 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\Protocols [x64]'.
2018/03/27 09:24:58 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Policies'.
2018/03/27 09:24:58 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Policies [x64]'.
2018/03/27 09:24:58 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Security'.
2018/03/27 09:24:58 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer'.
2018/03/27 09:24:58 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer [x64]'.
2018/03/27 09:24:58 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services'.
2018/03/27 09:24:58 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs'.
2018/03/27 09:24:58 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg'.
2018/03/27 09:24:58 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run'.
2018/03/27 09:24:58 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run [x64]'.
2018/03/27 09:24:58 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce'.
2018/03/27 09:24:58 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce [x64]'.
2018/03/27 09:24:58 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx'.
2018/03/27 09:24:58 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL'.
2018/03/27 09:24:58 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL [x64]'.
2018/03/27 09:24:58 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies'.
2018/03/27 09:24:58 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies [x64]'.
2018/03/27 09:24:58 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows'.
2018/03/27 09:24:58 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows [x64]'.
2018/03/27 09:24:58 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'.
2018/03/27 09:24:58 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon [x64]'.
2018/03/27 09:24:58 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components'.
2018/03/27 09:24:58 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components [x64]'.
2018/03/27 09:24:58 ossec-agent: INFO: Monitoring directory: 'C:\Windows/regedit.exe', with options perm | size | owner | group | md5sum | sha1sum | mtime | inode.
2018/03/27 09:24:58 ossec-agent: INFO: Monitoring directory: 'C:\Windows/system.ini', with options perm | size | owner | group | md5sum | sha1sum | mtime | inode.
2018/03/27 09:24:58 ossec-agent: INFO: Monitoring directory: 'C:\Windows/win.ini', with options perm | size | owner | group | md5sum | sha1sum | mtime | inode.
2018/03/27 09:24:58 ossec-agent: INFO: Monitoring directory: 'C:\Windows/SysNative/at.exe', with options perm | size | owner | group | md5sum | sha1sum | mtime | inode.
2018/03/27 09:24:58 ossec-agent: INFO: Monitoring directory: 'C:\Windows/SysNative/attrib.exe', with options perm | size | owner | group | md5sum | sha1sum | mtime | inode.
2018/03/27 09:24:58 ossec-agent: INFO: Monitoring directory: 'C:\Windows/SysNative/cacls.exe', with options perm | size | owner | group | md5sum | sha1sum | mtime | inode.
2018/03/27 09:24:58 ossec-agent: INFO: Monitoring directory: 'C:\Windows/SysNative/cmd.exe', with options perm | size | owner | group | md5sum | sha1sum | mtime | inode.
2018/03/27 09:24:58 ossec-agent: INFO: Monitoring directory: 'C:\Windows/SysNative/drivers/etc', with options perm | size | owner | group | md5sum | sha1sum | mtime | inode.
2018/03/27 09:24:58 ossec-agent: INFO: Monitoring directory: 'C:\Windows/SysNative/eventcreate.exe', with options perm | size | owner | group | md5sum | sha1sum | mtime | inode.
2018/03/27 09:24:58 ossec-agent: INFO: Monitoring directory: 'C:\Windows/SysNative/ftp.exe', with options perm | size | owner | group | md5sum | sha1sum | mtime | inode.
2018/03/27 09:24:58 ossec-agent: INFO: Monitoring directory: 'C:\Windows/SysNative/lsass.exe', with options perm | size | owner | group | md5sum | sha1sum | mtime | inode.
2018/03/27 09:24:58 ossec-agent: INFO: Monitoring directory: 'C:\Windows/SysNative/net.exe', with options perm | size | owner | group | md5sum | sha1sum | mtime | inode.
2018/03/27 09:24:58 ossec-agent: INFO: Monitoring directory: 'C:\Windows/SysNative/net1.exe', with options perm | size | owner | group | md5sum | sha1sum | mtime | inode.
2018/03/27 09:24:58 ossec-agent: INFO: Monitoring directory: 'C:\Windows/SysNative/netsh.exe', with options perm | size | owner | group | md5sum | sha1sum | mtime | inode.
2018/03/27 09:24:58 ossec-agent: INFO: Monitoring directory: 'C:\Windows/SysNative/reg.exe', with options perm | size | owner | group | md5sum | sha1sum | mtime | inode.
2018/03/27 09:24:58 ossec-agent: INFO: Monitoring directory: 'C:\Windows/SysNative/regedt32.exe', with options perm | size | owner | group | md5sum | sha1sum | mtime | inode.
2018/03/27 09:24:58 ossec-agent: INFO: Monitoring directory: 'C:\Windows/SysNative/regsvr32.exe', with options perm | size | owner | group | md5sum | sha1sum | mtime | inode.
2018/03/27 09:24:58 ossec-agent: INFO: Monitoring directory: 'C:\Windows/SysNative/runas.exe', with options perm | size | owner | group | md5sum | sha1sum | mtime | inode.
2018/03/27 09:24:58 ossec-agent: INFO: Monitoring directory: 'C:\Windows/SysNative/sc.exe', with options perm | size | owner | group | md5sum | sha1sum | mtime | inode.
2018/03/27 09:24:58 ossec-agent: INFO: Monitoring directory: 'C:\Windows/SysNative/schtasks.exe', with options perm | size | owner | group | md5sum | sha1sum | mtime | inode.
2018/03/27 09:24:58 ossec-agent: INFO: Monitoring directory: 'C:\Windows/SysNative/sethc.exe', with options perm | size | owner | group | md5sum | sha1sum | mtime | inode.
2018/03/27 09:24:58 ossec-agent: INFO: Monitoring directory: 'C:\Windows/SysNative/subst.exe', with options perm | size | owner | group | md5sum | sha1sum | mtime | inode.
2018/03/27 09:24:58 ossec-agent: INFO: Monitoring directory: 'C:\Windows/SysNative/wbem/WMIC.exe', with options perm | size | owner | group | md5sum | sha1sum | mtime | inode.
2018/03/27 09:24:58 ossec-agent: INFO: Monitoring directory: 'C:\Windows/SysNative/WindowsPowerShell\v1.0\powershell.exe', with options perm | size | owner | group | md5sum | sha1sum | mtime | inode.
2018/03/27 09:24:58 ossec-agent: INFO: Monitoring directory: 'C:\Windows/SysNative/winrm.vbs', with options perm | size | owner | group | md5sum | sha1sum | mtime | inode.
2018/03/27 09:24:58 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/at.exe', with options perm | size | owner | group | md5sum | sha1sum | mtime | inode.
2018/03/27 09:24:58 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/attrib.exe', with options perm | size | owner | group | md5sum | sha1sum | mtime | inode.
2018/03/27 09:24:58 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/cacls.exe', with options perm | size | owner | group | md5sum | sha1sum | mtime | inode.
2018/03/27 09:24:58 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/cmd.exe', with options perm | size | owner | group | md5sum | sha1sum | mtime | inode.
2018/03/27 09:24:58 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/drivers/etc', with options perm | size | owner | group | md5sum | sha1sum | mtime | inode.
2018/03/27 09:24:58 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/eventcreate.exe', with options perm | size | owner | group | md5sum | sha1sum | mtime | inode.
2018/03/27 09:24:58 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/ftp.exe', with options perm | size | owner | group | md5sum | sha1sum | mtime | inode.
2018/03/27 09:24:58 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/net.exe', with options perm | size | owner | group | md5sum | sha1sum | mtime | inode.
2018/03/27 09:24:58 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/net1.exe', with options perm | size | owner | group | md5sum | sha1sum | mtime | inode.
2018/03/27 09:24:58 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/netsh.exe', with options perm | size | owner | group | md5sum | sha1sum | mtime | inode.
2018/03/27 09:24:58 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/reg.exe', with options perm | size | owner | group | md5sum | sha1sum | mtime | inode.
2018/03/27 09:24:58 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/regedit.exe', with options perm | size | owner | group | md5sum | sha1sum | mtime | inode.
2018/03/27 09:24:58 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/regedt32.exe', with options perm | size | owner | group | md5sum | sha1sum | mtime | inode.
2018/03/27 09:24:58 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/regsvr32.exe', with options perm | size | owner | group | md5sum | sha1sum | mtime | inode.
2018/03/27 09:24:58 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/runas.exe', with options perm | size | owner | group | md5sum | sha1sum | mtime | inode.
2018/03/27 09:24:58 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/sc.exe', with options perm | size | owner | group | md5sum | sha1sum | mtime | inode.
2018/03/27 09:24:58 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/schtasks.exe', with options perm | size | owner | group | md5sum | sha1sum | mtime | inode.
2018/03/27 09:24:58 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/sethc.exe', with options perm | size | owner | group | md5sum | sha1sum | mtime | inode.
2018/03/27 09:24:58 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/subst.exe', with options perm | size | owner | group | md5sum | sha1sum | mtime | inode.
2018/03/27 09:24:58 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/wbem/WMIC.exe', with options perm | size | owner | group | md5sum | sha1sum | mtime | inode.
2018/03/27 09:24:58 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/WindowsPowerShell\v1.0\powershell.exe', with options perm | size | owner | group | md5sum | sha1sum | mtime | inode.
2018/03/27 09:24:58 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/winrm.vbs', with options perm | size | owner | group | md5sum | sha1sum | mtime | inode.
2018/03/27 09:24:58 ossec-agent: INFO: Monitoring directory: 'C:\ProgramData/Microsoft/Windows/Start Menu/Programs/Startup', with options perm | size | owner | group | md5sum | sha1sum | realtime | mtime | inode.
2018/03/27 09:24:58 ossec-agent: INFO: Started (pid: 6216).
2018/03/27 09:24:58 ossec-agent: INFO: (4102): Connected to the server (<hidden>:1514).
2018/03/27 09:24:58 wazuh-modulesd:ciscat: INFO: Module disabled. Exiting...
2018/03/27 09:24:58 ossec-agent: INFO: System is Vista or newer (Microsoft Windows 7 Professional Service Pack 1 [Ver: 6.1.7601] - Wazuh v3.2.1).
2018/03/27 09:24:58 ossec-agent: INFO: (1951): Analyzing event log: 'Application'.
2018/03/27 09:24:58 ossec-agent: INFO: (1951): Analyzing event log: 'Security'.
2018/03/27 09:24:59 ossec-agent: INFO: (1951): Analyzing event log: 'System'.
2018/03/27 09:24:59 ossec-agent: ERROR: Could not move (tmp/Security-a06816) to (bookmarks/Security) which returned (5)
2018/03/27 09:24:59 ossec-agent: ERROR: Could not rename_ex() temporary bookmark (tmp/Security-a06816) to (bookmarks/Security) for (Security)
2018/03/27 09:24:59 ossec-agent: INFO: Agent is restarting due to shared configuration changes.
2018/03/27 09:24:59 ossec-agent: ERROR: Could not move (tmp/Security-a06816) to (bookmarks/Security) which returned (5)
2018/03/27 09:24:59 ossec-agent: ERROR: Could not rename_ex() temporary bookmark (tmp/Security-a06816) to (bookmarks/Security) for (Security)
2018/03/27 09:24:59 ossec-agent: ERROR: Could not move (tmp/Security-a06816) to (bookmarks/Security) which returned (5)
2018/03/27 09:24:59 ossec-agent: ERROR: Could not rename_ex() temporary bookmark (tmp/Security-a06816) to (bookmarks/Security) for (Security)
2018/03/27 09:24:59 ossec-agent: ERROR: Could not move (tmp/Security-a06816) to (bookmarks/Security) which returned (5)
2018/03/27 09:24:59 ossec-agent: ERROR: Could not rename_ex() temporary bookmark (tmp/Security-a06816) to (bookmarks/Security) for (Security)
2018/03/27 09:24:59 ossec-agent: ERROR: Could not move (tmp/Security-a06816) to (bookmarks/Security) which returned (5)
2018/03/27 09:24:59 ossec-agent: ERROR: Could not rename_ex() temporary bookmark (tmp/Security-a06816) to (bookmarks/Security) for (Security)
2018/03/27 09:24:59 ossec-agent: ERROR: Could not move (tmp/Security-a06816) to (bookmarks/Security) which returned (5)
2018/03/27 09:24:59 ossec-agent: ERROR: Could not rename_ex() temporary bookmark (tmp/Security-a06816) to (bookmarks/Security) for (Security)
2018/03/27 09:24:59 ossec-agent: ERROR: Could not move (tmp/Security-a06816) to (bookmarks/Security) which returned (5)
2018/03/27 09:24:59 ossec-agent: ERROR: Could not rename_ex() temporary bookmark (tmp/Security-a06816) to (bookmarks/Security) for (Security)
2018/03/27 09:24:59 ossec-agent: ERROR: Could not move (tmp/Security-a06816) to (bookmarks/Security) which returned (5)
2018/03/27 09:24:59 ossec-agent: ERROR: Could not rename_ex() temporary bookmark (tmp/Security-a06816) to (bookmarks/Security) for (Security)
2018/03/27 09:24:59 ossec-agent: ERROR: Could not move (tmp/Security-a06816) to (bookmarks/Security) which returned (5)
2018/03/27 09:24:59 ossec-agent: ERROR: Could not rename_ex() temporary bookmark (tmp/Security-a06816) to (bookmarks/Security) for (Security)
2018/03/27 09:24:59 ossec-agent: ERROR: Could not move (tmp/Security-a06816) to (bookmarks/Security) which returned (5)
2018/03/27 09:24:59 ossec-agent: ERROR: Could not rename_ex() temporary bookmark (tmp/Security-a06816) to (bookmarks/Security) for (Security)
2018/03/27 09:24:59 ossec-agent: INFO: (1950): Analyzing file: 'C:\Program Files (x86)\ossec-agent\active-response\active-responses.log'.
2018/03/27 09:24:59 ossec-agent: INFO: Started (pid: 6216).
2018/03/27 09:24:59 ossec-agent: INFO: Received exit signal.
2018/03/27 09:24:59 ossec-agent: INFO: Exiting...
2018/03/27 09:24:59 ossec-agent: INFO: Using notify time: 10 and max time to reconnect: 60
2018/03/27 09:24:59 ossec-agent: INFO: Started (pid: 1524).
2018/03/27 09:24:59 ossec-agent: INFO: (1410): Reading authentication keys file.
2018/03/27 09:24:59 ossec-agent: INFO: Trying to connect to server (<hidden>:1514).
2018/03/27 09:25:00 ossec-agent: INFO: Starting syscheckd thread.
2018/03/27 09:25:00 rootcheck: INFO: Started (pid: 1524).
2018/03/27 09:25:00 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\batfile'.
2018/03/27 09:25:00 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\cmdfile'.
2018/03/27 09:25:00 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\comfile'.
2018/03/27 09:25:00 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\exefile'.
2018/03/27 09:25:00 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\piffile'.
2018/03/27 09:25:00 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects'.
2018/03/27 09:25:00 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\Directory'.
2018/03/27 09:25:00 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\Folder'.
2018/03/27 09:25:00 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\Protocols'.
2018/03/27 09:25:00 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\Protocols [x64]'.
2018/03/27 09:25:00 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Policies'.
2018/03/27 09:25:00 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Policies [x64]'.
2018/03/27 09:25:00 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Security'.
2018/03/27 09:25:00 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer'.
2018/03/27 09:25:00 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer [x64]'.
2018/03/27 09:25:00 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services'.
2018/03/27 09:25:00 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs'.
2018/03/27 09:25:00 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg'.
2018/03/27 09:25:00 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run'.
2018/03/27 09:25:00 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run [x64]'.
2018/03/27 09:25:00 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce'.
2018/03/27 09:25:00 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce [x64]'.
2018/03/27 09:25:00 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx'.
2018/03/27 09:25:00 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL'.
2018/03/27 09:25:00 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL [x64]'.
2018/03/27 09:25:00 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies'.
2018/03/27 09:25:00 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies [x64]'.
2018/03/27 09:25:00 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows'.
2018/03/27 09:25:00 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows [x64]'.
2018/03/27 09:25:00 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'.
2018/03/27 09:25:00 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon [x64]'.
2018/03/27 09:25:00 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components'.
2018/03/27 09:25:00 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components [x64]'.
2018/03/27 09:25:00 ossec-agent: INFO: Monitoring directory: 'C:\Windows/regedit.exe', with options perm | size | owner | group | md5sum | sha1sum | mtime | inode.
2018/03/27 09:25:00 ossec-agent: INFO: Monitoring directory: 'C:\Windows/system.ini', with options perm | size | owner | group | md5sum | sha1sum | mtime | inode.
2018/03/27 09:25:00 ossec-agent: INFO: Monitoring directory: 'C:\Windows/win.ini', with options perm | size | owner | group | md5sum | sha1sum | mtime | inode.
2018/03/27 09:25:00 ossec-agent: INFO: Monitoring directory: 'C:\Windows/SysNative/at.exe', with options perm | size | owner | group | md5sum | sha1sum | mtime | inode.
2018/03/27 09:25:00 ossec-agent: INFO: Monitoring directory: 'C:\Windows/SysNative/attrib.exe', with options perm | size | owner | group | md5sum | sha1sum | mtime | inode.
2018/03/27 09:25:00 ossec-agent: INFO: Monitoring directory: 'C:\Windows/SysNative/cacls.exe', with options perm | size | owner | group | md5sum | sha1sum | mtime | inode.
2018/03/27 09:25:00 ossec-agent: INFO: Monitoring directory: 'C:\Windows/SysNative/cmd.exe', with options perm | size | owner | group | md5sum | sha1sum | mtime | inode.
2018/03/27 09:25:00 ossec-agent: INFO: Monitoring directory: 'C:\Windows/SysNative/drivers/etc', with options perm | size | owner | group | md5sum | sha1sum | mtime | inode.
2018/03/27 09:25:00 ossec-agent: INFO: Monitoring directory: 'C:\Windows/SysNative/eventcreate.exe', with options perm | size | owner | group | md5sum | sha1sum | mtime | inode.
2018/03/27 09:25:00 ossec-agent: INFO: Monitoring directory: 'C:\Windows/SysNative/ftp.exe', with options perm | size | owner | group | md5sum | sha1sum | mtime | inode.
2018/03/27 09:25:00 ossec-agent: INFO: Monitoring directory: 'C:\Windows/SysNative/lsass.exe', with options perm | size | owner | group | md5sum | sha1sum | mtime | inode.
2018/03/27 09:25:00 ossec-agent: INFO: Monitoring directory: 'C:\Windows/SysNative/net.exe', with options perm | size | owner | group | md5sum | sha1sum | mtime | inode.
2018/03/27 09:25:00 ossec-agent: INFO: Monitoring directory: 'C:\Windows/SysNative/net1.exe', with options perm | size | owner | group | md5sum | sha1sum | mtime | inode.
2018/03/27 09:25:00 ossec-agent: INFO: Monitoring directory: 'C:\Windows/SysNative/netsh.exe', with options perm | size | owner | group | md5sum | sha1sum | mtime | inode.
2018/03/27 09:25:00 ossec-agent: INFO: Monitoring directory: 'C:\Windows/SysNative/reg.exe', with options perm | size | owner | group | md5sum | sha1sum | mtime | inode.
2018/03/27 09:25:00 ossec-agent: INFO: Monitoring directory: 'C:\Windows/SysNative/regedt32.exe', with options perm | size | owner | group | md5sum | sha1sum | mtime | inode.
2018/03/27 09:25:00 ossec-agent: INFO: Monitoring directory: 'C:\Windows/SysNative/regsvr32.exe', with options perm | size | owner | group | md5sum | sha1sum | mtime | inode.
2018/03/27 09:25:00 ossec-agent: INFO: Monitoring directory: 'C:\Windows/SysNative/runas.exe', with options perm | size | owner | group | md5sum | sha1sum | mtime | inode.
2018/03/27 09:25:00 ossec-agent: INFO: Monitoring directory: 'C:\Windows/SysNative/sc.exe', with options perm | size | owner | group | md5sum | sha1sum | mtime | inode.
2018/03/27 09:25:00 ossec-agent: INFO: Monitoring directory: 'C:\Windows/SysNative/schtasks.exe', with options perm | size | owner | group | md5sum | sha1sum | mtime | inode.
2018/03/27 09:25:00 ossec-agent: INFO: Monitoring directory: 'C:\Windows/SysNative/sethc.exe', with options perm | size | owner | group | md5sum | sha1sum | mtime | inode.
2018/03/27 09:25:00 ossec-agent: INFO: Monitoring directory: 'C:\Windows/SysNative/subst.exe', with options perm | size | owner | group | md5sum | sha1sum | mtime | inode.
2018/03/27 09:25:00 ossec-agent: INFO: Monitoring directory: 'C:\Windows/SysNative/wbem/WMIC.exe', with options perm | size | owner | group | md5sum | sha1sum | mtime | inode.
2018/03/27 09:25:00 ossec-agent: INFO: Monitoring directory: 'C:\Windows/SysNative/WindowsPowerShell\v1.0\powershell.exe', with options perm | size | owner | group | md5sum | sha1sum | mtime | inode.
2018/03/27 09:25:00 ossec-agent: INFO: Monitoring directory: 'C:\Windows/SysNative/winrm.vbs', with options perm | size | owner | group | md5sum | sha1sum | mtime | inode.
2018/03/27 09:25:00 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/at.exe', with options perm | size | owner | group | md5sum | sha1sum | mtime | inode.
2018/03/27 09:25:00 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/attrib.exe', with options perm | size | owner | group | md5sum | sha1sum | mtime | inode.
2018/03/27 09:25:00 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/cacls.exe', with options perm | size | owner | group | md5sum | sha1sum | mtime | inode.
2018/03/27 09:25:00 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/cmd.exe', with options perm | size | owner | group | md5sum | sha1sum | mtime | inode.
2018/03/27 09:25:00 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/drivers/etc', with options perm | size | owner | group | md5sum | sha1sum | mtime | inode.
2018/03/27 09:25:00 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/eventcreate.exe', with options perm | size | owner | group | md5sum | sha1sum | mtime | inode.
2018/03/27 09:25:00 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/ftp.exe', with options perm | size | owner | group | md5sum | sha1sum | mtime | inode.
2018/03/27 09:25:00 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/net.exe', with options perm | size | owner | group | md5sum | sha1sum | mtime | inode.
2018/03/27 09:25:00 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/net1.exe', with options perm | size | owner | group | md5sum | sha1sum | mtime | inode.
2018/03/27 09:25:00 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/netsh.exe', with options perm | size | owner | group | md5sum | sha1sum | mtime | inode.
2018/03/27 09:25:00 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/reg.exe', with options perm | size | owner | group | md5sum | sha1sum | mtime | inode.
2018/03/27 09:25:00 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/regedit.exe', with options perm | size | owner | group | md5sum | sha1sum | mtime | inode.
2018/03/27 09:25:00 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/regedt32.exe', with options perm | size | owner | group | md5sum | sha1sum | mtime | inode.
2018/03/27 09:25:00 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/regsvr32.exe', with options perm | size | owner | group | md5sum | sha1sum | mtime | inode.
2018/03/27 09:25:00 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/runas.exe', with options perm | size | owner | group | md5sum | sha1sum | mtime | inode.
2018/03/27 09:25:00 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/sc.exe', with options perm | size | owner | group | md5sum | sha1sum | mtime | inode.
2018/03/27 09:25:00 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/schtasks.exe', with options perm | size | owner | group | md5sum | sha1sum | mtime | inode.
2018/03/27 09:25:00 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/sethc.exe', with options perm | size | owner | group | md5sum | sha1sum | mtime | inode.
2018/03/27 09:25:00 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/subst.exe', with options perm | size | owner | group | md5sum | sha1sum | mtime | inode.
2018/03/27 09:25:00 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/wbem/WMIC.exe', with options perm | size | owner | group | md5sum | sha1sum | mtime | inode.
2018/03/27 09:25:00 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/WindowsPowerShell\v1.0\powershell.exe', with options perm | size | owner | group | md5sum | sha1sum | mtime | inode.
2018/03/27 09:25:00 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/winrm.vbs', with options perm | size | owner | group | md5sum | sha1sum | mtime | inode.
2018/03/27 09:25:00 ossec-agent: INFO: Monitoring directory: 'C:\ProgramData/Microsoft/Windows/Start Menu/Programs/Startup', with options perm | size | owner | group | md5sum | sha1sum | realtime | mtime | inode.
2018/03/27 09:25:00 ossec-agent: INFO: Started (pid: 1524).
2018/03/27 09:25:00 ossec-agent: INFO: (4102): Connected to the server (<hidden>:1514).
2018/03/27 09:25:00 wazuh-modulesd:ciscat: INFO: Module disabled. Exiting...
2018/03/27 09:25:00 ossec-agent: INFO: System is Vista or newer (Microsoft Windows 7 Professional Service Pack 1 [Ver: 6.1.7601] - Wazuh v3.2.1).
2018/03/27 09:25:00 ossec-agent: INFO: (1951): Analyzing event log: 'Application'.
2018/03/27 09:25:00 ossec-agent: INFO: (1951): Analyzing event log: 'Security'.
2018/03/27 09:25:00 ossec-agent: INFO: (1951): Analyzing event log: 'System'.
2018/03/27 09:25:00 ossec-agent: INFO: (1950): Analyzing file: 'C:\Program Files (x86)\ossec-agent\active-response\active-responses.log'.
2018/03/27 09:25:00 ossec-agent: INFO: Started (pid: 1524).
2018/03/27 09:25:01 ossec-agent: ERROR: Could not move (tmp/Security-a06248) to (bookmarks/Security) which returned (5)
2018/03/27 09:25:01 ossec-agent: ERROR: Could not rename_ex() temporary bookmark (tmp/Security-a06248) to (bookmarks/Security) for (Security)
2018/03/27 09:25:01 ossec-agent: ERROR: Could not move (tmp/Security-a06248) to (bookmarks/Security) which returned (5)
2018/03/27 09:25:01 ossec-agent: ERROR: Could not rename_ex() temporary bookmark (tmp/Security-a06248) to (bookmarks/Security) for (Security)
2018/03/27 09:25:01 ossec-agent: ERROR: Could not move (tmp/Security-a06248) to (bookmarks/Security) which returned (5)
2018/03/27 09:25:01 ossec-agent: ERROR: Could not rename_ex() temporary bookmark (tmp/Security-a06248) to (bookmarks/Security) for (Security)
2018/03/27 09:25:05 ossec-agent: ERROR: Could not move (tmp/Security-a06248) to (bookmarks/Security) which returned (5)
2018/03/27 09:25:05 ossec-agent: ERROR: Could not rename_ex() temporary bookmark (tmp/Security-a06248) to (bookmarks/Security) for (Security)
2018/03/27 09:25:15 ossec-agent: ERROR: Could not move (tmp/Security-a06248) to (bookmarks/Security) which returned (5)
2018/03/27 09:25:15 ossec-agent: ERROR: Could not rename_ex() temporary bookmark (tmp/Security-a06248) to (bookmarks/Security) for (Security)
2018/03/27 09:25:27 ossec-agent: ERROR: Could not move (tmp/Security-a06248) to (bookmarks/Security) which returned (5)
2018/03/27 09:25:27 ossec-agent: ERROR: Could not rename_ex() temporary bookmark (tmp/Security-a06248) to (bookmarks/Security) for (Security)
2018/03/27 09:25:27 ossec-agent: ERROR: Could not move (tmp/Security-a06248) to (bookmarks/Security) which returned (5)
2018/03/27 09:25:27 ossec-agent: ERROR: Could not rename_ex() temporary bookmark (tmp/Security-a06248) to (bookmarks/Security) for (Security)
2018/03/27 09:25:28 ossec-agent: ERROR: Could not move (tmp/Security-a06248) to (bookmarks/Security) which returned (5)
2018/03/27 09:25:28 ossec-agent: ERROR: Could not rename_ex() temporary bookmark (tmp/Security-a06248) to (bookmarks/Security) for (Security)
2018/03/27 09:25:28 ossec-agent: ERROR: Could not move (tmp/Security-a06248) to (bookmarks/Security) which returned (5)
2018/03/27 09:25:28 ossec-agent: ERROR: Could not rename_ex() temporary bookmark (tmp/Security-a06248) to (bookmarks/Security) for (Security)
2018/03/27 09:25:28 ossec-agent: ERROR: Could not move (tmp/Security-a06248) to (bookmarks/Security) which returned (5)
2018/03/27 09:25:28 ossec-agent: ERROR: Could not rename_ex() temporary bookmark (tmp/Security-a06248) to (bookmarks/Security) for (Security)
2018/03/27 09:25:28 ossec-agent: ERROR: Could not move (tmp/Security-a06248) to (bookmarks/Security) which returned (5)
2018/03/27 09:25:28 ossec-agent: ERROR: Could not rename_ex() temporary bookmark (tmp/Security-a06248) to (bookmarks/Security) for (Security)
2018/03/27 09:25:28 ossec-agent: ERROR: Could not move (tmp/Security-a06248) to (bookmarks/Security) which returned (5)
2018/03/27 09:25:28 ossec-agent: ERROR: Could not rename_ex() temporary bookmark (tmp/Security-a06248) to (bookmarks/Security) for (Security)
2018/03/27 09:25:29 ossec-agent: ERROR: Could not move (tmp/Security-a06248) to (bookmarks/Security) which returned (5)
2018/03/27 09:25:29 ossec-agent: ERROR: Could not rename_ex() temporary bookmark (tmp/Security-a06248) to (bookmarks/Security) for (Security)
2018/03/27 09:25:29 ossec-agent: ERROR: Could not move (tmp/Security-a06248) to (bookmarks/Security) which returned (5)
2018/03/27 09:25:29 ossec-agent: ERROR: Could not rename_ex() temporary bookmark (tmp/Security-a06248) to (bookmarks/Security) for (Security)
2018/03/27 09:25:29 ossec-agent: ERROR: Could not move (tmp/Security-a06248) to (bookmarks/Security) which returned (5)
2018/03/27 09:25:29 ossec-agent: ERROR: Could not rename_ex() temporary bookmark (tmp/Security-a06248) to (bookmarks/Security) for (Security)
2018/03/27 09:25:29 ossec-agent: ERROR: Could not move (tmp/Security-a06248) to (bookmarks/Security) which returned (5)
2018/03/27 09:25:29 ossec-agent: ERROR: Could not rename_ex() temporary bookmark (tmp/Security-a06248) to (bookmarks/Security) for (Security)
2018/03/27 09:25:29 ossec-agent: ERROR: Could not move (tmp/Security-a06248) to (bookmarks/Security) which returned (5)
2018/03/27 09:25:29 ossec-agent: ERROR: Could not rename_ex() temporary bookmark (tmp/Security-a06248) to (bookmarks/Security) for (Security)
2018/03/27 09:25:29 ossec-agent: ERROR: Could not move (tmp/Security-a06248) to (bookmarks/Security) which returned (5)
2018/03/27 09:25:29 ossec-agent: ERROR: Could not rename_ex() temporary bookmark (tmp/Security-a06248) to (bookmarks/Security) for (Security)
2018/03/27 09:25:29 ossec-agent: ERROR: Could not move (tmp/Security-a06248) to (bookmarks/Security) which returned (5)
2018/03/27 09:25:29 ossec-agent: ERROR: Could not rename_ex() temporary bookmark (tmp/Security-a06248) to (bookmarks/Security) for (Security)
2018/03/27 09:25:29 ossec-agent: ERROR: Could not move (tmp/Security-a06248) to (bookmarks/Security) which returned (5)
2018/03/27 09:25:29 ossec-agent: ERROR: Could not rename_ex() temporary bookmark (tmp/Security-a06248) to (bookmarks/Security) for (Security)
2018/03/27 09:25:29 ossec-agent: ERROR: Could not move (tmp/Security-a06248) to (bookmarks/Security) which returned (5)
2018/03/27 09:25:29 ossec-agent: ERROR: Could not rename_ex() temporary bookmark (tmp/Security-a06248) to (bookmarks/Security) for (Security)
2018/03/27 09:25:29 ossec-agent: ERROR: Could not move (tmp/Security-a06248) to (bookmarks/Security) which returned (5)
2018/03/27 09:25:29 ossec-agent: ERROR: Could not rename_ex() temporary bookmark (tmp/Security-a06248) to (bookmarks/Security) for (Security)
2018/03/27 09:25:29 ossec-agent: ERROR: Could not move (tmp/Security-a06248) to (bookmarks/Security) which returned (5)
2018/03/27 09:25:29 ossec-agent: ERROR: Could not rename_ex() temporary bookmark (tmp/Security-a06248) to (bookmarks/Security) for (Security)
2018/03/27 09:25:29 ossec-agent: ERROR: Could not move (tmp/Security-a06248) to (bookmarks/Security) which returned (5)
2018/03/27 09:25:29 ossec-agent: ERROR: Could not rename_ex() temporary bookmark (tmp/Security-a06248) to (bookmarks/Security) for (Security)
2018/03/27 09:25:30 ossec-agent: INFO: Syscheck scan frequency: 43200 seconds
2018/03/27 09:25:30 ossec-agent: ERROR: Could not move (tmp/Security-a06248) to (bookmarks/Security) which returned (5)
2018/03/27 09:25:30 ossec-agent: ERROR: Could not rename_ex() temporary bookmark (tmp/Security-a06248) to (bookmarks/Security) for (Security)
2018/03/27 09:25:30 ossec-agent: ERROR: Could not move (tmp/Security-a06248) to (bookmarks/Security) which returned (5)
2018/03/27 09:25:30 ossec-agent: ERROR: Could not rename_ex() temporary bookmark (tmp/Security-a06248) to (bookmarks/Security) for (Security)
2018/03/27 09:25:34 ossec-agent: ERROR: Could not move (tmp/Security-a06248) to (bookmarks/Security) which returned (5)
2018/03/27 09:25:34 ossec-agent: ERROR: Could not rename_ex() temporary bookmark (tmp/Security-a06248) to (bookmarks/Security) for (Security)
2018/03/27 09:26:00 ossec-agent: INFO: Starting syscheck scan (forwarding database).
2018/03/27 09:26:00 ossec-agent: INFO: Starting syscheck database (pre-scan).
2018/03/27 09:26:02 ossec-agent: ERROR: Could not move (tmp/Security-a06248) to (bookmarks/Security) which returned (5)
2018/03/27 09:26:02 ossec-agent: ERROR: Could not rename_ex() temporary bookmark (tmp/Security-a06248) to (bookmarks/Security) for (Security)
2018/03/27 09:26:06 ossec-agent: ERROR: Could not move (tmp/Security-a06248) to (bookmarks/Security) which returned (5)
2018/03/27 09:26:06 ossec-agent: ERROR: Could not rename_ex() temporary bookmark (tmp/Security-a06248) to (bookmarks/Security) for (Security)
2018/03/27 09:26:06 ossec-agent: ERROR: Could not move (tmp/Security-a06248) to (bookmarks/Security) which returned (5)
2018/03/27 09:26:06 ossec-agent: ERROR: Could not rename_ex() temporary bookmark (tmp/Security-a06248) to (bookmarks/Security) for (Security)
2018/03/27 09:26:06 ossec-agent: ERROR: Could not move (tmp/Security-a06248) to (bookmarks/Security) which returned (5)
2018/03/27 09:26:06 ossec-agent: ERROR: Could not rename_ex() temporary bookmark (tmp/Security-a06248) to (bookmarks/Security) for (Security)
2018/03/27 09:26:06 ossec-agent: ERROR: Could not move (tmp/Security-a06248) to (bookmarks/Security) which returned (5)
2018/03/27 09:26:06 ossec-agent: ERROR: Could not rename_ex() temporary bookmark (tmp/Security-a06248) to (bookmarks/Security) for (Security)
2018/03/27 09:26:06 ossec-agent: ERROR: Could not move (tmp/Security-a06248) to (bookmarks/Security) which returned (5)
2018/03/27 09:26:06 ossec-agent: ERROR: Could not rename_ex() temporary bookmark (tmp/Security-a06248) to (bookmarks/Security) for (Security)
2018/03/27 09:26:06 ossec-agent: ERROR: Could not move (tmp/Security-a06248) to (bookmarks/Security) which returned (5)
2018/03/27 09:26:06 ossec-agent: ERROR: Could not rename_ex() temporary bookmark (tmp/Security-a06248) to (bookmarks/Security) for (Security)
2018/03/27 09:26:06 ossec-agent: ERROR: Could not move (tmp/Security-a06248) to (bookmarks/Security) which returned (5)
2018/03/27 09:26:06 ossec-agent: ERROR: Could not rename_ex() temporary bookmark (tmp/Security-a06248) to (bookmarks/Security) for (Security)
2018/03/27 09:26:06 ossec-agent: ERROR: Could not move (tmp/Security-a06248) to (bookmarks/Security) which returned (5)
2018/03/27 09:26:06 ossec-agent: ERROR: Could not rename_ex() temporary bookmark (tmp/Security-a06248) to (bookmarks/Security) for (Security)
2018/03/27 09:26:06 ossec-agent: ERROR: Could not move (tmp/Security-a06248) to (bookmarks/Security) which returned (5)
2018/03/27 09:26:06 ossec-agent: ERROR: Could not rename_ex() temporary bookmark (tmp/Security-a06248) to (bookmarks/Security) for (Security)
2018/03/27 09:26:08 ossec-agent: INFO: Initializing real time file monitoring engine.
2018/03/27 09:26:08 ossec-agent: INFO: Real time file monitoring engine started.
2018/03/27 09:26:08 ossec-agent: INFO: Finished creating syscheck database (pre-scan completed).
2018/03/27 09:26:12 ossec-agent: ERROR: Could not move (tmp/Security-a06248) to (bookmarks/Security) which returned (5)
2018/03/27 09:26:12 ossec-agent: ERROR: Could not rename_ex() temporary bookmark (tmp/Security-a06248) to (bookmarks/Security) for (Security)
2018/03/27 09:26:18 ossec-agent: INFO: Ending syscheck scan (forwarding database).
2018/03/27 09:27:02 ossec-agent: ERROR: Could not move (tmp/Security-a06248) to (bookmarks/Security) which returned (5)
2018/03/27 09:27:02 ossec-agent: ERROR: Could not rename_ex() temporary bookmark (tmp/Security-a06248) to (bookmarks/Security) for (Security)
2018/03/27 09:29:38 ossec-agent: ERROR: Could not move (tmp/Security-a09436) to (bookmarks/Security) which returned (5)
2018/03/27 09:29:38 ossec-agent: ERROR: Could not rename_ex() temporary bookmark (tmp/Security-a09436) to (bookmarks/Security) for (Security)
2018/03/27 09:30:06 ossec-agent: ERROR: Could not move (tmp/Security-a09436) to (bookmarks/Security) which returned (5)
2018/03/27 09:30:06 ossec-agent: ERROR: Could not rename_ex() temporary bookmark (tmp/Security-a09436) to (bookmarks/Security) for (Security)
2018/03/27 09:31:28 ossec-agent: ERROR: Could not move (tmp/Security-a09436) to (bookmarks/Security) which returned (5)
2018/03/27 09:31:28 ossec-agent: ERROR: Could not rename_ex() temporary bookmark (tmp/Security-a09436) to (bookmarks/Security) for (Security)
2018/03/27 09:31:58 ossec-agent: ERROR: Could not move (tmp/Security-a09436) to (bookmarks/Security) which returned (5)
2018/03/27 09:31:58 ossec-agent: ERROR: Could not rename_ex() temporary bookmark (tmp/Security-a09436) to (bookmarks/Security) for (Security)
2018/03/27 09:31:58 ossec-agent: ERROR: Could not move (tmp/Security-a09436) to (bookmarks/Security) which returned (5)
2018/03/27 09:31:58 ossec-agent: ERROR: Could not rename_ex() temporary bookmark (tmp/Security-a09436) to (bookmarks/Security) for (Security)
2018/03/27 09:31:58 ossec-agent: ERROR: Could not move (tmp/Security-a09436) to (bookmarks/Security) which returned (5)
2018/03/27 09:31:58 ossec-agent: ERROR: Could not rename_ex() temporary bookmark (tmp/Security-a09436) to (bookmarks/Security) for (Security)
2018/03/27 09:33:42 ossec-agent: ERROR: Could not move (tmp/Security-a09436) to (bookmarks/Security) which returned (5)
2018/03/27 09:33:42 ossec-agent: ERROR: Could not rename_ex() temporary bookmark (tmp/Security-a09436) to (bookmarks/Security) for (Security)

//////////////////////////////////////////////////////////////////////////////////////////////////

However the output also says the agent installed successfully:

MSI (s) (1C:F8) [09:24:58:579]: Product: Wazuh Agent 3.2.1 -- Installation completed successfully.

MSI (s) (1C:F8) [09:24:58:579]: Windows Installer installed the product. Product Name: Wazuh Agent 3.2.1. Product Version: 3.2.1. Product Language: 1033. Manufacturer: Wazuh, Inc.. Installation success or error status: 0.

=== Logging stopped: 3/27/2018  9:24:58 ===


Robert H

Mar 28, 2018, 5:44:33 PM3/28/18
to Wazuh mailing list
**Update**  

It appears that the McAfee Anti-Virus Threat Protection is causing the error.  Even though the file/NTFS file system permissions are correct, we were able to resolve the error when disabling/exempting the Anti-Virus software.  We are working to create an enterprise exemption for it to have a global resolution.


Regards,
Robert

Santiago Bassett

Mar 30, 2018, 12:28:49 PM3/30/18
to Robert H, Wazuh mailing list
Thanks Robert for the feedback, good to know.

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+unsubscribe@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/2e1239af-8ba8-4a52-a092-edbb5d3b4ec4%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

Robert H

Apr 4, 2018, 5:57:02 PM4/4/18
to Wazuh mailing list
Santiago,
Could you tell me what/how the /tmp and /bookmarks directories are involved with the agent?  Why does it need to write a file there and move it, for example?  Does it affect log flow, or the rootkit check, etc.?

Thanks,
Robert

Victor Fernandez

Jun 2, 2018, 6:31:18 AM6/2/18
to Robert H, Wazuh mailing list
Hi Robert and Santiago,

According to the Windows System error codes, error code 5 means "Access denied". Indeed, this is due to a folder permission issue or to another application blocking the operation.

The folders "tmp" and "bookmarks" must have full permissions for the user "SYSTEM", because the Wazuh Agent runs as a system service.

This issue affects the Windows Event Channel logs; they are enabled with settings like this:
<localfile>
  <location>Security</location>
  <log_format>eventchannel</log_format>
  <query>Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447]</query>
</localfile>
The folder "bookmarks" saves the EventChannel bookmarks, that is, the position of the agent's reader in the log. This prevents the agent from reporting the entire Windows EventChannel log every time it's started. The agent periodically creates a bookmark file in the folder "tmp" and then moves it to the folder "bookmarks", overwriting the previous position.

Hope it helps.

Best regards,


Victor M Fernandez-Castro 
IT Engineer — Wazuh, Inc.

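Victor's explanation of the tmp-then-bookmarks move and Robert's question about why the agent writes a file and then moves it are both about the same pattern: write the new reader position to a temporary file, then rename it over the real bookmark so the last good position is never half-written or lost. The block below is an added illustration of that pattern in Python, written for this thread; it is not the Wazuh agent's code. The `tmp/<channel>-<pid>` naming is taken from the log lines above, while the bookmark content format (a plain integer), the function names and the injectable `move` parameter are assumptions made for the demonstration. The failure path stands in for the "which returned (5)" case: when the move is refused, the previous bookmark stays intact and the temporary file is cleaned up.

```python
"""Write-to-tmp-then-rename bookmark persistence, modelled on the pattern
described for the Wazuh agent's Windows EventChannel reader.

Added illustration only: function names, the integer bookmark content and
the injectable `move` hook are assumptions, not the agent's implementation.
"""
import os
import tempfile
from pathlib import Path


def bookmark_paths(base_dir, channel, pid=None):
    """Return (temporary path, final path) for a channel's bookmark.
    Assumption: the temp name is '<channel>-<pid>', matching the log lines."""
    pid = os.getpid() if pid is None else pid
    base = Path(base_dir)
    return base / "tmp" / f"{channel}-{pid}", base / "bookmarks" / channel


def save_bookmark(base_dir, channel, position, move=os.replace):
    """Persist the reader position for `channel`.

    The value is written to tmp/ first and then renamed over
    bookmarks/<channel>. If the process dies mid-write, or the rename is
    refused (errno 13 on POSIX, Windows error 5 in the agent log), the
    previous bookmark is untouched and the reader does not restart from
    the beginning of the channel. Returns True on success, False when the
    move failed. `move` is injectable so the failure path can be tested.
    """
    tmp_path, final_path = bookmark_paths(base_dir, channel)
    tmp_path.parent.mkdir(parents=True, exist_ok=True)
    final_path.parent.mkdir(parents=True, exist_ok=True)
    with open(tmp_path, "w", encoding="utf-8") as fh:
        fh.write(str(position))
        fh.flush()
        os.fsync(fh.fileno())  # data is on disk before it becomes the bookmark
    try:
        move(tmp_path, final_path)
    except OSError as exc:
        # Same shape as the agent's "Could not move ... which returned (N)":
        # report it, discard the temp file, keep the last good bookmark.
        print(f"ERROR: Could not move ({tmp_path}) to ({final_path}) "
              f"which returned ({exc.errno})")
        tmp_path.unlink(missing_ok=True)
        return False
    return True


def load_bookmark(base_dir, channel):
    """Return the last persisted position, or None when no bookmark exists
    (the reader would then have to start from the beginning of the log)."""
    _, final_path = bookmark_paths(base_dir, channel)
    try:
        return int(final_path.read_text(encoding="utf-8"))
    except FileNotFoundError:
        return None


def denied_move(src, dst):
    """Stand-in for a rename blocked by ACLs or an AV filter driver."""
    raise PermissionError(13, "Permission denied", str(src))


def demo():
    """Happy path, then a refused move, in a scratch directory.
    Returns (first save ok, position after it, second save ok,
    position after the refused move, leftover files in tmp/)."""
    with tempfile.TemporaryDirectory() as base:
        ok1 = save_bookmark(base, "Security", 1000)
        first = load_bookmark(base, "Security")
        ok2 = save_bookmark(base, "Security", 2000, move=denied_move)
        after_failure = load_bookmark(base, "Security")
        leftover = list((Path(base) / "tmp").iterdir())
        return ok1, first, ok2, after_failure, len(leftover)


if __name__ == "__main__":
    print(demo())
```

The point of the two-step write is visible in `demo()`: after the refused move the bookmark still reads 1000, so the only consequence of a blocked rename is a stale position (and a noisy log), not a corrupted or missing bookmark. On the agent side that stale position is what makes the thread's errors worth fixing rather than ignoring: every restart would replay events from the last bookmark that did get written.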

Robert H

Jun 5, 2018, 4:59:34 PM6/5/18
to Wazuh mailing list
Thanks for the additional information Victor!

Regards,
Robert