Strange problems with an agent


Francesco Mazzi

Aug 30, 2018, 3:49:04 AM
to Wazuh mailing list
Hello, after upgrading agent and server to 3.5.0 I have problems with two agents on Windows systems. I enabled whodata too; realtime is disabled.
On one server I see that there isn't an agent.conf file in the agent's shared folder, so it doesn't get the agent.conf configuration from the server.
On the other server, I get these messages flooding the log:

2018/08/30 09:12:29 ossec-agent: WARNING: Agent buffer at 90 %.
2018/08/30 09:12:30 ossec-agent: WARNING: Agent buffer is full: Events may be lost.
2018/08/30 09:12:34 ossec-agent: WARNING: Unknown message received. No action defined. Maybe restarted while receiving merged file?
2018/08/30 09:12:45 ossec-agent: WARNING: Agent buffer is flooded: Producing too many events.

Here agent.conf is present and is loaded correctly; in the log I see the folders to ignore, but I get many alerts related to file changes in these folders. How is that possible?
Here I monitor 18 folders, besides the default ones.
Thanks.

Francesco Mazzi

Aug 30, 2018, 4:18:00 AM
to Wazuh mailing list
Maybe I partially solved the second problem; it was due to an ownership change on these folders:

Integrity checksum changed for: 'xxx'
Ownership was ' (0)', now it is 'xxx'
Group ownership was ' (0)', now it is ' ()'
New sha256sum is : '9cda4826acadf70c028b541ea15a51341d8dc0e6040b9b87b168eafc66a379c0'

But the ownership change was made a long time ago; how is it possible to get notifications now?
The problem with ignored directories remains.

cris...@wazuh.com

Aug 30, 2018, 5:16:49 AM
to Wazuh mailing list
Hi Francesco,

About the first issue, if you are using UDP to connect agent and server, it is possible that the merged file is not being received, since the UDP protocol has a short buffer. Try connecting them with the TCP protocol and tell us if there are any more problems.

Your second issue seems to be a large number of events on the agent that can't be stored in the queue. In the ossec.conf file you can modify the queue_size option of the client_buffer section to a higher number; this could solve the problem you are having.
Can you copy your agent.conf file and your <directories> configuration from ossec.conf so we can find out what is happening with the ignored files?


Kind regards
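
The buffer warnings quoted at the top of this thread come from the agent's client buffer, which is a bounded queue of queue_size events that the agent drains towards the manager at a fixed rate. The following is an added illustration, not Wazuh code: a toy model of that queue, run with the 5000 and 10000 queue sizes mentioned in this thread. The drain rate of 500 events per second is an assumed value (the client_buffer option is events_per_second), the arrival numbers are constructed, and the real agent's warn/normal/tolerance tunables are left out.

```python
"""Toy model of the Wazuh agent client buffer (added illustration, not Wazuh code).

Assumptions: the buffer is a bounded FIFO of `queue_size` events that the agent
drains at `events_per_second`; arrivals that find it full are dropped.  The real
agent has further tunables (warn/normal levels, tolerance) that this model omits.
"""
from typing import Dict, Iterable, List, Optional


def simulate(queue_size: int, events_per_second: int, arrivals: List[int]) -> Dict[str, object]:
    """Advance one second per element of `arrivals` (events produced in that second).

    Returns dropped events, peak occupancy, the second in which the first event
    was lost (None if never), and the warnings the model would raise in order
    ("90%" then "full"), mirroring the messages quoted in the thread.
    """
    queue = 0
    dropped = 0
    peak = 0
    first_drop: Optional[int] = None
    warnings: List[str] = []
    for second, produced in enumerate(arrivals):
        accepted = min(produced, queue_size - queue)   # no room -> events are lost
        lost = produced - accepted
        if lost and first_drop is None:
            first_drop = second
        dropped += lost
        queue += accepted
        peak = max(peak, queue)
        if queue >= 0.9 * queue_size and "90%" not in warnings:
            warnings.append("90%")
        if queue == queue_size and "full" not in warnings:
            warnings.append("full")
        queue -= min(queue, events_per_second)          # forwarded to the manager
    return {"dropped": dropped, "peak": peak, "first_drop_second": first_drop, "warnings": warnings}


def compare_queue_sizes(sizes: Iterable[int], events_per_second: int, arrivals: List[int]) -> Dict[int, int]:
    """Dropped events per candidate queue_size for the same arrival pattern."""
    return {size: simulate(size, events_per_second, arrivals)["dropped"] for size in sizes}


# Scenario 1 (constructed): a one-second burst, e.g. a whodata storm on many web roots.
BURST = [12_000] + [0] * 30

# Scenario 2 (constructed): a producer that stays slightly above the drain rate.
SUSTAINED = [600] * 100

if __name__ == "__main__":
    for name, arrivals in (("burst", BURST), ("sustained", SUSTAINED)):
        print(name, compare_queue_sizes((5000, 10000), 500, arrivals))
        for size in (5000, 10000):
            print("  queue_size", size, simulate(size, 500, arrivals))
```

Raising queue_size from 5000 to 10000 absorbs a larger one-off burst, but under a sustained overload it only moves the first loss from second 45 to second 95; the drops then continue at the same rate. A whodata flood on 18 directories is the sustained case, so the lasting fix is fewer or better-scoped monitored paths (or a higher events_per_second), not a bigger queue.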

Francesco Mazzi

Aug 30, 2018, 6:32:14 AM
to Wazuh mailing list


On Thursday, August 30, 2018 at 11:16:49 AM UTC+2, cris...@wazuh.com wrote:
> Hi Francesco,
>
> About the first issue, if you are using UDP to connect agent and server, it could be possible that the merged file is not being received since the UDP protocol has a short buffer. Try to connect them with the TCP protocol and tell us if there are anymore problems.

If I remember correctly, I would have to change it on the server and on every client; that is a lot of work and it's not possible right now.
 

> Your second issue seems to be a large number of events on the agent that can't be stored at the queue. At the ossec.conf file you can modify the queue_size attribute from the client_buffer field to a higher number, this could solve this problem you are having.

I increased it from 5000 to 10000, let's see.
 
> Can you copy your agent.conf file and your <directories> configuration at ossec.conf to find out what is happening with the ignored files?

agent.conf:

<agent_config>
  <syscheck>
    <alert_new_files>yes</alert_new_files>
    <frequency>14400</frequency>
    <scan_on_start>no</scan_on_start>
  </syscheck>
</agent_config>

<agent_config name="xxx">
  <syscheck>
    <directories check_all="yes" whodata="yes">C:/aaa</directories>
    <directories check_all="yes" whodata="yes">C:/bbb</directories>
    <directories check_all="yes" whodata="yes">C:/ccc</directories>
    <directories check_all="yes" whodata="yes">C:/ddd</directories>
    <directories check_all="yes" whodata="yes">C:/eee</directories>
    <directories check_all="yes" whodata="yes">C:/fff</directories>
    <directories check_all="yes" whodata="yes">C:/ggg</directories>
    <directories check_all="yes" whodata="yes">C:/hhh</directories>
    <directories check_all="yes" whodata="yes">C:/iii</directories>
    <directories check_all="yes" whodata="yes">C:/jjj</directories>
    <directories check_all="yes" whodata="yes">C:/kkk</directories>
    <directories check_all="yes" whodata="yes">C:/lll</directories>
    <directories check_all="yes" whodata="yes">C:/mmm</directories>
    <directories check_all="yes" whodata="yes">C:/nnn</directories>
    <directories check_all="yes" whodata="yes">C:/ooo</directories>
    <directories check_all="yes" whodata="yes">C:/ppp</directories>
    <directories check_all="yes" whodata="yes">C:/Sito Web Lovingenova</directories>
    <directories check_all="yes" whodata="yes">C:/Sito Web Lovingenova Nuovo</directories>
    <ignore>C:/aaa/sites/default/files</ignore>
    <ignore>C:/bbb/sites/default/files</ignore>
    <ignore>C:/ccc/sites/default/files</ignore>
    <ignore>C:/ddd/sites/default/files</ignore>
    <ignore>C:/ddd/js/gmap_markers.js</ignore>
    <ignore>C:/eee/sites/default/files</ignore>
    <ignore>C:/fff/sites/default/files</ignore>
    <ignore>C:/ggg/sites/default/files</ignore>
    <ignore>C:/hhh/sites/default/files</ignore>
    <ignore>C:/iii/sites/default/files</ignore>
    <ignore>C:/jjj/sites/default/files</ignore>
    <ignore>C:/kkk/sites/default/files</ignore>
    <ignore>C:/lll/sites/default/files</ignore>
    <ignore>C:/mmm/sites/default/files</ignore>
    <ignore>C:/nnn/sites/default/files</ignore>
    <ignore>C:/ooo/sites/default/files</ignore>
    <ignore>C:/ppp/sites/default/files</ignore>
  </syscheck>
</agent_config>


syscheck in ossec.conf (agent); I didn't change it except for the queue size:

  <!-- File integrity monitoring -->
  <syscheck>
    
    <disabled>no</disabled>

    <!-- Frequency that syscheck is executed default every 12 hours -->
    <frequency>43200</frequency>

    <!-- Default files to be monitored. -->
    <directories check_all="yes">%WINDIR%/regedit.exe</directories>
    <directories check_all="yes">%WINDIR%/system.ini</directories>
    <directories check_all="yes">%WINDIR%/win.ini</directories>

    <directories check_all="yes">%WINDIR%/SysNative/at.exe</directories>
    <directories check_all="yes">%WINDIR%/SysNative/attrib.exe</directories>
    <directories check_all="yes">%WINDIR%/SysNative/cacls.exe</directories>
    <directories check_all="yes">%WINDIR%/SysNative/cmd.exe</directories>
    <directories check_all="yes">%WINDIR%/SysNative/drivers/etc</directories>
    <directories check_all="yes">%WINDIR%/SysNative/eventcreate.exe</directories>
    <directories check_all="yes">%WINDIR%/SysNative/ftp.exe</directories>
    <directories check_all="yes">%WINDIR%/SysNative/lsass.exe</directories>
    <directories check_all="yes">%WINDIR%/SysNative/net.exe</directories>
    <directories check_all="yes">%WINDIR%/SysNative/net1.exe</directories>
    <directories check_all="yes">%WINDIR%/SysNative/netsh.exe</directories>
    <directories check_all="yes">%WINDIR%/SysNative/reg.exe</directories>
    <directories check_all="yes">%WINDIR%/SysNative/regedt32.exe</directories>
    <directories check_all="yes">%WINDIR%/SysNative/regsvr32.exe</directories>
    <directories check_all="yes">%WINDIR%/SysNative/runas.exe</directories>
    <directories check_all="yes">%WINDIR%/SysNative/sc.exe</directories>
    <directories check_all="yes">%WINDIR%/SysNative/schtasks.exe</directories>
    <directories check_all="yes">%WINDIR%/SysNative/sethc.exe</directories>
    <directories check_all="yes">%WINDIR%/SysNative/subst.exe</directories>
    <directories check_all="yes">%WINDIR%/SysNative/wbem/WMIC.exe</directories>
    <directories check_all="yes">%WINDIR%/SysNative/WindowsPowerShell\v1.0\powershell.exe</directories>
    <directories check_all="yes">%WINDIR%/SysNative/winrm.vbs</directories>

    <!-- 32-bit programs. -->
    <directories check_all="yes">%WINDIR%/System32/at.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/attrib.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/cacls.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/cmd.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/drivers/etc</directories>
    <directories check_all="yes">%WINDIR%/System32/eventcreate.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/ftp.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/net.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/net1.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/netsh.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/reg.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/regedit.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/regedt32.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/regsvr32.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/runas.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/sc.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/schtasks.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/sethc.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/subst.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/wbem/WMIC.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/WindowsPowerShell\v1.0\powershell.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/winrm.vbs</directories>

    <directories check_all="yes" realtime="yes">%PROGRAMDATA%/Microsoft/Windows/Start Menu/Programs/Startup</directories>

    <ignore type="sregex">.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$</ignore>

    <!-- Windows registry entries to monitor. -->
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\batfile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\cmdfile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\comfile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\exefile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\piffile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Directory</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Folder</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Classes\Protocols</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Policies</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Security</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer</windows_registry>

    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg</windows_registry>

    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon</windows_registry>

    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components</windows_registry>

    <!-- Windows registry entries to ignore. -->
    <registry_ignore>HKEY_LOCAL_MACHINE\Security\Policy\Secrets</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users</registry_ignore>
    <registry_ignore type="sregex">\Enum$</registry_ignore>
  </syscheck>

This is an example notification:

Wazuh Notification.
2018 Aug 30 09:00:00

Received From: (vm-web23) 192.168.153.46->syscheck
Rule: 550 fired (level 7) -> "Integrity checksum changed."
Portion of the log(s):

Integrity checksum changed for: 'C:\iii\sites\default\files\js\gmap_markers.js'
(Audit) User: 'xxx'
(Audit) Process id: '2488'
(Audit) Process name: 'C:\Program Files (x86)\Apache Software Foundation\Apache2.2\bin\httpd.exe'



 --END OF NOTIFICATION


Thanks

cris...@wazuh.com

Aug 30, 2018, 7:30:36 AM
to Wazuh mailing list
Hi Francesco,

The paths you are trying to monitor and ignore in your configuration have the wrong slash ("/"); on Windows, paths are written with a backslash ("\"). Try replacing them and let us know if that worked, as well as any question you may have.

Regards
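
The alert Francesco pasted names the file as C:\iii\sites\default\files\js\gmap_markers.js, while the <ignore> entry meant to cover it reads C:/iii/sites/default/files. The script below is an added example, not Wazuh code, and assumes what Cristina's advice implies: the agent reports Windows event paths with backslashes and an <ignore> entry is matched as a literal path prefix, so a forward-slash entry never matches. It shows the literal comparison next to a separator-normalised one, and adds a small lint that parses an agent.conf (which may contain several top-level <agent_config> blocks) and flags Windows paths written with "/". The sample agent.conf and the event path are constructed, modelled on the ones in this thread.

```python
"""Why an <ignore> written with forward slashes can miss a Windows path.

Added illustration, not Wazuh source.  Assumption: on Windows the agent reports
event paths with backslashes (as the alert in this thread does) and an <ignore>
entry is matched as a literal path prefix; a normalised comparison is shown
alongside for contrast.
"""
import re
import xml.etree.ElementTree as ET
from typing import List


def _norm(path: str) -> str:
    """Fold both separator styles to backslash and lower-case (NTFS is case-insensitive)."""
    return path.replace("/", "\\").rstrip("\\").lower()


def is_ignored(event_path: str, ignores: List[str], normalise: bool) -> bool:
    """Prefix match of an event path against <ignore> entries.

    normalise=False is the literal comparison assumed above; normalise=True also
    guards against 'files' matching 'files2' by requiring a separator boundary.
    """
    for entry in ignores:
        if normalise:
            ev, ig = _norm(event_path), _norm(entry)
            if ev == ig or ev.startswith(ig + "\\"):
                return True
        elif event_path.startswith(entry):
            return True
    return False


WIN_FWD = re.compile(r"^[A-Za-z]:/")   # drive letter followed by a forward slash


def lint_agent_conf(text: str) -> List[str]:
    """Flag <directories>/<ignore> entries that look like Windows paths but use '/'.

    agent.conf may hold several top-level <agent_config> blocks, so the text is
    wrapped in a synthetic root before parsing.  type="sregex" ignores are
    patterns, not paths, and are skipped.  Comma-separated lists are split.
    """
    root = ET.fromstring("<root>" + text + "</root>")
    findings: List[str] = []
    for block in root.findall("agent_config"):
        label = block.get("name") or block.get("os") or "*"
        for elem in block.iter():
            if elem.tag not in ("directories", "ignore") or elem.get("type") == "sregex":
                continue
            for path in (elem.text or "").split(","):
                path = path.strip()
                if WIN_FWD.match(path):
                    findings.append(f'[{label}] <{elem.tag}> uses "/" in Windows path: {path}')
    return findings


# Constructed sample, modelled on the configuration posted in this thread.
SAMPLE_AGENT_CONF = """
<agent_config>
  <syscheck><frequency>14400</frequency></syscheck>
</agent_config>
<agent_config name="xxx">
  <syscheck>
    <directories check_all="yes" whodata="yes">C:/iii</directories>
    <directories check_all="yes">C:\\jjj,C:\\kkk</directories>
    <ignore>C:/iii/sites/default/files</ignore>
    <ignore type="sregex">.log$|.tmp$</ignore>
  </syscheck>
</agent_config>
"""

# Constructed event path, in the backslash form the alert in this thread uses.
EVENT = r"C:\iii\sites\default\files\js\gmap_markers.js"

if __name__ == "__main__":
    print(is_ignored(EVENT, ["C:/iii/sites/default/files"], normalise=False))  # literal: not ignored
    print(is_ignored(EVENT, ["C:/iii/sites/default/files"], normalise=True))   # normalised: ignored
    for finding in lint_agent_conf(SAMPLE_AGENT_CONF):
        print(finding)
```

Run the lint over a pushed agent.conf before restarting agents; the same check is worth keeping in whatever pipeline reviews centralized configuration, since the manager accepts the file without complaint and the only symptom is the noise Francesco saw.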

Francesco Mazzi

Aug 30, 2018, 9:04:09 AM
to Wazuh mailing list
Cristina, I changed the slashes to backslashes; let's see if it works.
There is still the problem with pushing the agent configuration to the client. What else should I try (besides changing UDP to TCP) in order to debug the problem?
Thanks

cris...@wazuh.com

Aug 31, 2018, 2:01:58 AM
to Wazuh mailing list
Hi Francesco,

The only solution for this problem is using TCP. As I said before, UDP doesn't allow passing such a big file as the merged file, which contains the configuration of the agent, since its queue is very short. Sorry for the inconvenience, but it is the only way to solve this issue.

Regards

Francesco Mazzi

Aug 31, 2018, 4:11:02 AM
to Wazuh mailing list
I have the ignored-directory problem again, but now on a Linux server.

<agent_config name="cloudlinux3">
  <syscheck>
    <directories check_all="yes" whodata="yes">/usr/share/phpMyAdmin</directories>
    <directories check_all="yes" whodata="yes">/var/www</directories>
    <ignore>/var/www/genovatransformation/sites/default/files</ignore>
    <ignore>/etc/webmin/system-status</ignore>
    <ignore>/etc/webmin/package-updates</ignore>
    <ignore>/var/www/fereggiano/plugins/system/zo2/framework/assets/zo2</ignore>
    <ignore>/var/www/fereggiano/templates/zo2_hallo/assets/zo2</ignore>
    <ignore>/var/www/fereggiano/images/imgarticoli</ignore>
  </syscheck>
</agent_config>

I got:

Wazuh Notification.
2018 Aug 31 10:01:33

Received From: (cloudlinux3) 192.168.111.3->syscheck

Rule: 550 fired (level 7) -> "Integrity checksum changed."
Portion of the log(s):

Integrity checksum changed for: '/etc/webmin/package-updates/updates.cache'
Old md5sum was: '5ced2c03bec61dc2b70109c6aec3a31c'
New md5sum is : '72aee086291c705f2d2ec5a47b276e2e'
Old sha1sum was: 'd39dce1c13b93678eafb29c96a3a213bde6a1b92'
New sha1sum is : '27ad3f5668e5cc29763ade77f9126bfa91768bb4'
New sha256sum is : 'b1b0da80ec617d118854f697995f2335eebb3bd32eec6cd9ab3a1241c19e9a6f'

I don't know why, but it began after the upgrade.
I think I'll upgrade to 3.6.0 and use TCP, and I hope that solves these problems.
Thanks 

Francesco Mazzi

Aug 31, 2018, 7:12:55 AM
to Wazuh mailing list
OK, I upgraded the manager and the agents. I think I solved the problem with pushing the centralized configuration; I think it was a corrupted installation of the agent. I got some errors during the upgrade, but I solved them.
Thank you

cris...@wazuh.com

Sep 3, 2018, 2:57:22 AM
to Wazuh mailing list
Great! Don't hesitate to ask us if you have any more problems.

Best regards