wazuh agent ERROR logs


Jacky Qin

Mar 30, 2020, 3:21:29 AM
to Wazuh mailing list
Hi,

There are many error logs in the ossec.log file of the Windows agent under my Wazuh manager. They are mainly of two types.

One.

2020/03/26 00:00:11 ossec-agent: INFO: Starting new log after rotation.
2020/03/26 00:00:15 ossec-agent: ERROR: Could not EvtFormatMessage() to determine buffer size with flags (1) which returned (1813)
2020/03/26 00:00:15 ossec-agent: ERROR: Could not get message for (System), provider (BALLOON)
2020/03/26 00:00:15 ossec-agent: ERROR: Could not EvtFormatMessage() to determine buffer size with flags (1) which returned (1813)
2020/03/26 00:00:15 ossec-agent: ERROR: Could not get message for (System), provider (BALLOON)
2020/03/26 00:00:15 ossec-agent: ERROR: Could not EvtFormatMessage() to determine buffer size with flags (1) which returned (1813)
2020/03/26 00:00:15 ossec-agent: ERROR: Could not get message for (System), provider (BALLOON)
2020/03/26 00:00:26 ossec-agent: ERROR: Could not EvtFormatMessage() to determine buffer size with flags (1) which returned (1813)
2020/03/26 00:00:26 ossec-agent: ERROR: Could not get message for (System), provider (BALLOON)
2020/03/26 00:00:26 ossec-agent: ERROR: Could not EvtFormatMessage() to determine buffer size with flags (1) which returned (1813)
2020/03/26 00:00:26 ossec-agent: ERROR: Could not get message for (System), provider (BALLOON)
2020/03/26 00:00:26 ossec-agent: ERROR: Could not EvtFormatMessage() to determine buffer size with flags (1) which returned (1813)
2020/03/26 00:00:26 ossec-agent: ERROR: Could not get message for (System), provider (BALLOON)
2020/03/26 00:00:35 ossec-agent: ERROR: Could not EvtFormatMessage() to determine buffer size with flags (1) which returned (1813)
2020/03/26 00:00:35 ossec-agent: ERROR: Could not get message for (System), provider (BALLOON)
2020/03/26 00:00:35 ossec-agent: ERROR: Could not EvtFormatMessage() to determine buffer size with flags (1) which returned (1813)
2020/03/26 00:00:35 ossec-agent: ERROR: Could not get message for (System), provider (BALLOON)
2020/03/26 00:00:35 ossec-agent: ERROR: Could not EvtFormatMessage() to determine buffer size with flags (1) which returned (1813)
2020/03/26 00:00:35 ossec-agent: ERROR: Could not get message for (System), provider (BALLOON)
2020/03/26 00:00:38 ossec-agent: ERROR: Could not get message for (System), provider (VirtioSerial)
2020/03/26 00:00:38 ossec-agent: ERROR: Could not get message for (System), provider (VirtioSerial)
2020/03/26 00:00:45 ossec-agent: ERROR: Could not EvtFormatMessage() to determine buffer size with flags (1) which returned (1813)
2020/03/26 00:00:45 ossec-agent: ERROR: Could not get message for (System), provider (BALLOON)
2020/03/26 00:00:45 ossec-agent: ERROR: Could not EvtFormatMessage() to determine buffer size with flags (1) which returned (1813)
2020/03/26 00:00:45 ossec-agent: ERROR: Could not get message for (System), provider (BALLOON)
2020/03/26 00:00:45 ossec-agent: ERROR: Could not EvtFormatMessage() to determine buffer size with flags (1) which returned (1813)
2020/03/26 00:00:45 ossec-agent: ERROR: Could not get message for (System), provider (BALLOON)
2020/03/26 00:00:55 ossec-agent: ERROR: Could not EvtFormatMessage() to determine buffer size with flags (1) which returned (1813)
2020/03/26 00:00:55 ossec-agent: ERROR: Could not get message for (System), provider (BALLOON)
2020/03/26 00:00:55 ossec-agent: ERROR: Could not EvtFormatMessage() to determine buffer size with flags (1) which returned (1813)
2020/03/26 00:00:55 ossec-agent: ERROR: Could not get message for (System), provider (BALLOON)
2020/03/26 00:00:55 ossec-agent: ERROR: Could not EvtFormatMessage() to determine buffer size with flags (1) which returned (1813)
2020/03/26 00:00:55 ossec-agent: ERROR: Could not get message for (System), provider (BALLOON)
2020/03/26 00:01:05 ossec-agent: ERROR: Could not EvtFormatMessage() to determine buffer size with flags (1) which returned (1813)
2020/03/26 00:01:05 ossec-agent: ERROR: Could not get message for (System), provider (BALLOON)
2020/03/26 00:01:06 ossec-agent: ERROR: Could not EvtFormatMessage() to determine buffer size with flags (1) which returned (1813)
2020/03/26 00:01:06 ossec-agent: ERROR: Could not get message for (System), provider (BALLOON)
2020/03/26 00:01:06 ossec-agent: ERROR: Could not EvtFormatMessage() to determine buffer size with flags (1) which returned (1813)
2020/03/26 00:01:06 ossec-agent: ERROR: Could not get message for (System), provider (BALLOON)
2020/03/26 00:01:15 ossec-agent: ERROR: Could not EvtFormatMessage() to determine buffer size with flags (1) which returned (1813)
2020/03/26 00:01:15 ossec-agent: ERROR: Could not get message for (System), provider (BALLOON)
2020/03/26 00:01:15 ossec-agent: ERROR: Could not EvtFormatMessage() to determine buffer size with flags (1) which returned (1813)
2020/03/26 00:01:15 ossec-agent: ERROR: Could not get message for (System), provider (BALLOON)
2020/03/26 00:01:15 ossec-agent: ERROR: Could not EvtFormatMessage() to determine buffer size with flags (1) which returned (1813)
2020/03/26 00:01:15 ossec-agent: ERROR: Could not get message for (System), provider (BALLOON)
2020/03/26 00:01:25 ossec-agent: ERROR: Could not EvtFormatMessage() to determine buffer size with flags (1) which returned (1813)
2020/03/26 00:01:25 ossec-agent: ERROR: Could not get message for (System), provider (BALLOON)
2020/03/26 00:01:25 ossec-agent: ERROR: Could not EvtFormatMessage() to determine buffer size with flags (1) which returned (1813)
2020/03/26 00:01:25 ossec-agent: ERROR: Could not get message for (System), provider (BALLOON)
2020/03/26 00:01:25 ossec-agent: ERROR: Could not EvtFormatMessage() to determine buffer size with flags (1) which returned (1813)
2020/03/26 00:01:25 ossec-agent: ERROR: Could not get message for (System), provider (BALLOON)
2020/03/26 00:01:35 ossec-agent: ERROR: Could not EvtFormatMessage() to determine buffer size with flags (1) which returned (1813)
2020/03/26 00:01:35 ossec-agent: ERROR: Could not get message for (System), provider (BALLOON)
2020/03/26 00:01:35 ossec-agent: ERROR: Could not EvtFormatMessage() to determine buffer size with flags (1) which returned (1813)
2020/03/26 00:01:35 ossec-agent: ERROR: Could not get message for (System), provider (BALLOON)
........

Two.

2020/03/26 00:00:24 ossec-agent: ERROR: Could not move (tmp/Security-a08732) to (bookmarks/Security) which returned (5)
2020/03/26 00:00:24 ossec-agent: ERROR: Could not rename_ex() temporary bookmark (tmp/Security-a08732) to (bookmarks/Security) for (Security)
2020/03/26 00:05:03 ossec-agent: ERROR: Could not move (tmp/Security-a08448) to (bookmarks/Security) which returned (5)
2020/03/26 00:05:03 ossec-agent: ERROR: Could not rename_ex() temporary bookmark (tmp/Security-a08448) to (bookmarks/Security) for (Security)
2020/03/26 00:05:07 ossec-agent: ERROR: Could not move (tmp/Security-a08448) to (bookmarks/Security) which returned (5)
2020/03/26 00:05:07 ossec-agent: ERROR: Could not rename_ex() temporary bookmark (tmp/Security-a08448) to (bookmarks/Security) for (Security)
2020/03/26 00:07:06 ossec-agent: ERROR: Could not move (tmp/Security-a08448) to (bookmarks/Security) which returned (5)
2020/03/26 00:07:06 ossec-agent: ERROR: Could not rename_ex() temporary bookmark (tmp/Security-a08448) to (bookmarks/Security) for (Security)
2020/03/26 00:07:06 ossec-agent: ERROR: Could not move (tmp/Security-a08448) to (bookmarks/Security) which returned (5)
2020/03/26 00:07:06 ossec-agent: ERROR: Could not rename_ex() temporary bookmark (tmp/Security-a08448) to (bookmarks/Security) for (Security)
2020/03/26 00:08:59 ossec-agent: ERROR: Could not move (tmp/Security-a08448) to (bookmarks/Security) which returned (5)
2020/03/26 00:08:59 ossec-agent: ERROR: Could not rename_ex() temporary bookmark (tmp/Security-a08448) to (bookmarks/Security) for (Security)
2020/03/26 00:09:05 ossec-agent: ERROR: Could not move (tmp/Security-a08448) to (bookmarks/Security) which returned (5)
2020/03/26 00:09:05 ossec-agent: ERROR: Could not rename_ex() temporary bookmark (tmp/Security-a08448) to (bookmarks/Security) for (Security)
2020/03/26 00:09:58 ossec-agent: ERROR: Could not move (tmp/Security-a06240) to (bookmarks/Security) which returned (5)
2020/03/26 00:09:58 ossec-agent: ERROR: Could not rename_ex() temporary bookmark (tmp/Security-a06240) to (bookmarks/Security) for (Security)
2020/03/26 00:13:03 ossec-agent: ERROR: Could not move (tmp/Security-a04468) to (bookmarks/Security) which returned (5)
2020/03/26 00:13:03 ossec-agent: ERROR: Could not rename_ex() temporary bookmark (tmp/Security-a04468) to (bookmarks/Security) for (Security)
2020/03/26 00:13:05 ossec-agent: ERROR: Could not move (tmp/Security-a06240) to (bookmarks/Security) which returned (5)
2020/03/26 00:13:05 ossec-agent: ERROR: Could not rename_ex() temporary bookmark (tmp/Security-a06240) to (bookmarks/Security) for (Security)
2020/03/26 00:15:10 ossec-agent: ERROR: Could not move (tmp/Security-a03292) to (bookmarks/Security) which returned (5)
2020/03/26 00:15:10 ossec-agent: ERROR: Could not rename_ex() temporary bookmark (tmp/Security-a03292) to (bookmarks/Security) for (Security)
2020/03/26 00:25:07 ossec-agent: ERROR: Could not move (tmp/Security-a07396) to (bookmarks/Security) which returned (5)
2020/03/26 00:25:07 2020/03/26 00:26:04 ossec-agent: ERROR: Could not move (tmp/Security-a07396) to (bookmarks/Security) which returned (5)
2020/03/26 00:26:04 ossec-agent: ERROR: Could not rename_ex() temporary bookmark (tmp/Security-a07396) to (bookmarks/Security) for (Security)
2020/03/26 00:27:42 ossec-agent: ERROR: Could not move (tmp/Security-a05572) to (bookmarks/Security) which returned (5)
2020/03/26 00:27:42 ossec-agent: ERROR: Could not rename_ex() temporary bookmark (tmp/Security-a05572) to (bookmarks/Security) for (Security)
2020/03/26 00:29:04 ossec-agent: ERROR: Could not move (tmp/Security-a05572) to (bookmarks/Security) which returned (5)
2020/03/26 00:29:04 ossec-agent: ERROR: Could not rename_ex() temporary bookmark (tmp/Security-a05572) to (bookmarks/Security) for (Security)
2020/03/26 00:30:00 ossec-agent: ERROR: Could not move (tmp/Security-a07396) to (bookmarks/Security) which returned (5)
2020/03/26 00:30:00 ossec-agent: ERROR: Could not rename_ex() temporary bookmark (tmp/Security-a07396) to (bookmarks/Security) for (Security)
2020/03/26 00:30:01 ossec-agent: ERROR: Could not move (tmp/Security-a07396) to (bookmarks/Security) which returned (5)
2020/03/26 00:30:01 ossec-agent: ERROR: Could not rename_ex() temporary bookmark (tmp/Security-a07396) to (bookmarks/Security) for (Security)
2020/03/26 00:30:59 ossec-agent: ERROR: Could not move (tmp/Security-a05572) to (bookmarks/Security) which returned (5)
2020/03/26 00:30:59 ossec-agent: ERROR: Could not rename_ex() temporary bookmark (tmp/Security-a05572) to (bookmarks/Security) for (Security)
2020/03/26 00:33:06 ossec-agent: ERROR: Could not move (tmp/Security-a04892) to (bookmarks/Security) which returned (5)
2020/03/26 00:33:06 ossec-agent: ERROR: Could not rename_ex() temporary bookmark (tmp/Security-a04892) to (bookmarks/Security) for (Security)

What are the causes of these two kinds of logs? What is the impact on Wazuh? How can it be fixed? Thank you.

Best regards,
Jacky Qin

José Manuel López del Río

Mar 30, 2020, 1:54:09 PM
to Wazuh mailing list
Hello Jacky,
 
According to the Windows error codes, the first error is a formatting error caused by not finding a specific resource type. This is generating conflicts and not allowing the Wazuh agent to monitor the events coming from the provider Balloon, under the default Security channel.

Regarding your second error, it is due to a permissions issue with the folders tmp and bookmarks; it translates to "Access is denied" in the Windows error codes. The user "SYSTEM" needs full permissions on them, since the Wazuh agent runs as a system service, as mentioned in the following thread: https://groups.google.com/forum/#!topic/wazuh/BWhMeHiDIWk

The folder "bookmarks" saves the EventChannel bookmarks, that is, the position of the agent's reader in the log. This prevents the agent from reporting the entire Windows EventChannel log every time it starts. The agent periodically creates a bookmark file in the folder "tmp" and then moves it to the folder "bookmarks", overwriting the previous position.

I hope that helps.
Regards.
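As an added example (not code from the thread or from Wazuh), a small Python triage script that parses the two kinds of ossec.log error lines quoted above, counts them by category and detail, and names the Win32 error code in the "which returned (N)" suffix. The sample lines are constructed from the patterns in the thread; the code-to-name mapping (5 = ERROR_ACCESS_DENIED, 1813 = ERROR_RESOURCE_TYPE_NOT_FOUND) is the standard Win32 system error table.

```python
import re
from collections import Counter

# Constructed sample of ossec.log lines, following the patterns quoted in the thread.
SAMPLE_LOG = """\
2020/03/26 00:00:11 ossec-agent: INFO: Starting new log after rotation.
2020/03/26 00:00:15 ossec-agent: ERROR: Could not EvtFormatMessage() to determine buffer size with flags (1) which returned (1813)
2020/03/26 00:00:15 ossec-agent: ERROR: Could not get message for (System), provider (BALLOON)
2020/03/26 00:00:38 ossec-agent: ERROR: Could not get message for (System), provider (VirtioSerial)
2020/03/26 00:00:24 ossec-agent: ERROR: Could not move (tmp/Security-a08732) to (bookmarks/Security) which returned (5)
2020/03/26 00:00:24 ossec-agent: ERROR: Could not rename_ex() temporary bookmark (tmp/Security-a08732) to (bookmarks/Security) for (Security)
"""

# Standard Win32 system error codes that appear in the "which returned (N)" suffix.
WIN32_ERRORS = {5: "ERROR_ACCESS_DENIED", 1813: "ERROR_RESOURCE_TYPE_NOT_FOUND"}
ERROR_RE = re.compile(r"^\S+ \S+ ossec-agent: ERROR: (.*)$")
# (category, regex) pairs; the captured groups become the detail the count is keyed on.
PATTERNS = [
    ("message_format", re.compile(r"Could not EvtFormatMessage\(\).*returned \((\d+)\)")),
    ("message_format", re.compile(r"Could not get message for \((\w+)\), provider \((\w+)\)")),
    ("bookmark_rename", re.compile(r"Could not (?:move|rename_ex\(\) temporary bookmark) \(\S+\) to \((\S+)\)(?: which returned \((\d+)\))?")),
]

def describe_code(code):
    """Render a Win32 error code as 'N (NAME)'; codes not in the table stay numeric."""
    return f"{code} ({WIN32_ERRORS.get(int(code), 'unknown')})"

def triage(log_text):
    """Count ERROR lines by (category, detail); unmatched ERROR lines land under 'other'."""
    counts = Counter()
    for line in log_text.splitlines():
        m = ERROR_RE.match(line)
        if not m:
            continue  # INFO/WARNING lines are not part of the triage
        msg = m.group(1)
        for category, pattern in PATTERNS:
            hit = pattern.search(msg)
            if hit:
                detail = " ".join(describe_code(g) if g.isdigit() else g
                                  for g in hit.groups() if g)
                counts[(category, detail)] += 1
                break
        else:
            counts[("other", msg)] += 1
    return counts

if __name__ == "__main__":
    for (category, detail), n in triage(SAMPLE_LOG).most_common():
        print(f"{n:>4}  {category:<16} {detail}")
```

Run it against a real ossec.log (`triage(open(path).read())`) to see how many of the errors are the resource-lookup kind versus the bookmark-permission kind before touching folder ACLs.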

Jacky Qin

Apr 1, 2020, 9:38:38 PM
to Wazuh mailing list
Hi José Manuel López del Río,

Although still confused, I can understand that there is no big impact and it can be ignored.

Best regards,
Jacky Qin
On Tuesday, March 31, 2020 at 1:54:09 AM UTC+8, José Manuel López del Río wrote: