Dear Support Team,
Please check and help resolve the issue with ossec-agent (v. 3.8.0) on Windows Server 2016 (1607, OS Build 14393.7785).
After the 'OSSEC HIDS' service starts, it stops unexpectedly (((
In the Windows Application event log we see an error with EventID=1000 (Application Error, see below).
Thanks in advance
=== Windows Application Eventlog Error
Faulting application name: ossec-agent.exe, version: 0.0.0.0, time stamp: 0x678d4bfe
Faulting module name: msvcrt.dll, version: 7.0.14393.7254, time stamp: 0x66ac72f7
Exception code: 0xc0000005
Fault offset: 0x0008945a
Faulting process id: 0x959c
Faulting application start time: 0x01db91e57827ce05
Faulting application path: C:\Program Files (x86)\ossec-agent\ossec-agent.exe
Faulting module path: C:\Windows\System32\msvcrt.dll
Report Id: 046e3145-7c15-47ba-8162-0a8202e837eb
Faulting package full name:
Faulting package-relative application ID:
=== ossec.conf (real IP - hidden)
<ossec_config>
<client>
<server-ip>XXX.XXX.XXX.XXX</server-ip>
</client>
<syscheck>
<disabled>no</disabled>
<alert_new_files>yes</alert_new_files>
<directories check_all="yes" restrict=".exe$|.dll$|.sys$">%WINDIR%\system32</directories>
<directories check_all="yes" restrict=".exe$|.dll$|.sys$">%windir%\SysWOW64</directories>
<directories check_all="yes" realtime="yes">%WINDIR%\System32\drivers\etc</directories>
<registry_ignore>HKEY_LOCAL_MACHINE</registry_ignore>
</syscheck>
</ossec_config>
=== ossec.log (Windows Debug = 2)
2025/03/10 19:54:28 ossec-agent: DEBUG: Reading agent configuration.
2025/03/10 19:54:28 ossec-agent: Using notify time: 600 and max time to reconnect: 1800
2025/03/10 19:54:28 ossec-agent: DEBUG: Reading logcollector configuration.
2025/03/10 19:54:28 WARN: Cannot open shared/agent.conf: XMLERR: File 'shared/agent.conf' not found.
2025/03/10 19:54:28 ossec-agent(1905): INFO: No file configured to monitor.
2025/03/10 19:54:28 ossec-execd(1350): INFO: Active response disabled. Exiting.
2025/03/10 19:54:28 ossec-agent(1410): INFO: Reading authentication keys file.
2025/03/10 19:54:28 ossec-agent: OS_StartCounter: keysize: 1
2025/03/10 19:54:28 ossec-agent: INFO: Assigning counter for agent psm1.ad.upc.intranet: '31420:3110'.
2025/03/10 19:54:28 ossec-agent: INFO: Assigning sender counter: 8638:7117
2025/03/10 19:54:28 ossec-agent: DEBUG: Stored counter.
2025/03/10 19:54:28 ossec-agentd: INFO: Trying to connect to server XXX.XXX.XXX.XXX, port 1514.
2025/03/10 19:54:28 INFO: Connected to XXX.XXX.XXX.XXX at address XXX.XXX.XXX.XXX:1514, port 1514
2025/03/10 19:54:28 ossec-agent: DEBUG: Creating thread mutex.
2025/03/10 19:54:28 ossec-agent: Starting syscheckd thread.
2025/03/10 19:54:28 ossec-syscheckd: DEBUG: Starting ...
2025/03/10 19:54:28 syscheckd: Reading Configuration [ossec.conf]
2025/03/10 19:54:28 syscheckd: Reading Client Configuration [ossec.conf]
2025/03/10 19:54:28 WARN: Cannot open shared/agent.conf: XMLERR: File 'shared/agent.conf' not found.
2025/03/10 19:54:28 rootcheck: DEBUG: Starting ...
2025/03/10 19:54:28 WARN: Cannot open shared/agent.conf: XMLERR: File 'shared/agent.conf' not found.
2025/03/10 19:54:28 ossec-rootcheck: INFO: Started (pid: 38300).
2025/03/10 19:54:28 ossec-syscheckd: INFO: Monitoring directory: 'C:\Windows\system32', with options perm | size | owner | group | md5sum | sha1sum.
2025/03/10 19:54:28 ossec-syscheckd: INFO: Monitoring directory: 'C:\Windows\SysWOW64', with options perm | size | owner | group | md5sum | sha1sum.
2025/03/10 19:54:28 ossec-syscheckd: INFO: Monitoring directory: 'C:\Windows\System32\drivers\etc', with options perm | size | owner | group | md5sum | sha1sum | realtime.
2025/03/10 19:54:28 ossec-syscheckd: INFO: Started (pid: 38300).
2025/03/10 19:54:29 ossec-agentd(4102): INFO: Connected to server XXX.XXX.XXX.XXX, port 1514.
2025/03/10 19:54:29 Cannot unlink /var/ossec.wait: No such file or directory
2025/03/10 19:54:29 ossec-agent: DEBUG: Sending keep alive message.
2025/03/10 19:54:29 ossec-agent: DEBUG: Sending keep alive: #!-Microsoft Windows Server 2012 Standard Edition (Build 9200) - OSSEC HIDS v3.8.0 b54e4255a287de4389657547ef0cc053 merged.mg
2025/03/10 19:54:29 ossec-agent: INFO: System is Vista or newer (Microsoft Windows Server 2012 Standard Edition (Build 9200) - OSSEC HIDS v3.8.0).
2025/03/10 19:54:29 ossec-logcollector: DEBUG: Entering LogCollectorStart().
2025/03/10 19:54:29 ossec-logcollector: INFO: Started (pid: 38300).
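A small triage script, added here as an example (it is not part of the support request and not OSSEC's own code), that turns the EventID 1000 record and the ossec.log excerpt above into structured fields: it decodes the exception code, reports the faulting module and offset, converts the PE link time stamp to a UTC date, lists which agent threads had logged "Started" before the crash, and pulls the OS string the agent sent in its keep-alive. The sample inputs are the lines quoted in the request; the NTSTATUS names are the standard Windows values.

```python
"""Triage helper for an OSSEC Windows agent crash (added example, not OSSEC code)."""
import re
from datetime import datetime, timezone

# Well-known NTSTATUS exception codes (standard Windows values).
NTSTATUS = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC000001D: "STATUS_ILLEGAL_INSTRUCTION",
    0xC00000FD: "STATUS_STACK_OVERFLOW",
    0xC0000374: "STATUS_HEAP_CORRUPTION",
    0xC0000409: "STATUS_STACK_BUFFER_OVERRUN",
}

# Sample input: the Application Error record quoted in the request.
EVENT_TEXT = r"""Faulting application name: ossec-agent.exe, version: 0.0.0.0, time stamp: 0x678d4bfe
Faulting module name: msvcrt.dll, version: 7.0.14393.7254, time stamp: 0x66ac72f7
Exception code: 0xc0000005
Fault offset: 0x0008945a
Faulting process id: 0x959c
Faulting application start time: 0x01db91e57827ce05
Faulting application path: C:\Program Files (x86)\ossec-agent\ossec-agent.exe
Faulting module path: C:\Windows\System32\msvcrt.dll
Report Id: 046e3145-7c15-47ba-8162-0a8202e837eb
Faulting package full name:
Faulting package-relative application ID:
"""

# Sample input: a subset of the ossec.log lines quoted in the request.
LOG_TEXT = r"""2025/03/10 19:54:28 ossec-agent: DEBUG: Reading agent configuration.
2025/03/10 19:54:28 WARN: Cannot open shared/agent.conf: XMLERR: File 'shared/agent.conf' not found.
2025/03/10 19:54:28 ossec-agentd: INFO: Trying to connect to server XXX.XXX.XXX.XXX, port 1514.
2025/03/10 19:54:28 ossec-rootcheck: INFO: Started (pid: 38300).
2025/03/10 19:54:28 ossec-syscheckd: INFO: Monitoring directory: 'C:\Windows\system32', with options perm | size | owner | group | md5sum | sha1sum.
2025/03/10 19:54:28 ossec-syscheckd: INFO: Monitoring directory: 'C:\Windows\System32\drivers\etc', with options perm | size | owner | group | md5sum | sha1sum | realtime.
2025/03/10 19:54:28 ossec-syscheckd: INFO: Started (pid: 38300).
2025/03/10 19:54:29 ossec-agentd(4102): INFO: Connected to server XXX.XXX.XXX.XXX, port 1514.
2025/03/10 19:54:29 Cannot unlink /var/ossec.wait: No such file or directory
2025/03/10 19:54:29 ossec-agent: DEBUG: Sending keep alive: #!-Microsoft Windows Server 2012 Standard Edition (Build 9200) - OSSEC HIDS v3.8.0 b54e4255a287de4389657547ef0cc053 merged.mg
2025/03/10 19:54:29 ossec-logcollector: INFO: Started (pid: 38300).
"""

_NAME_RE = re.compile(
    r"^Faulting (?P<kind>application|module) name: (?P<name>[^,]+), "
    r"version: (?P<version>[^,]+), time stamp: (?P<ts>0x[0-9a-fA-F]+)$"
)
# Log line: "<ts> [<component>[(<code>)]: ][<LEVEL>: ]<message>"; every part but
# the time stamp and message is optional in the excerpt above.
_LOG_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?:(?!(?:DEBUG|INFO|WARN|ERROR)\b)(?P<comp>[A-Za-z][\w-]*)(?:\((?P<code>\d+)\))?: )?"
    r"(?:(?P<level>DEBUG|INFO|WARN|ERROR): )?"
    r"(?P<msg>.*)$"
)
_STARTED_RE = re.compile(r"^Started \(pid: (?P<pid>\d+)\)")
_KEEPALIVE_RE = re.compile(r"Sending keep alive: #!-(?P<os>.+?) - OSSEC HIDS v(?P<ver>\S+)")


def parse_app_error(text):
    """Parse an EventID 1000 'Faulting application' record into a dict."""
    rec = {}
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        m = _NAME_RE.match(line)
        if m:
            k = m["kind"]
            rec[f"{k}_name"] = m["name"]
            rec[f"{k}_version"] = m["version"]
            # PE time stamps are link times in seconds since the Unix epoch.
            rec[f"{k}_build_utc"] = datetime.fromtimestamp(int(m["ts"], 16), tz=timezone.utc)
            continue
        key, sep, value = line.partition(": ")  # paths contain ':' so split on ': '
        if not sep:                              # "Faulting package full name:" (empty value)
            key = line.rstrip(":")
        rec[key.lower().replace(" ", "_").replace("-", "_")] = value.strip()
    code = int(rec["exception_code"], 16)
    rec["exception_code"] = code
    rec["exception_name"] = NTSTATUS.get(code, "UNKNOWN")
    rec["fault_offset"] = int(rec["fault_offset"], 16)
    rec["faulting_process_id"] = int(rec["faulting_process_id"], 16)
    return rec


def parse_ossec_log(text):
    """Split ossec.log lines into ts / component / code / level / message."""
    return [m.groupdict() for m in map(_LOG_RE.match, text.strip().splitlines()) if m]


def triage(event_text, log_text):
    """Combine the crash record with the log to summarise where the agent died."""
    err = parse_app_error(event_text)
    log = parse_ossec_log(log_text)
    started = [e["comp"] for e in log if _STARTED_RE.match(e["msg"])]
    reported_os = agent_version = None
    for e in log:
        m = _KEEPALIVE_RE.search(e["msg"])
        if m:
            reported_os, agent_version = m["os"], m["ver"]
    return {
        "exception": err["exception_name"],
        "module": err["module_name"],
        "offset": f"{err['module_name']}+0x{err['fault_offset']:x}",
        "app_build_utc": err["application_build_utc"],
        "started": started,
        "last_started": started[-1] if started else None,
        "realtime_dirs": [e["msg"] for e in log
                          if "Monitoring directory" in e["msg"] and "realtime" in e["msg"]],
        "warnings": sorted({e["msg"] for e in log if e["level"] == "WARN"}),
        "reported_os": reported_os,
        "agent_version": agent_version,
    }


if __name__ == "__main__":
    for k, v in triage(EVENT_TEXT, LOG_TEXT).items():
        print(f"{k}: {v}")
```

On the data above this reports STATUS_ACCESS_VIOLATION at msvcrt.dll+0x8945a with ossec-logcollector as the last thread to log "Started", which narrows where to look before collecting a crash dump through Windows Error Reporting LocalDumps or attaching a debugger. The OS string in the keep-alive ("Windows Server 2012 ... Build 9200") is what the agent reported, not necessarily the installed OS: Windows returns version 6.2 to executables that lack a compatibility manifest declaring support for newer releases, so treat that field as informational rather than as a sign of a misconfigured host.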