If the OSSEC Agent is unexpectedly crashing, Windows can be configured to automatically generate a memory dump (.dmp) file whenever the crash occurs. This dump contains the state of the process at the exact moment of the failure and is an invaluable tool for troubleshooting.
When is this useful?
Enabling crash dumps is recommended when you experience issues such as:
- The ossec-agent service stops unexpectedly.
- The agent repeatedly crashes or restarts.
- Windows Event Viewer reports an application fault for ossec-agent.exe.
- The agent terminates without a clear error message in ossec.log.
- Support has requested additional diagnostic information to investigate a crash.
What information does a crash dump provide?
A crash dump captures information including:
- The call stack at the time of the crash.
- Loaded modules and libraries.
- Memory contents relevant to the process.
- Thread information.
- Exception details that caused the application to terminate.
This information allows support and development teams to determine exactly where and why the crash occurred, often identifying software defects, third-party interactions, or environmental issues that are not visible in standard log files.
What does the script do?
The PowerShell script:
- Creates a directory to store crash dumps (C:\Dumps\OSSEC-Agent).
- Configures Windows Error Reporting (WER) to generate crash dumps for ossec-agent.exe.
- Stores up to 10 dump files before the oldest dumps are deleted to make room for new ones.
- Configures Windows to generate full process dumps, which provide the most complete diagnostic information.
Does enabling crash dumps affect normal operation?
No. The configuration has no effect during normal operation; Windows Error Reporting only writes a dump file when ossec-agent.exe actually crashes.
The only noticeable impact is disk space after a crash. Full dump files are typically tens to hundreds of megabytes, depending on how much memory the OSSEC Agent was using at the time of the crash. Because a full dump is a copy of the process's memory, it can also contain sensitive data such as the agent's key material and configuration, so store the dump folder on a volume with appropriate access controls and share dump files only over a trusted channel.
After a crash occurs
If the OSSEC Agent crashes after crash dumps have been enabled, a .dmp file will be created in:
C:\Dumps\OSSEC-Agent
The dump file, along with the ossec.log file and any relevant Windows Event Viewer Application logs, can then be provided to Atomicorp Support for analysis.
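The following PowerShell script is an added example (not part of the original article or of the OSSEC/Atomicorp tooling) that collects the pieces listed above into one archive for support: the newest .dmp file from C:\Dumps\OSSEC-Agent, ossec.log, and the Application-log crash events for ossec-agent.exe. The ossec.log path is an assumption (the agent's default install location); change it if your agent is installed elsewhere.

```powershell
# Added example, not from the original article. Bundles the newest crash dump,
# ossec.log and the matching Application-log crash events for Atomicorp Support.
# Assumptions: dump folder from enable-dmp.ps1; ossec.log at the default install path.
$DumpFolder = "C:\Dumps\OSSEC-Agent"
$OssecLog   = "C:\Program Files (x86)\ossec-agent\ossec.log"   # assumption: default install path
$Stamp      = Get-Date -Format "yyyyMMdd-HHmmss"
$Staging    = Join-Path $env:TEMP "ossec-crash-$Stamp"
New-Item -ItemType Directory -Path $Staging -Force | Out-Null

# Take only the newest dump; each full dump can be hundreds of MB.
$Dump = Get-ChildItem -Path $DumpFolder -Filter *.dmp -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime -Descending | Select-Object -First 1
if ($Dump) {
    Copy-Item -Path $Dump.FullName -Destination $Staging
} else {
    Write-Warning "No .dmp file found in $DumpFolder (has the agent crashed since dumps were enabled?)"
}

if (Test-Path $OssecLog) {
    Copy-Item -Path $OssecLog -Destination $Staging
} else {
    Write-Warning "ossec.log not found at $OssecLog; adjust `$OssecLog to your install path"
}

# Application crashes are recorded by the "Application Error" provider as Event ID 1000.
# Keep only the events whose message names ossec-agent.exe.
$Events = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'Application Error'; Id = 1000 } -ErrorAction SilentlyContinue |
          Where-Object { $_.Message -match 'ossec-agent\.exe' } |
          Select-Object TimeCreated, Id, Message
$Events | Format-List | Out-File -FilePath (Join-Path $Staging "application-error-events.txt")

$Zip = Join-Path $env:USERPROFILE "Desktop\ossec-crash-$Stamp.zip"
Compress-Archive -Path (Join-Path $Staging '*') -DestinationPath $Zip -Force
Write-Host "Support bundle written to $Zip"
Write-Host "The bundle contains process memory from the agent; handle it as sensitive data."
```

Run it from an elevated PowerShell so that the dump folder and ossec.log are readable; the resulting .zip is the file to attach when contacting support.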
Enabling dmp Using Powershell
Make sure that you are able to run scripts, or temporarily allow them for the current PowerShell session with:

Set-ExecutionPolicy -Scope Process Bypass

Next, copy the script below and save it as a .ps1 file using Notepad.
$ProcessName = "ossec-agent.exe"
$DumpFolder  = "C:\Dumps\OSSEC-Agent"
$DumpCount   = 10
$DumpType    = 2   # 2 = full dump, 1 = mini dump

# Create the dump folder
New-Item -ItemType Directory -Path $DumpFolder -Force | Out-Null

# Allow users/services to write dumps.
# Note: this grants every local account modify access to the folder, and the dumps
# contain agent memory. Restrict it to the account the agent runs as (normally SYSTEM)
# if untrusted users can log on to this host.
icacls $DumpFolder /grant "Everyone:(OI)(CI)M" /T

# Per-process WER LocalDumps key; it only applies to the named executable
$RegPath = "HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\$ProcessName"

# Create the registry key
New-Item -Path $RegPath -Force | Out-Null

# Configure dump settings
New-ItemProperty -Path $RegPath -Name "DumpFolder" -Value $DumpFolder -PropertyType ExpandString -Force | Out-Null
New-ItemProperty -Path $RegPath -Name "DumpCount"  -Value $DumpCount  -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path $RegPath -Name "DumpType"   -Value $DumpType   -PropertyType DWord -Force | Out-Null

$TypeLabel = if ($DumpType -eq 2) { "Full dump" } else { "Mini dump" }
Write-Host "Crash dumps configured for $ProcessName"
Write-Host "Dump folder: $DumpFolder"
Write-Host "Dump type: $TypeLabel"

When saving, select "All Files" as the file type and name the file "enable-dmp.ps1".
Once the script is saved, open PowerShell as Administrator (the script writes to HKLM, which requires elevation), navigate to the directory where the .ps1 is saved, and run:

.\enable-dmp.ps1

You should see output such as:

PS C:\Users\Admin\Downloads> .\enable-dmp.ps1
processed file: C:\Dumps\OSSEC-Agent
Successfully processed 1 files; Failed processing 0 files
Crash dumps configured for ossec-agent.exe
Dump folder: C:\Dumps\OSSEC-Agent
Dump type: Full dump
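To confirm the setting took effect before waiting for the next crash, the PowerShell snippet below is an added example (not part of the original article or the OSSEC tooling) that reads the LocalDumps key back, checks the dump folder and its ACL, and flags the two conditions that silently prevent WER from writing dumps: WER disabled system-wide (Disabled=1 under the Windows Error Reporting key) and the WerSvc service set to Disabled.

```powershell
# Added example, not from the original article. Verifies the WER LocalDumps
# configuration that enable-dmp.ps1 creates for ossec-agent.exe.
$ProcessName = "ossec-agent.exe"
$WerRoot = "HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting"
$RegPath = "$WerRoot\LocalDumps\$ProcessName"

if (-not (Test-Path $RegPath)) {
    Write-Warning "No LocalDumps key for $ProcessName; run enable-dmp.ps1 from an elevated PowerShell first."
    return
}

$Cfg = Get-ItemProperty -Path $RegPath
# DumpType meaning per WER: 0 = custom, 1 = mini, 2 = full; a missing value means mini.
$TypeName = switch ($Cfg.DumpType) { 0 { 'custom' } 1 { 'mini' } 2 { 'full' } default { 'mini (DumpType not set)' } }
$Folder   = if ($Cfg.DumpFolder) { [Environment]::ExpandEnvironmentVariables($Cfg.DumpFolder) } else { "$env:LOCALAPPDATA\CrashDumps (default)" }

Write-Host "Process     : $ProcessName"
Write-Host "Dump folder : $Folder"
Write-Host "Dump type   : $TypeName"
Write-Host "Dump count  : $(if ($Cfg.DumpCount) { $Cfg.DumpCount } else { '10 (default)' })"

# The folder must exist and be writable by the account the agent runs as (normally SYSTEM).
if (Test-Path $Folder) {
    $Acl = Get-Acl -Path $Folder
    $Writers = $Acl.Access | Where-Object { $_.FileSystemRights -match 'Modify|FullControl|Write' } |
               Select-Object -ExpandProperty IdentityReference
    Write-Host "Write access: $($Writers -join ', ')"
    $Existing = Get-ChildItem -Path $Folder -Filter *.dmp -ErrorAction SilentlyContinue
    Write-Host "Existing dumps: $($Existing.Count)"
    $Existing | ForEach-Object { Write-Host ("  {0}  {1:N0} MB  {2}" -f $_.Name, ($_.Length / 1MB), $_.LastWriteTime) }
} else {
    Write-Warning "Dump folder $Folder does not exist; WER will not create it for you."
}

# Two settings that override the per-process key and stop dumps from being written.
$Wer = Get-ItemProperty -Path $WerRoot -ErrorAction SilentlyContinue
if ($Wer -and $Wer.Disabled -eq 1) {
    Write-Warning "Windows Error Reporting is disabled system-wide (Disabled=1); no dumps will be written."
}
$Svc = Get-Service -Name WerSvc -ErrorAction SilentlyContinue
if ($Svc -and $Svc.StartType -eq 'Disabled') {
    Write-Warning "The WerSvc service is Disabled; set it to Manual so WerFault.exe can write dumps."
}
```

Run it from an elevated PowerShell after enable-dmp.ps1; if it prints warnings, fix those before assuming the next crash will produce a .dmp file.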
Please reach out to support@atomicorp.com with any questions.