Hi Dan, my test config is very short
I have now changed <agent_config> to <agent_config os='Linux'>
Now it works

<agent_config os='Linux'>
  <syscheck>
    <directories check_all="yes">/boot</directories>
    <ignore>/etc/dhcpd.conf</ignore>
    <ignore>/var/log/mail.info</ignore>
    <ignore>/var/log/mail.warn</ignore>
    <ignore>/var/log/mail.err</ignore>
    <ignore>/etc/ppp/chap-secrets</ignore>
  </syscheck>
</agent_config>

Well, I will look at how to update. Should I start with the server or the agents?

Mike

2010/10/20 dan (ddp) <ddp...@gmail.com>

> Please post your entire agent.conf
> You should also consider updating to 2.5.1. 2.3 is very old at this point.
>
> On Wed, Oct 20, 2010 at 12:49 AM, Mike Sievers
> <saturnge...@googlemail.com> wrote:
> > good morning
> >
> > I will try what you wrote me (sregex)
> >
> > This also does not work:
> >
> > <agent_config>
> >   <syscheck>
> >
> >     <directories check_all="yes">/boot</directories>
> >
> >   </syscheck>
> > </agent_config>
> >
> > The agent log says:
> >
> > 010/10/19 15:28:22 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
> > 2010/10/19 15:28:22 ossec-syscheckd: INFO: Monitoring directory: '/usr'.
> > 2010/10/19 15:28:22 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
> > 2010/10/19 15:28:22 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
> > 2010/10/19 15:28:22 ossec-syscheckd: INFO: Monitoring directory: '/opt'.
> > 2010/10/19 15:28:24 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'.
> > 2010/10/19 15:28:24 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/warn'.
> > 2010/10/19 15:28:24 ossec-logcollector: INFO: Started (pid: 24510).
> >
> > but no /boot
> >
> > Mike
> >
> > 2010/10/19 dan (ddp) <ddp...@gmail.com>
> >>
> >> On Tue, Oct 19, 2010 at 10:03 AM, Mike Sievers
> >> <saturnge...@googlemail.com> wrote:
> >> > hi dan (and list)
> >> > yes, the agent conf was copied and I restarted all
> >> >
> >> > but there is something different now:
> >> >
> >> > (agent.conf)
> >> >
> >> > <agent_config name='n001'>
> >> >   <syscheck>
> >> >     <ignore>/etc/ppp/chap-secrets</ignore>   <<<<<<< file is not ignored
> >> >     <directories check_all="yes">/lib</directories>   <<<<<< this works
> >> >   </syscheck>
> >> > </agent_config>
> >> >
> >> > maybe the syntax is simply wrong?
> >> >
> >> > Mike
> >> >
> >>
> >> It looks right to me. You could try the following:
> >> <ignore type="sregex">^/etc/ppp/chap-secrets</ignore>
> >>
> >> But I don't think that will add anything. Which version of OSSEC are you
> >> using?
> >>
> >> > 2010/10/19 dan (ddp) <ddp...@gmail.com>
> >> >>
> >> >> On Tue, Oct 19, 2010 at 9:38 AM, Mike Sievers
> >> >> <saturnge...@googlemail.com> wrote:
> >> >> > Hi list
> >> >> >
> >> >> > I am using ossec with agents. But they don't use the:
> >> >> > /var/ossec/etc/shared/agent.conf file
> >> >> >
> >> >> > I really have no idea and no error log.
> >> >> > What can have happened?
> >> >> > What tests are possible?
> >> >> > agent_controls says:
> >> >> >
> >> >> > ID: 005, Name: n001, IP: 192.168.40.2, Active
> >> >> >
> >> >> > Best,
> >> >> > Mike
> >> >> >
> >> >>
> >> >> Is the agent.conf being copied to the agents? Did you restart the
> >> >> ossec processes on the agents?
> >> >> Double check your agent.conf for any typos, that's bitten me in the
> >> >> past.