I'm trying to set up ossec agents on Windows Server 03/08/12. Would anybody 
have an example custom ossec.conf agent file they could share? I know that 
newer Windows servers do not have all the files that are originally listed 
in the default ossec.conf, so I was wondering what others have started to 
monitor in place of them.
 
 
Checking my agent log, this is what I'm getting with the default agent 
ossec.conf:

2013/07/03 13:01:23 ossec-agent: WARN: Error opening directory: 
'C:\boot.ini': No such file or directory 
2013/07/03 13:01:23 ossec-agent: WARN: Error opening directory: 
'C:\Windows/System32/CONFIG.NT': No such file or directory 
2013/07/03 13:01:23 ossec-agent: WARN: Error opening directory: 
'C:\Windows/System32/AUTOEXEC.NT': No such file or directory 
2013/07/03 13:01:23 ossec-agent: WARN: Error opening directory: 
'C:\Windows/System32/debug.exe': No such file or directory 
2013/07/03 13:01:23 ossec-agent: WARN: Error opening directory: 
'C:\Windows/System32/drwatson.exe': No such file or directory 
2013/07/03 13:01:23 ossec-agent: WARN: Error opening directory: 
'C:\Windows/System32/drwtsn32.exe': No such file or directory 
2013/07/03 13:01:23 ossec-agent: WARN: Error opening directory: 
'C:\Windows/System32/edlin.exe': No such file or directory 
2013/07/03 13:01:23 ossec-agent: WARN: Error opening directory: 
'C:\Windows/System32/eventtriggers.exe': No such file or directory 
2013/07/03 13:01:23 ossec-agent: WARN: Error opening directory: 
'C:\Windows/System32/rcp.exe': No such file or directory 
2013/07/03 13:01:23 ossec-agent: WARN: Error opening directory: 
'C:\Windows/System32/rexec.exe': No such file or directory 
2013/07/03 13:01:23 ossec-agent: WARN: Error opening directory: 
'C:\Windows/System32/rsh.exe': No such file or directory 
2013/07/03 13:01:25 ossec-agent: WARN: Error opening directory: 
'C:\Windows/System32/telnet.exe': No such file or directory 
2013/07/03 13:01:25 ossec-agent: WARN: Error opening directory: 
'C:\Windows/System32/tftp.exe': No such file or directory 
2013/07/03 13:01:25 ossec-agent: WARN: Error opening directory: 
'C:\Windows/System32/tlntsvr.exe': No such file or directory 
2013/07/03 13:01:25 ossec-agent: WARN: Error opening directory: 
'C:\Windows\System32\bcdedit.exe': No such file or directory 
2013/07/03 13:01:25 ossec-agent: INFO: Finished creating syscheck database 
(pre-scan completed).
 
 
An example of what I'm trying to do would be:
 
<directories check_all="yes">C:\Windows\System32\bcdedit.exe</directories>
 
boot.ini was replaced in Windows Vista+ with BCD, so this would be something 
I'd like to check on. I tried to implement this into the conf file but I'm 
having no luck getting it to work.
 
Any suggestions are gladly taken.

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
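
Added example, not part of the original post and not OSSEC project code: a Python sketch that reads the "Error opening directory" warnings from an agent log (tolerating the line wrapping seen in the pasted log) and reports which `<directories>` entries in an ossec.conf point at paths the agent could not find on that host. The function names, the `ENV` value for `%WINDIR%` and the sample configuration are assumptions made for illustration; the log excerpt is taken from the post.

```python
import re
import xml.etree.ElementTree as ET

ENV = {"WINDIR": r"C:\Windows"}  # assumption: value of %WINDIR% on the agent host

# Excerpt of the agent log from the post, wrapped as it was pasted.
SAMPLE_LOG = r"""2013/07/03 13:01:23 ossec-agent: WARN: Error opening directory:
'C:\boot.ini': No such file or directory
2013/07/03 13:01:23 ossec-agent: WARN: Error opening directory:
'C:\Windows/System32/CONFIG.NT': No such file or directory
2013/07/03 13:01:25 ossec-agent: WARN: Error opening directory:
'C:\Windows\System32\bcdedit.exe': No such file or directory
2013/07/03 13:01:25 ossec-agent: INFO: Finished creating syscheck database
(pre-scan completed).
"""

# Constructed syscheck section, not the shipped default ossec.conf.
SAMPLE_CONF = r"""<ossec_config>
  <syscheck>
    <directories check_all="yes">C:\boot.ini,%WINDIR%/win.ini</directories>
    <directories check_all="yes">%WINDIR%/System32/CONFIG.NT</directories>
    <directories check_all="yes">C:\Windows\System32\bcdedit.exe</directories>
  </syscheck>
</ossec_config>"""

# \s* lets the match continue across the line break inserted by wrapping.
WARN = re.compile(r"WARN: Error opening directory:\s*'([^']+)': No such file or directory")

def norm(path, env=ENV):
    """Expand %VAR%, unify slashes and case so log and config paths compare equal."""
    path = re.sub(r"%(\w+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), path)
    return path.replace("/", "\\").rstrip("\\").lower()

def missing_paths(log_text, env=ENV):
    return {norm(p, env) for p in WARN.findall(log_text)}

def stale_entries(conf_text, log_text, env=ENV):
    """Return (all entries, entries reported missing) for each affected <directories>."""
    missing = missing_paths(log_text, env)
    # ossec.conf may hold several <ossec_config> blocks, so wrap them in one root.
    root = ET.fromstring("<root>" + conf_text + "</root>")
    report = []
    for elem in root.iter("directories"):
        entries = [e.strip() for e in (elem.text or "").split(",") if e.strip()]
        gone = [e for e in entries if norm(e, env) in missing]
        if gone:
            report.append((entries, gone))
    return report

if __name__ == "__main__":
    for entries, gone in stale_entries(SAMPLE_CONF, SAMPLE_LOG):
        print("configured:", entries, "-> not found on this host:", gone)
```

Entries that share a `<directories>` element with a missing path (such as `%WINDIR%/win.ini` in the sample) are returned alongside it, so the element can be trimmed rather than deleted.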