Daniel: still the same behavior. The ossec.conf is inline just below my signature.
Thanks,
--
Ed Vazquez
Make sure comments and code agree.
29 May 2007 14:42:20
<!-- Agent example configuration (Windows OSSEC HIDS agent). -->
<!-- 1. Point server-ip at the OSSEC HIDS server this agent reports to. -->
<!-- 2. Add one <localfile> block per additional log you want collected. -->
<ossec_config>
  <client>
    <!-- Address of the OSSEC HIDS server the agent forwards events to. -->
    <server-ip>172.16.17.205</server-ip>
  </client>

  <!-- Windows event-log channels to collect: one <localfile> entry each,
       all read with the "eventlog" format. -->
  <localfile>
    <location>Application</location>
    <log_format>eventlog</log_format>
  </localfile>

  <localfile>
    <location>Security</location>
    <log_format>eventlog</log_format>
  </localfile>

  <localfile>
    <location>System</location>
    <log_format>eventlog</log_format>
  </localfile>
</ossec_config>
<!-- Default syscheck (file integrity monitoring) configuration. -->
<ossec_config>
  <syscheck>
    <!-- Interval between full integrity scans, in seconds (43200 = 12 h). -->
    <frequency>43200</frequency>

    <!-- Directory tree to monitor. check_all="yes" enables every attribute
         check syscheck offers (per the OSSEC docs: size, permissions, owner
         and checksums) rather than a single one. -->
    <directories check_all="yes">D:\WINDOWS</directories>
  </syscheck>
</ossec_config>
<!-- Updated syscheck configuration: same scan interval, plus a list of
     paths under D:\WINDOWS that are excluded from integrity checks. -->
<ossec_config>
  <syscheck>
    <!-- Interval between full integrity scans, in seconds (43200 = 12 h). -->
    <frequency>43200</frequency>

    <!-- Excluded paths. Anything listed here is never reported by syscheck,
         so the trade-off is less noise versus no visibility into changes in
         these locations (Temp, Prefetch and dllcache included).
         The mixed "D:\WINDOWS/..." separators match the style of the stock
         OSSEC Windows config; OSSEC appears to accept either separator. -->
    <ignore>D:\WINDOWS/System32/LogFiles</ignore>
    <ignore>D:\WINDOWS/system32/wbem/Logs</ignore>
    <ignore>D:\WINDOWS/Prefetch</ignore>
    <ignore>D:\WINDOWS/Debug</ignore>
    <ignore>D:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
    <ignore>D:\WINDOWS/SoftwareDistribution</ignore>
    <ignore>D:\WINDOWS/Temp</ignore>
    <ignore>D:\WINDOWS/SchedLgU.Txt</ignore>
    <ignore>D:\WINDOWS/system32/config</ignore>
    <ignore>D:\WINDOWS/system32/CatRoot</ignore>
    <ignore>D:\WINDOWS/system32/wbem/Repository</ignore>
    <ignore>D:\WINDOWS/LastGood.Tmp</ignore>
    <ignore>D:\WINDOWS/LastGood</ignore>
    <ignore>D:\WINDOWS/Help</ignore>
    <ignore>D:\WINDOWS/Fonts</ignore>
    <ignore>D:\WINDOWS/PCHEALTH</ignore>
    <ignore>D:\WINDOWS/system32/dllcache</ignore>

    <!-- Pattern-based exclusion by file extension. This uses OSSEC's own
         regex dialect, not PCRE: a bare "." is a literal dot there (the
         wildcard is "\."), so ".log$" means files ending in ".log". -->
    <ignore type="sregex">.log$|.htm$|.jpg$|.png$|.chm$|.pnf$</ignore>
  </syscheck>
</ossec_config>
<!-- Syscheck registry monitoring: the HKLM subtrees whose keys are
     integrity-checked. -->
<ossec_config>
  <syscheck>
    <!-- Software hives: installed components, Microsoft settings, policy. -->
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Policies</windows_registry>

    <!-- System hive: control set configuration and service definitions. -->
    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</windows_registry>

    <!-- Security hive. -->
    <windows_registry>HKEY_LOCAL_MACHINE\Security</windows_registry>
  </syscheck>
</ossec_config>
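<!-- Syscheck registry ignored entries (too big or change too often).
     Each registry_ignore value must be the full key path on a single line:
     in the message as posted, several keys containing a space ("Group
     Policy", "Internet Settings", "Windows NT", "Session Manager") were
     wrapped onto two lines. A wrapped entry contains a newline, never
     matches the real key, and so silently fails to exclude it. They are
     rejoined here. -->
<ossec_config>
  <syscheck>
    <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\State</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\RNG</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\PCHealth\PchSvc</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Dfrg</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\DirectDraw</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Direct3D</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\COM3</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Prefetcher</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Software\Classes\Interface</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Software\Classes\TypeLib</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Software\Classes\MIME</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Software\Classes\Software</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Software\Classes\CLSID</registry_ignore>

    <!-- The LSA secrets and SAM account keys are excluded because they
         change constantly; the consequence is that syscheck reports no
         changes under them, so account changes must be watched via the
         Security event log collected above instead. -->
    <registry_ignore>HKEY_LOCAL_MACHINE\Security\Policy\Secrets</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users</registry_ignore>

    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceClasses</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Watchdog</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\MediaCategories</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Windows</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\hivelist</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ServiceCurrent</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess\Performance</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient</registry_ignore>

    <!-- Pattern exclusion in OSSEC's regex dialect: any key ending in \Enum. -->
    <registry_ignore type="sregex">\Enum$</registry_ignore>
  </syscheck>
</ossec_config>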
> -----Original Message-----
> From: Daniel Cid [mailto:[EMAIL PROTECTED]]
> Sent: Sunday, May 27, 2007 13:30
> To: Vazquez, Ed
> Subject: Re: [ossec-list] Behavior of MS Windows "Agent"
>
> Hi Ed,
>
> Can you show me your ossec.conf (on the agent)? I see that your
> Windows
> install is at "D:", but I don't think that it would cause these
> issues.... I am
> still puzzled.
>
> Daniel
>
[snip]
