Yes I do, thank you for your reply. I attached the ossec.conf file. I'm also
trying to understand why my 550 local_rule is not running. Thanks again
<!-- OSSEC Win32 Agent Configuration.
- This file is compost of 3 main sections:
- - Client config - Settings to connect to the OSSEC server.
- - Localfile - Files/Event logs to monitor.
- - syscheck - System file/Registry entries to monitor.
-->
<!-- READ ME FIRST. If you are configuring OSSEC for the first time,
- try to use the "Manage_Agent" tool. Go to control panel->OSSEC Agent
- to execute it.
-
- First, add a server-ip entry with the real IP of your server.
- Second, and optionally, change the settings of the files you want
- to monitor. Look at our Manual and FAQ for more information.
- Third, start the Agent and enjoy.
-
- Example of server-ip:
- <client> <server-ip>1.2.3.4</server-ip> </client>
-->
<ossec_config>
<!-- One entry for each file/Event log to monitor. -->
<localfile>
<location>Application</location>
<log_format>eventlog</log_format>
</localfile>
<localfile>
<location>Security</location>
<log_format>eventlog</log_format>
</localfile>
<localfile>
<location>System</location>
<log_format>eventlog</log_format>
</localfile>
<!-- Rootcheck - Policy monitor config -->
<rootcheck>
<windows_audit>./shared/win_audit_rcl.txt</windows_audit>
<windows_apps>./shared/win_applications_rcl.txt</windows_apps>
<windows_malware>./shared/win_malware_rcl.txt</windows_malware>
</rootcheck>
<!-- Syscheck - Integrity Checking config. -->
<syscheck>
<!-- Default frequency, every 20 hours. It doesn't need to be higher
- on most systems and one a day should be enough.
-->
<frequency>72000</frequency>
<alert_new_files>yes</alert_new_files>
<auto_ignore>no</auto_ignore>
<!-- By default it is disabled. In the Install you must choose
- to enable it.
-->
<disabled>no</disabled>
<!-- Default files to be monitored - system32 only. -->
<directories check_all="yes">%WINDIR%/win.ini</directories>
<directories check_all="yes">%WINDIR%/system.ini</directories>
<directories check_all="yes">C:\autoexec.bat</directories>
<directories check_all="yes">C:\config.sys</directories>
<directories check_all="yes">C:\boot.ini</directories>
<directories check_all="yes">%WINDIR%/System32/CONFIG.NT</directories>
<directories check_all="yes">%WINDIR%/temp/</directories>
<directories check_all="yes">%WINDIR%/System32/AUTOEXEC.NT</directories>
<directories check_all="yes">%WINDIR%/System32/at.exe</directories>
<directories check_all="yes">%WINDIR%/System32/attrib.exe</directories>
<directories check_all="yes">%WINDIR%/System32/cacls.exe</directories>
<directories check_all="yes">%WINDIR%/System32/debug.exe</directories>
<directories check_all="yes">%WINDIR%/System32/drwatson.exe</directories>
<directories check_all="yes">%WINDIR%/System32/drwtsn32.exe</directories>
<directories check_all="yes">%WINDIR%/System32/edlin.exe</directories>
<directories check_all="yes">%WINDIR%/System32/eventcreate.exe</directories>
<directories
check_all="yes">%WINDIR%/System32/eventtriggers.exe</directories>
<directories check_all="yes">%WINDIR%/System32/ftp.exe</directories>
<directories check_all="yes">%WINDIR%/System32/net.exe</directories>
<directories check_all="yes">%WINDIR%/System32/net1.exe</directories>
<directories check_all="yes">%WINDIR%/System32/netsh.exe</directories>
<directories check_all="yes">%WINDIR%/System32/rcp.exe</directories>
<directories check_all="yes">%WINDIR%/System32/reg.exe</directories>
<directories check_all="yes">%WINDIR%/regedit.exe</directories>
<directories check_all="yes">%WINDIR%/System32/regedt32.exe</directories>
<directories check_all="yes">%WINDIR%/System32/regsvr32.exe</directories>
<directories check_all="yes">%WINDIR%/System32/rexec.exe</directories>
<directories check_all="yes">%WINDIR%/System32/rsh.exe</directories>
<directories check_all="yes">%WINDIR%/System32/runas.exe</directories>
<directories check_all="yes">%WINDIR%/System32/sc.exe</directories>
<directories check_all="yes">%WINDIR%/System32/subst.exe</directories>
<directories check_all="yes">%WINDIR%/System32/telnet.exe</directories>
<directories check_all="yes">%WINDIR%/System32/tftp.exe</directories>
<directories check_all="yes">%WINDIR%/System32/tlntsvr.exe</directories>
<directories check_all="yes">%WINDIR%/System32/drivers/etc</directories>
<directories check_all="yes">C:\Documents and Settings/All Users/Start
Menu/Programs/Startup</directories>
<ignore type="sregex">.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$</ignore>
<!-- Windows registry entries to monitor. -->
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\batfile</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\cmdfile</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\comfile</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\exefile</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\piffile</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Directory</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Folder</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Protocols</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Policies</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Security</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Internet
Explorer</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session
Manager\KnownDLLs</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
NT\CurrentVersion\Windows</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Active
Setup\Installed Components</windows_registry>
<!-- Windows registry entries to ignore. -->
<registry_ignore>HKEY_LOCAL_MACHINE\Security\Policy\Secrets</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users</registry_ignore>
<registry_ignore type="sregex">\Enum$</registry_ignore>
</syscheck>
<active-response>
<disabled>yes</disabled>
</active-response>
</ossec_config>
<!-- END of Default Configuration. -->
<ossec_config>
<client>
<server-ip>172.27.1.12</server-ip>
</client>
</ossec_config>
>>> "dan (ddp)" <[email protected]> 5/6/2010 5:50 PM >>>
Do you have agents configured for that server?
Can you provide your ossec.conf?
On Thu, May 6, 2010 at 9:54 AM, <[email protected]> wrote:
> Can anyone shed a little light on this error. Thank You
>
> ossec-remoted(1501): ERROR: No IP or network allowed in the access list for
> syslog. No reason for running it. Exiting
>
>
> Christian L. Kovac
> Sr Network Support Analyst
> Information Technology & Project Management
> Metro-North Railroad
> [email protected]
> 212-499-4642
>
> THINK GREEN q Do you really need to print this e-mail?
>
