Please post your entire agent.conf. You should also consider updating to 2.5.1. 2.3 is very old at this point.

On Wed, Oct 20, 2010 at 12:49 AM, Mike Sievers <[email protected]> wrote:
> good morning
>
> I will try what you wrote me (sregex)
>
> This also does not work:
>
> <agent_config>
> <syscheck>
>
> <directories check_all="yes">/boot</directories>
>
> </syscheck>
> </agent_config>
>
> The agent log says:
>
> 010/10/19 15:28:22 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
> 2010/10/19 15:28:22 ossec-syscheckd: INFO: Monitoring directory: '/usr'.
> 2010/10/19 15:28:22 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
> 2010/10/19 15:28:22 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
> 2010/10/19 15:28:22 ossec-syscheckd: INFO: Monitoring directory: '/opt'.
> 2010/10/19 15:28:24 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'.
> 2010/10/19 15:28:24 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/warn'.
> 2010/10/19 15:28:24 ossec-logcollector: INFO: Started (pid: 24510).
>
> but no /boot
>
> Mike
>
> 2010/10/19 dan (ddp) <[email protected]>
>>
>> On Tue, Oct 19, 2010 at 10:03 AM, Mike Sievers
>> <[email protected]> wrote:
>> > hi dan (and list)
>> > yes, the agent conf was copied and I restarted all
>> >
>> > but there is something different now:
>> >
>> > (agent.conf)
>> >
>> > <agent_config name='n001'>
>> > <syscheck>
>> > <ignore>/etc/ppp/chap-secrets</ignore> <<<<<<< file is not ignored
>> > <directories check_all="yes">/lib</directories> <<<<<< this works
>> > </syscheck>
>> > </agent_config>
>> >
>> > maybe the syntax is simply wrong?
>> >
>> > Mike
>> >
>>
>> It looks right to me. You could try the following:
>> <ignore type="sregex">^/etc/ppp/chap-secrets</ignore>
>>
>> But I don't think that will add anything. Which version of OSSEC are you
>> using?
>>
>> > 2010/10/19 dan (ddp) <[email protected]>
>> >>
>> >> On Tue, Oct 19, 2010 at 9:38 AM, Mike Sievers
>> >> <[email protected]> wrote:
>> >> > Hi list
>> >> >
>> >> > I am using ossec with agents.
>> >> > But they don't use the:
>> >> > /var/ossec/etc/shared/agent.conf file
>> >> >
>> >> > I really have no idea and no error log.
>> >> > What can have happened?
>> >> > What tests are possible?
>> >> > agent_controls says:
>> >> >
>> >> > ID: 005, Name: n001, IP: 192.168.40.2, Active
>> >> >
>> >> > Best,
>> >> > Mike
>> >> >
>> >>
>> >> Is the agent.conf being copied to the agents? Did you restart the
>> >> ossec processes on the agents?
>> >> Double check your agent.conf for any typos, that's bitten me in the
>> >> past.
