Hi Dan and Joe,

Thanks for your help. This is working now. Much appreciated.

George

On Dec 8, 11:59 pm, "dan (ddp)" <[email protected]> wrote:
> On Wed, Dec 8, 2010 at 10:36 AM, GeorgeY <[email protected]> wrote:
> > Hi Dan,
>
> > Thanks for your response.
> > Currently, this is the permission on the file.
>
> > -r--r-----   1 root     other       6626 Dec  8 01:56 agent.conf
>
> > So changing this to -rwxr--r-- 1 root ossec should do the trick?
>
> > Thanks again. Appreciate your assistance.
>
> > Regards,
> > George
>
> It looks like ossec processes cannot read your agent.conf, so of
> course it can't be sent to the agents. Here are the exact permissions
> mine has:
> -r--r-----  1 root  ossec  8638 Nov 18 13:35 agent.conf
>
>
>
> > On Dec 8, 10:15 pm, "dan (ddp)" <[email protected]> wrote:
> >> On Wed, Dec 8, 2010 at 5:12 AM, GeorgeY <[email protected]> wrote:
> >> > Hi Joe,
>
> >> > Thanks again for your response. Once I add an agent.conf to /shared,
> >> > will I actually see this file on the client itself? I guess what I am
> >> > trying to find out is if this file will actually be sent/pushed out to
> >> > all "Windows" clients and a copy will be saved locally in their c:
> >> > \Program Files\ossec-agent\shared? If the answer is Yes, I am not
> >> > seeing this in my set up.
>
> >> Yes, the agent.conf is supposed to be sent to the agents.
> >> Check the permissions of the agent.conf on the manager.
> >> Mine is owned by root, but readable by the group ossec.
>
> >> > Also, whether or not the answer is Yes or No, that would mean I would
> >> > need to MANUALLY clear the ossec.conf duplicated settings for all
> >> > these hosts as well correct - since the default ossec.conf already
> >> > contains the settings I want to put in agent.conf? Unless there is
> >> > another trick I can use here :)
>
> >> You'd have to manually remove stuff from the ossec.conf.
>
> >> > What I currently have on the client ossec.conf is simply
>
> >> > <ossec_config>
>
> >> >  <active-response>
> >> >    <disabled>yes</disabled>
> >> >  </active-response>
>
> >> >   <client>
> >> >      <server-ip>192.168.1.1</server-ip>
> >> >   </client>
> >> >  </ossec_config>
>
> >> > and agent.conf is as per my previous post without the <client></
> >> > client> and <active-response></active-response> sections.
>
> >> > On Dec 7, 10:46 pm, Joe Gedeon <[email protected]> wrote:
> >> >> George,
>
> >> >> Here is the shared agent config that I use on the server for the
> >> >> windows hosts.  The ossec.conf on the agent is just about blank.  It
> >> >> is very minimal.  Once I find my windows installer I can then send
> >> >> you a copy of that.  In your example of your shared agent.conf you had
> >> >> the server set in there.  The server must be set on the client.  Also
> >> >> active response must be enabled on the client and not in the shared
> >> >> configuration.  What you see in the shared agent can be removed from
> >> >> the agents ossec.conf so that it doesn't overlap.
>
> >> >> cat etc/shared/agent.conf
> >> >> <agent_config os="Windows">
>
> >> >>   <!-- One entry for each file/Event log to monitor. -->
> >> >>   <localfile>
> >> >>     <location>Application</location>
> >> >>     <log_format>eventlog</log_format>
> >> >>   </localfile>
>
> >> >>   <localfile>
> >> >>     <location>Security</location>
> >> >>     <log_format>eventlog</log_format>
> >> >>   </localfile>
>
> >> >>   <localfile>
> >> >>     <location>System</location>
> >> >>     <log_format>eventlog</log_format>
> >> >>   </localfile>
>
> >> >>   <!-- Rootcheck - Policy monitor config -->
> >> >>   <rootcheck>
> >> >>     <windows_audit>./shared/win_audit_rcl.txt</windows_audit>
> >> >>     <windows_apps>./shared/win_applications_rcl.txt</windows_apps>
> >> >>     <windows_malware>./shared/win_malware_rcl.txt</windows_malware>
> >> >>   </rootcheck>
>
> >> >>    <!-- Syscheck - Integrity Checking config. -->
> >> >>   <syscheck>
>
> >> >>     <!-- Default frequency, every 20 hours. It doesn't need to be higher
> >> >>       -  on most systems and one a day should be enough.
> >> >>       -->
> >> >>     <frequency>72000</frequency>
>
> >> >>     <!-- By default it is disabled. In the Install you must choose
> >> >>       -  to enable it.
> >> >>       -->
> >> >>     <disabled>no</disabled>
>
> >> >>     <!-- Default files to be monitored - system32 only. -->
> >> >>     <directories check_all="yes">%WINDIR%/win.ini</directories>
> >> >>     <directories check_all="yes">%WINDIR%/system.ini</directories>
> >> >>     <directories check_all="yes">C:\autoexec.bat</directories>
> >> >>     <directories check_all="yes">C:\config.sys</directories>
> >> >>     <directories check_all="yes">C:\boot.ini</directories>
> >> >>     <directories check_all="yes">%WINDIR%/System32/CONFIG.NT</directories>
> >> >>     <directories check_all="yes">%WINDIR%/System32/AUTOEXEC.NT</directories>
> >> >>     <directories check_all="yes">%WINDIR%/System32/at.exe</directories>
> >> >>     <directories check_all="yes">%WINDIR%/System32/attrib.exe</directories>
> >> >>     <directories check_all="yes">%WINDIR%/System32/cacls.exe</directories>
> >> >>     <directories check_all="yes">%WINDIR%/System32/debug.exe</directories>
> >> >>     <directories check_all="yes">%WINDIR%/System32/drwatson.exe</directories>
> >> >>     <directories check_all="yes">%WINDIR%/System32/drwtsn32.exe</directories>
> >> >>     <directories check_all="yes">%WINDIR%/System32/edlin.exe</directories>
> >> >>     <directories check_all="yes">%WINDIR%/System32/eventcreate.exe</directories>
> >> >>     <directories check_all="yes">%WINDIR%/System32/eventtriggers.exe</directories>
> >> >>     <directories check_all="yes">%WINDIR%/System32/ftp.exe</directories>
> >> >>     <directories check_all="yes">%WINDIR%/System32/net.exe</directories>
> >> >>     <directories check_all="yes">%WINDIR%/System32/net1.exe</directories>
> >> >>     <directories check_all="yes">%WINDIR%/System32/netsh.exe</directories>
> >> >>     <directories check_all="yes">%WINDIR%/System32/rcp.exe</directories>
> >> >>     <directories check_all="yes">%WINDIR%/System32/reg.exe</directories>
> >> >>     <directories check_all="yes">%WINDIR%/regedit.exe</directories>
> >> >>     <directories check_all="yes">%WINDIR%/System32/regedt32.exe</directories>
> >> >>     <directories check_all="yes">%WINDIR%/System32/regsvr32.exe</directories>
> >> >>     <directories check_all="yes">%WINDIR%/System32/rexec.exe</directories>
> >> >>     <directories check_all="yes">%WINDIR%/System32/rsh.exe</directories>
> >> >>     <directories check_all="yes">%WINDIR%/System32/runas.exe</directories>
> >> >>     <directories check_all="yes">%WINDIR%/System32/sc.exe</directories>
> >> >>     <directories check_all="yes">%WINDIR%/System32/subst.exe</directories>
> >> >>     <directories check_all="yes">%WINDIR%/System32/telnet.exe</directories>
> >> >>     <directories check_all="yes">%WINDIR%/System32/tftp.exe</directories>
> >> >>     <directories check_all="yes">%WINDIR%/System32/tlntsvr.exe</directories>
> >> >>     <directories check_all="yes">%WINDIR%/System32/drivers/etc</directories>
> >> >>     <directories check_all="yes">C:\Documents and Settings/All Users/Start Menu/Programs/Startup</directories>
> >> >>     <ignore type="sregex">.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$</ignore>
>
> >> >>     <!-- Windows registry entries to monitor. -->
> >> >>     <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\batfile</windows_registry>
> >> >>     <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\cmdfile</windows_registry>
> >> >>     <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\comfile</windows_registry>
> >> >>     <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\exefile</windows_registry>
> >> >>     <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\piffile</windows_registry>
> >> >>     <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects</windows_registry>
> >> >>     <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Directory</windows_registry>
> >> >>     <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Folder</windows_registry>
> >> >>     <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Protocols</windows_registry>
> >> >>     <windows_registry>HKEY_LOCAL_MACHINE\Software\Policies</windows_registry>
> >> >>     <windows_registry>HKEY_LOCAL_MACHINE\Security</windows_registry>
> >> >>     <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer</windows_registry>
>
> >> >>     <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</windows_registry>
> >> >>     <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs</windows_registry>
> >> >>     <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg</windows_registry>
>
> >> >>     <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry>
> >> >>     <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</windows_registry>
> >> >>     <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx</windows_registry>
> >> >>     <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL</windows_registry>
> >> >>     <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies</windows_registry>
> >> >>     <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows</windows_registry>
> >> >>     <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon</windows_registry>
>
> >> >>     <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components</windows_registry>
>
> >> >>     <!-- Windows registry entries to ignore. -->
> >> >>     <registry_ignore>HKEY_LOCAL_MACHINE\Security\Policy\Secrets</registry_ignore>
> >> >>     <registry_ignore>HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users</registry_ignore>
> >> >>     <registry_ignore
>
> ...
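The fix that resolved George's problem was a permission check on the manager: the shared agent.conf must be readable by the ossec group (dan's file is root:ossec, mode r--r-----), or ossec-remoted cannot push it to the agents. The script below turns that check into a reusable function. It is an added example, not code from the thread or from the OSSEC project; it assumes a POSIX shell with `ls`, takes the file path and expected group as parameters, and the /var/ossec path in the usage line is the default OSSEC install location, assumed here rather than taken from the thread.

```shell
#!/bin/sh
# Added example (not from the thread or from OSSEC): verify that a shared
# agent.conf on the manager has the ownership and mode dan's reply shows
# (root:ossec, -r--r-----), so the ossec group can read it and remoted can
# send it to the agents.

# check_agent_conf FILE GROUP
# Exit status 0 when FILE is group-readable and its group is GROUP, 1 otherwise.
# It parses `ls -ld`, whose first four fields (mode, links, owner, group) are
# the same on GNU and BSD systems; `stat` output formats differ between them.
check_agent_conf() {
    file=$1
    want_group=$2
    if [ ! -f "$file" ]; then
        echo "$file: not a regular file" >&2
        return 1
    fi
    # Word-splitting the ls output into positional parameters is intended;
    # this only resets the function's own $1..$n, not the script's.
    set -- $(ls -ld "$file")
    mode=$1
    owner=$3
    group=$4
    status=0
    if [ "$group" != "$want_group" ]; then
        echo "$file: group is $group, expected $want_group (chgrp $want_group)" >&2
        status=1
    fi
    # The group read bit is the 5th character of the mode string (-r--r-----).
    case "$mode" in
        ????r*) ;;
        *) echo "$file: not group-readable ($mode); chmod 440 fixes it" >&2
           status=1 ;;
    esac
    # World-readable is not needed by remoted and exposes the config; warn only.
    case "$mode" in
        ???????r*) echo "$file: world-readable ($mode); 440 is sufficient" >&2 ;;
    esac
    # Owner is reported, not enforced: the thread's files are all root-owned.
    [ "$owner" = root ] || echo "$file: owner is $owner, not root" >&2
    return $status
}

# Run directly on a manager (default OSSEC install path assumed):
#   sh check_agent_conf.sh /var/ossec/etc/shared/agent.conf ossec
if [ $# -eq 2 ]; then
    check_agent_conf "$1" "$2"
fi
```

Run it after editing the shared configuration; a non-zero exit means the agents will silently keep their old configuration, which is exactly the symptom George reported. The world-readable case is a warning rather than a failure because it does not break delivery, but it does let any local account read the monitoring policy.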