Hi list,

Has anyone gotten syscheck to work when using the Centralized
Configuration file for defining <syscheck />? No matter what I tried,
I keep getting

================================================================================
...
ossec-syscheckd(1702): INFO: No directory provided for syscheck to monitor.
ossec-syscheckd: WARN: Syscheck disabled.
...
================================================================================

messages when I restart ossec.

Here's my agent's etc/ossec.conf:
================================================================================
<ossec_config>
  <!-- Agent-side configuration as posted: it only names the manager the
       agent reports to. There is no syscheck section in this file, so every
       integrity-monitoring setting has to arrive through the shared
       agent.conf shown in the post. -->
  <client>
    <server-ip>10.0.0.1</server-ip>
  </client>
</ossec_config>
================================================================================

Here's my etc/shared/agent.conf:
================================================================================
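<agent_config>
  <!-- Shared agent configuration as posted (etc/shared/agent.conf).
       Two well-formedness problems in the posted text are repaired here:
       a comment terminator that was split across two lines, and the final
       tag, which was written as an opening <agent_config> instead of the
       closing tag.
       NOTE(review): the post does not show whether either defect exists in
       the real file or whether it explains the "No directory provided"
       message. Check the file for well-formedness before restarting the
       agent. -->
  <syscheck>
    <!-- Interval between syscheck scans, in seconds (79200 s = 22 hours) -->
    <frequency>79200</frequency>

    <!-- Directories to monitor; check_all="yes" requests every available
         verification on each listed path -->
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>
    <directories check_all="yes">/datalex</directories>

    <!-- Files/directories to ignore. Every entry here is a blind spot for
         integrity monitoring, so keep the list limited to paths that
         change constantly during normal operation. -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/mnttab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
    <ignore>/etc/utmpx</ignore>
    <ignore>/etc/wtmpx</ignore>
    <ignore>/etc/cups/certs</ignore>
    <ignore>/etc/dumpdates</ignore>
    <ignore>/etc/svc/volatile</ignore>

    <!-- Windows files to ignore. No Windows directory is listed for
         monitoring in this block, so these entries presumably have no
         effect on the Unix agents that receive it (confirm against the
         agents this file is pushed to). -->
    <ignore>C:\WINDOWS/System32/LogFiles</ignore>
    <ignore>C:\WINDOWS/Debug</ignore>
    <ignore>C:\WINDOWS/WindowsUpdate.log</ignore>
    <ignore>C:\WINDOWS/iis6.log</ignore>
    <ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
    <ignore>C:\WINDOWS/system32/wbem/Repository</ignore>
    <ignore>C:\WINDOWS/Prefetch</ignore>
    <ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
    <ignore>C:\WINDOWS/SoftwareDistribution</ignore>
    <ignore>C:\WINDOWS/Temp</ignore>
    <ignore>C:\WINDOWS/system32/config</ignore>
    <ignore>C:\WINDOWS/system32/spool</ignore>
    <ignore>C:\WINDOWS/system32/CatRoot</ignore>
  </syscheck>
</agent_config>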
================================================================================

TIA
-Michael
