Using the agent.conf for syscheck works for me on the agents (it does not work on the manager). Make sure the agent.conf has been transferred to the agents. Make sure the permissions make it readable by the agents. Is the agent.conf below the entirety of your agent.conf? Did you copy/paste it from an ossec.conf? Simple typos can cause havoc in the agent.conf.
On Wed, May 18, 2011 at 10:04 AM, Michael Altfield <[email protected]> wrote:
> Hi list,
>
> Has anyone gotten syscheck to work when using the Centralized
> Configuration file for defining <syscheck />? No matter what I tried,
> I keep getting
>
> ================================================================================
> ...
> ossec-syscheckd(1702): INFO: No directory provided for syscheck to
> monitor.
> ossec-syscheckd: WARN: Syscheck disabled.
> ...
> ================================================================================
>
> messages when I restart ossec.
>
> Here's my agent's etc/ossec.conf:
> ================================================================================
> <ossec_config>
>   <client>
>     <server-ip>10.0.0.1</server-ip>
>   </client>
> </ossec_config>
> ================================================================================
>
> Here's my etc/shared/agent.conf:
> ================================================================================
> <agent_config>
>   <syscheck>
>     <!-- Frequency that syscheck is executed - default to every 22 hours -->
>     <frequency>79200</frequency>
>
>     <!-- Directories to check (perform all possible verifications) -->
>     <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
>     <directories check_all="yes">/bin,/sbin</directories>
>     <directories check_all="yes">/datalex</directories>
>
>     <!-- Files/directories to ignore -->
>     <ignore>/etc/mtab</ignore>
>     <ignore>/etc/mnttab</ignore>
>     <ignore>/etc/hosts.deny</ignore>
>     <ignore>/etc/mail/statistics</ignore>
>     <ignore>/etc/random-seed</ignore>
>     <ignore>/etc/adjtime</ignore>
>     <ignore>/etc/httpd/logs</ignore>
>     <ignore>/etc/utmpx</ignore>
>     <ignore>/etc/wtmpx</ignore>
>     <ignore>/etc/cups/certs</ignore>
>     <ignore>/etc/dumpdates</ignore>
>     <ignore>/etc/svc/volatile</ignore>
>
>     <!-- Windows files to ignore -->
>     <ignore>C:\WINDOWS/System32/LogFiles</ignore>
>     <ignore>C:\WINDOWS/Debug</ignore>
>     <ignore>C:\WINDOWS/WindowsUpdate.log</ignore>
>     <ignore>C:\WINDOWS/iis6.log</ignore>
>     <ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
>     <ignore>C:\WINDOWS/system32/wbem/Repository</ignore>
>     <ignore>C:\WINDOWS/Prefetch</ignore>
>     <ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
>     <ignore>C:\WINDOWS/SoftwareDistribution</ignore>
>     <ignore>C:\WINDOWS/Temp</ignore>
>     <ignore>C:\WINDOWS/system32/config</ignore>
>     <ignore>C:\WINDOWS/system32/spool</ignore>
>     <ignore>C:\WINDOWS/system32/CatRoot</ignore>
>   </syscheck>
> <agent_config>
> ================================================================================
>
> TIA
> -Michael
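As an added example (not from either message in this thread, and not OSSEC's own code), here is a small Python checker for the three things the reply asks about: whether the agent.conf is well-formed XML, whether every syscheck block actually names a <directories> entry (the condition behind the ossec-syscheckd(1702) message), and whether a given user could read the file given its mode and ownership. agent.conf may contain several <agent_config> blocks, so it is not a single-root XML document and is wrapped in a synthetic root before parsing. The three configs inside are constructed for the example; the "broken" one ends with an opening <agent_config> tag where the closing tag belongs, the same shape as the quoted config, and a well-formedness check reports it at once. Later OSSEC releases ship bin/verify-agent-conf for the same purpose.

```python
#!/usr/bin/env python
"""Added example: sanity-check an OSSEC centralized agent.conf.

Not code from the thread or from the OSSEC project. agent.conf may hold
several <agent_config> blocks, so it is not a single-root XML document;
the text is wrapped in a synthetic <root> before parsing.
"""
import os
import stat
import xml.etree.ElementTree as ET

# Constructed for this example: same shape as the config quoted above,
# ending in "<agent_config>" where "</agent_config>" belongs.
BROKEN_CONF = """<agent_config>
  <syscheck>
    <frequency>79200</frequency>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <ignore>/etc/mtab</ignore>
  </syscheck>
<agent_config>
"""

# Constructed: the same block with the closing tag corrected.
GOOD_CONF = """<agent_config>
  <syscheck>
    <frequency>79200</frequency>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <ignore>/etc/mtab</ignore>
  </syscheck>
</agent_config>
"""

# Constructed: well-formed, but the syscheck block names nothing to
# watch, which is what ossec-syscheckd(1702) complains about.
EMPTY_SYSCHECK_CONF = """<agent_config>
  <syscheck>
    <frequency>79200</frequency>
  </syscheck>
</agent_config>
"""


def check_agent_conf(text):
    """Return a list of problems found in agent.conf text; [] means OK."""
    try:
        root = ET.fromstring("<root>" + text + "</root>")
    except ET.ParseError as exc:
        # A mistyped or unbalanced tag lands here; ElementTree reports the
        # line and column of the mismatch relative to the wrapped text.
        return ["not well-formed XML: %s" % exc]
    problems = []
    if not [b for b in root if b.tag == "agent_config"]:
        problems.append("no <agent_config> block found")
    for elem in root:
        if elem.tag != "agent_config":
            problems.append("unexpected top-level element <%s>" % elem.tag)
            continue
        for sc in elem.findall("syscheck"):
            dirs = [d.text.strip() for d in sc.findall("directories")
                    if d.text and d.text.strip()]
            if not dirs:
                problems.append("syscheck block names no <directories>; "
                                "syscheckd will report 1702 and disable itself")
    return problems


def readable_by(mode, file_uid, file_gid, uid, gids):
    """Unix read-permission check for a user (uid, group list) against a
    file's permission bits and owner; root can always read."""
    if uid == 0:
        return True
    if file_uid == uid:
        return bool(mode & stat.S_IRUSR)
    if file_gid in gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def check_file(path, uid, gids):
    """Run both checks on a real file; path and ids are supplied by the caller."""
    st = os.stat(path)
    problems = []
    if not readable_by(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid, uid, gids):
        problems.append("%s is not readable by uid %d" % (path, uid))
    with open(path) as fh:
        problems.extend(check_agent_conf(fh.read()))
    return problems


if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("good", GOOD_CONF),
                       ("empty syscheck", EMPTY_SYSCHECK_CONF)):
        print("%s: %s" % (name, check_agent_conf(conf) or "OK"))
```

To check a deployed copy, call check_file("/var/ossec/etc/shared/agent.conf", uid, gids) with the uid and group list of the OSSEC user that has to read it on that host (the path is the default install location and is an assumption here). An empty list means the file parsed, every syscheck block has something to monitor, and that user can open it.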
