Hi Dan, Thanks for the quick reply. Glad to hear someone else got this working! Unfortunately, I still can't get syscheckd to recognize its settings in agent.conf. Is your config much different from my own? Any chance you can post yours so I can compare?
I've answered your questions below. Any other ideas?

-Michael

On May 18, 1:48 pm, "dan (ddp)" <[email protected]> wrote:
> Using the agent.conf for syscheck works for me on the agents (it does
> not work on the manager).
> Make sure the agent.conf has been transferred to the agents.

agent.conf has been transferred to the agents (verified through the hash from bin/manage_agents and by checking the Agent's etc/shared/agent.conf file contents) and I restarted the ossec agent's process after checking this.

> Make sure the permissions make it readable by the agents.

[root@ossec-agent4 ossec]# ls -lah /var/ossec/etc/shared/agent.conf
-rw-r--r-- 1 ossec ossec 2.5K May 18 12:05 /var/ossec/etc/shared/agent.conf

> Is the agent.conf below the entirety of your agent.conf? Did you
> copy/paste it from an ossec.conf? Simple typos can cause havoc in the
> agent.conf.

What I pasted is the entire contents, yes. I created it by copy+pasting from ossec.conf to eliminate fat-fingered mistakes.

> On Wed, May 18, 2011 at 10:04 AM, Michael Altfield <[email protected]> wrote:
> > Hi list,
> >
> > Has anyone gotten syscheck to work when using the Centralized
> > Configuration file for defining <syscheck />? No matter what I tried,
> > I keep getting
> >
> > ================================================================================
> > ...
> > ossec-syscheckd(1702): INFO: No directory provided for syscheck to
> > monitor.
> > ossec-syscheckd: WARN: Syscheck disabled.
> > ...
> > ================================================================================
> >
> > messages when I restart ossec.
> >
> > Here's my agent's etc/ossec.conf:
> > ================================================================================
> > <ossec_config>
> >   <client>
> >     <server-ip>10.0.0.1</server-ip>
> >   </client>
> > </ossec_config>
> > ================================================================================
> >
> > Here's my etc/shared/agent.conf:
> > ================================================================================
> > <agent_config>
> >   <syscheck>
> >     <!-- Frequency that syscheck is executed - default to every 22 hours -->
> >     <frequency>79200</frequency>
> >
> >     <!-- Directories to check (perform all possible verifications) -->
> >     <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
> >     <directories check_all="yes">/bin,/sbin</directories>
> >     <directories check_all="yes">/datalex</directories>
> >
> >     <!-- Files/directories to ignore -->
> >     <ignore>/etc/mtab</ignore>
> >     <ignore>/etc/mnttab</ignore>
> >     <ignore>/etc/hosts.deny</ignore>
> >     <ignore>/etc/mail/statistics</ignore>
> >     <ignore>/etc/random-seed</ignore>
> >     <ignore>/etc/adjtime</ignore>
> >     <ignore>/etc/httpd/logs</ignore>
> >     <ignore>/etc/utmpx</ignore>
> >     <ignore>/etc/wtmpx</ignore>
> >     <ignore>/etc/cups/certs</ignore>
> >     <ignore>/etc/dumpdates</ignore>
> >     <ignore>/etc/svc/volatile</ignore>
> >
> >     <!-- Windows files to ignore -->
> >     <ignore>C:\WINDOWS/System32/LogFiles</ignore>
> >     <ignore>C:\WINDOWS/Debug</ignore>
> >     <ignore>C:\WINDOWS/WindowsUpdate.log</ignore>
> >     <ignore>C:\WINDOWS/iis6.log</ignore>
> >     <ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
> >     <ignore>C:\WINDOWS/system32/wbem/Repository</ignore>
> >     <ignore>C:\WINDOWS/Prefetch</ignore>
> >     <ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
> >     <ignore>C:\WINDOWS/SoftwareDistribution</ignore>
> >     <ignore>C:\WINDOWS/Temp</ignore>
> >     <ignore>C:\WINDOWS/system32/config</ignore>
> >     <ignore>C:\WINDOWS/system32/spool</ignore>
> >     <ignore>C:\WINDOWS/system32/CatRoot</ignore>
> >   </syscheck>
> > <agent_config>
> > ================================================================================
> >
> > TIA
> > -Michael
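As an added sanity check that is not part of this thread (and not OSSEC's own parser, which has its own lenient rules), the following Python script parses an agent.conf with a strict XML parser, reports whether the file is well-formed, and lists the syscheck directories each <agent_config> block supplies. The constructed sample mirrors the file as pasted above, whose last line reads `<agent_config>` rather than `</agent_config>`; a strict parser rejects that as an unclosed element, and the second sample shows the same file with that tag closed.

```python
"""Sanity-check an OSSEC agent.conf: well-formedness plus the syscheck
directories each <agent_config> block would hand to syscheckd."""
import xml.etree.ElementTree as ET

# Constructed sample, trimmed from the agent.conf in the thread. The final tag is
# the one shown in the post (<agent_config> instead of </agent_config>).
BAD_CONF = """<agent_config>
  <syscheck>
    <frequency>79200</frequency>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <ignore>/etc/mtab</ignore>
  </syscheck>
<agent_config>
"""

# Same content with the block closed properly.
GOOD_CONF = BAD_CONF.replace("\n<agent_config>\n", "\n</agent_config>\n")


def parse_agent_conf(text):
    """Return one dict per <agent_config> block: {'name': ..., 'directories': [...]}.
    agent.conf may hold several top-level <agent_config> blocks, so the text is
    wrapped in a synthetic root before parsing. Raises ValueError if not well-formed."""
    try:
        root = ET.fromstring("<root>" + text + "</root>")
    except ET.ParseError as e:
        raise ValueError(f"agent.conf is not well-formed: {e}") from None
    blocks = []
    for block in root.findall("agent_config"):
        dirs = []
        for d in block.findall("syscheck/directories"):
            dirs.extend(p.strip() for p in (d.text or "").split(",") if p.strip())
        blocks.append({"name": block.get("name"), "directories": dirs})
    return blocks


def check(text):
    """Return (ok, message). ok is False when the file cannot be parsed or no
    block supplies a syscheck directory, i.e. syscheckd would have nothing to
    monitor, which is the symptom the thread reports."""
    try:
        blocks = parse_agent_conf(text)
    except ValueError as e:
        return False, str(e)
    monitored = [d for b in blocks for d in b["directories"]]
    if not monitored:
        return False, "no <directories> found under any <agent_config>/<syscheck>"
    return True, f"{len(blocks)} block(s), monitoring: {', '.join(monitored)}"


if __name__ == "__main__":
    for label, conf in (("as posted", BAD_CONF), ("closing tag fixed", GOOD_CONF)):
        ok, msg = check(conf)
        print(f"{label}: {'OK' if ok else 'FAIL'} - {msg}")
```

Run it against the real file with `check(open("/var/ossec/etc/shared/agent.conf").read())` on the agent after the file has been pushed, so the copy actually read by the agent is the one being checked.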
