Ditto Dan's comment on typos. I screwed up my conf in forgetting to put a close bracket on a directive and couldn't figure out what was wrong for the life of me. Fortunately, it was the very last line I added to agent.conf. After fixing it everything worked perfectly. So make sure all your directives are valid (and using valid input) and make sure there are no syntax errors. Double-check and the best way, really, is just to start off small.
In fact, I just reviewed your agent.conf that you listed and found something below (in red):

<agent_config>
  <syscheck>
    <!-- Frequency that syscheck is executed - default to every 22 hours -->
    <frequency>79200</frequency>

    <!-- Directories to check (perform all possible verifications) -->
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>
    <directories check_all="yes">/datalex</directories>

    <!-- Files/directories to ignore -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/mnttab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
    <ignore>/etc/utmpx</ignore>
    <ignore>/etc/wtmpx</ignore>
    <ignore>/etc/cups/certs</ignore>
    <ignore>/etc/dumpdates</ignore>
    <ignore>/etc/svc/volatile</ignore>

    <!-- Windows files to ignore -->
    <ignore>C:\WINDOWS/System32/LogFiles</ignore>
    <ignore>C:\WINDOWS/Debug</ignore>
    <ignore>C:\WINDOWS/WindowsUpdate.log</ignore>
    <ignore>C:\WINDOWS/iis6.log</ignore>
    <ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
    <ignore>C:\WINDOWS/system32/wbem/Repository</ignore>
    <ignore>C:\WINDOWS/Prefetch</ignore>
    <ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
    <ignore>C:\WINDOWS/SoftwareDistribution</ignore>
    <ignore>C:\WINDOWS/Temp</ignore>
    <ignore>C:\WINDOWS/system32/config</ignore>
    <ignore>C:\WINDOWS/system32/spool</ignore>
    <ignore>C:\WINDOWS/system32/CatRoot</ignore>
  </syscheck>
*<agent_config>*

That should be </agent_config> I believe :) Unless you inadvertently pasted that into your initial thread by accident and really do have the slash there in the conf. But let us know!

--Jeremy

On Wed, May 18, 2011 at 11:43 AM, Michael Altfield <[email protected]> wrote:
> Hi Dan,
>
> Thanks for the quick reply. Glad to hear someone else got this working! Unfortunately, I still can't get syscheckd to recognize its settings in agent.conf. Is your config much different from my own? Any chance you can post yours so I can compare?
>
> I've answered your questions below. Any other ideas?
>
> -Michael
>
> On May 18, 1:48 pm, "dan (ddp)" <[email protected]> wrote:
> > Using the agent.conf for syscheck works for me on the agents (it does not work on the manager).
> > Make sure the agent.conf has been transferred to the agents.
>
> agent.conf has been transferred to the agents (verified through the hash from bin/manage_agents and by checking the Agent's etc/shared/agent.conf file contents) and I restarted the ossec agent's process after checking this.
>
> > Make sure the permissions make it readable by the agents.
>
> [root@ossec-agent4 ossec]# ls -lah /var/ossec/etc/shared/agent.conf
> -rw-r--r-- 1 ossec ossec 2.5K May 18 12:05 /var/ossec/etc/shared/agent.conf
>
> > Is the agent.conf below the entirety of your agent.conf? Did you copy/paste it from an ossec.conf? Simple typos can cause havoc in the agent.conf.
>
> What I pasted is the entire contents, yes. I created it by copy+pasting from ossec.conf to eliminate fat-fingered mistakes.
>
> > On Wed, May 18, 2011 at 10:04 AM, Michael Altfield <[email protected]> wrote:
> > > Hi list,
> > >
> > > Has anyone gotten syscheck to work when using the Centralized Configuration file for defining <syscheck />? No matter what I tried, I keep getting
> > >
> > > ================================================================================
> > > ...
> > > ossec-syscheckd(1702): INFO: No directory provided for syscheck to monitor.
> > > ossec-syscheckd: WARN: Syscheck disabled.
> > > ...
> > > ================================================================================
> > >
> > > messages when I restart ossec.
> > >
> > > Here's my agent's etc/ossec.conf:
> > > ================================================================================
> > > <ossec_config>
> > >   <client>
> > >     <server-ip>10.0.0.1</server-ip>
> > >   </client>
> > > </ossec_config>
> > > ================================================================================
> > >
> > > Here's my etc/shared/agent.conf:
> > > ================================================================================
> > > <agent_config>
> > >   <syscheck>
> > >     <!-- Frequency that syscheck is executed - default to every 22 hours -->
> > >     <frequency>79200</frequency>
> > >
> > >     <!-- Directories to check (perform all possible verifications) -->
> > >     <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
> > >     <directories check_all="yes">/bin,/sbin</directories>
> > >     <directories check_all="yes">/datalex</directories>
> > >
> > >     <!-- Files/directories to ignore -->
> > >     <ignore>/etc/mtab</ignore>
> > >     <ignore>/etc/mnttab</ignore>
> > >     <ignore>/etc/hosts.deny</ignore>
> > >     <ignore>/etc/mail/statistics</ignore>
> > >     <ignore>/etc/random-seed</ignore>
> > >     <ignore>/etc/adjtime</ignore>
> > >     <ignore>/etc/httpd/logs</ignore>
> > >     <ignore>/etc/utmpx</ignore>
> > >     <ignore>/etc/wtmpx</ignore>
> > >     <ignore>/etc/cups/certs</ignore>
> > >     <ignore>/etc/dumpdates</ignore>
> > >     <ignore>/etc/svc/volatile</ignore>
> > >
> > >     <!-- Windows files to ignore -->
> > >     <ignore>C:\WINDOWS/System32/LogFiles</ignore>
> > >     <ignore>C:\WINDOWS/Debug</ignore>
> > >     <ignore>C:\WINDOWS/WindowsUpdate.log</ignore>
> > >     <ignore>C:\WINDOWS/iis6.log</ignore>
> > >     <ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
> > >     <ignore>C:\WINDOWS/system32/wbem/Repository</ignore>
> > >     <ignore>C:\WINDOWS/Prefetch</ignore>
> > >     <ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
> > >     <ignore>C:\WINDOWS/SoftwareDistribution</ignore>
> > >     <ignore>C:\WINDOWS/Temp</ignore>
> > >     <ignore>C:\WINDOWS/system32/config</ignore>
> > >     <ignore>C:\WINDOWS/system32/spool</ignore>
> > >     <ignore>C:\WINDOWS/system32/CatRoot</ignore>
> > >   </syscheck>
> > > <agent_config>
> > > ================================================================================
> > >
> > > TIA
> > > -Michael
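To catch this kind of typo before an agent.conf is pushed out, here is an added example (my own script, not OSSEC code and not from anyone in this thread) that parses the file with Python's standard XML parser, reports an element left open at end of file (the `<agent_config>` vs `</agent_config>` case above), and flags any `<syscheck>` block that lists no `<directories>`, which is the condition behind the "No directory provided for syscheck to monitor" message. It assumes a standard XML parser, which is stricter than OSSEC's own config parser in places, so a failure here points you at a line to inspect rather than proving OSSEC would reject the file.

```python
import xml.etree.ElementTree as ET


def check_agent_conf(text):
    """Return a list of problems found in an agent.conf; [] means it looks sane.

    The file may hold several <agent_config> blocks side by side, so it is
    wrapped in a synthetic root element before parsing.
    """
    problems = []
    nlines = text.count("\n") + 1
    try:
        root = ET.fromstring("<root>\n" + text + "\n</root>")
    except ET.ParseError as err:
        line, col = err.position  # position inside the wrapped text
        if line - 1 > nlines:
            # Parser only tripped over the synthetic </root>: some element in
            # the file was never closed (the unclosed <agent_config> above).
            problems.append("an element is left open at end of file (%s)" % err)
        else:
            problems.append("syntax error at line %d, column %d: %s" % (line - 1, col, err))
        return problems

    blocks = root.findall("agent_config")
    if not blocks:
        problems.append("no <agent_config> block found")
    for i, block in enumerate(blocks, 1):
        label = block.get("name") or block.get("os") or block.get("profile") or "#%d" % i
        for sc in block.findall("syscheck"):
            dirs = [d for d in sc.findall("directories") if d.text and d.text.strip()]
            if not dirs:
                problems.append("agent_config %s: <syscheck> lists no <directories>, "
                                "syscheckd would report 'No directory provided'" % label)
    return problems


# Constructed input, condensed from the thread: the last line repeats
# <agent_config> where </agent_config> was intended.
BROKEN_CONF = """<agent_config>
  <syscheck>
    <!-- Frequency that syscheck is executed - default to every 22 hours -->
    <frequency>79200</frequency>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <ignore>C:\\WINDOWS/Temp</ignore>
  </syscheck>
<agent_config>
"""
FIXED_CONF = BROKEN_CONF[: BROKEN_CONF.rindex("<agent_config>")] + "</agent_config>\n"

if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(name + ":", check_agent_conf(conf) or "OK")
```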
