I got the agents working on my win2008r2 servers using a very basic
agent.conf. Once that worked, I created a much more specific
agent.conf, and verify-agent-conf now reports the error
"XML error, element not closed directories line 284". Several
engineers have reviewed the file and none of us can find an element
that is not closed. Can you see any problem in this agent.conf that
would cause this error?

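<agent_config name="agent1|agent2">
  <!-- Syscheck (file integrity monitoring) settings for the agents listed in
       the name attribute. Lines that the mail client had wrapped are rejoined
       here: an end tag split after its leading slash is not well-formed XML,
       and a line break inside a path or registry key becomes part of the value. -->
  <syscheck>
    <!-- Scan interval in seconds. -->
    <frequency>3600</frequency>
    <disabled>no</disabled>

    <!-- Site-specific directory.
         NOTE(review): the reported error names a directories element. If the
         real path ends in a backslash immediately before the closing tag,
         confirm whether the OSSEC XML reader treats that backslash as an
         escape for the following "<"; removing a trailing backslash is a
         cheap test. -->
    <directories check_all="yes">D:\examplecustomdir</directories>

    <!-- Default files to be monitored - system32 only. -->
    <directories check_all="yes">%WINDIR%/win.ini</directories>
    <directories check_all="yes">%WINDIR%/system.ini</directories>
    <directories check_all="yes">C:\autoexec.bat</directories>
    <directories check_all="yes">C:\config.sys</directories>
    <directories check_all="yes">C:\boot.ini</directories>
    <directories check_all="yes">%WINDIR%/System32/CONFIG.NT</directories>
    <directories check_all="yes">%WINDIR%/System32/AUTOEXEC.NT</directories>
    <directories check_all="yes">%WINDIR%/System32/at.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/attrib.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/cacls.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/debug.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/drwatson.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/drwtsn32.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/edlin.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/eventcreate.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/eventtriggers.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/ftp.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/net.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/net1.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/netsh.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/rcp.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/reg.exe</directories>
    <directories check_all="yes">%WINDIR%/regedit.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/regedt32.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/regsvr32.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/rexec.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/rsh.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/runas.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/sc.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/subst.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/telnet.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/tftp.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/tlntsvr.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/drivers/etc</directories>
    <directories check_all="yes">C:\Documents and Settings/All Users/Start Menu/Programs/Startup</directories>

    <!-- Files excluded from the scan by name suffix. This applies under every
         monitored directory above, including the Startup folder and the
         custom directory, so changes to files with these suffixes are not
         reported. -->
    <ignore type="sregex">.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$</ignore>

    <!-- Windows registry entries to monitor. -->
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\batfile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\cmdfile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\comfile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\exefile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\piffile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Directory</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Folder</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Protocols</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Policies</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Security</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer</windows_registry>

    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg</windows_registry>

    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon</windows_registry>

    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components</windows_registry>

    <!-- Windows registry entries to ignore. -->
    <registry_ignore>HKEY_LOCAL_MACHINE\Security\Policy\Secrets</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users</registry_ignore>
    <registry_ignore type="sregex">\Enum$</registry_ignore>

    <!-- NOTE(review): the entries below end in "*" and most name a registry
         value (crashonauditfail, fDenyTSConnections, AutoAdminLogon, ...)
         rather than a key. Confirm that the installed syscheck version accepts
         wildcards and value names in windows_registry; if it does not, these
         security-relevant settings may go unmonitored without any warning.
         The Winlogon\AutoAdminLogon entry also appears twice, differing only
         in letter case. -->
    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\crashonauditfail*</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections*</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon*</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser*</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle*</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\SOFTWARE*</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon*</windows_registry>

    <!-- NOTE(review): presumably a manager-side option; confirm it has any
         effect when set in agent.conf. -->
    <alert_new_files>yes</alert_new_files>
  </syscheck>
</agent_config>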

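<agent_config name="agent3|agent4">
  <!-- Syscheck (file integrity monitoring) settings for the agents listed in
       the name attribute. Lines that the mail client had wrapped are rejoined
       here: an end tag split after its leading slash is not well-formed XML,
       and a line break inside a path or registry key becomes part of the value. -->
  <syscheck>
    <!-- Scan interval in seconds. -->
    <frequency>3600</frequency>
    <disabled>no</disabled>

    <!-- Site-specific directory.
         NOTE(review): the reported error names a directories element. If the
         real path ends in a backslash immediately before the closing tag,
         confirm whether the OSSEC XML reader treats that backslash as an
         escape for the following "<"; removing a trailing backslash is a
         cheap test. -->
    <directories check_all="yes">D:\customexampledir</directories>

    <!-- Default files to be monitored - system32 only. -->
    <directories check_all="yes">%WINDIR%/win.ini</directories>
    <directories check_all="yes">%WINDIR%/system.ini</directories>
    <directories check_all="yes">C:\autoexec.bat</directories>
    <directories check_all="yes">C:\config.sys</directories>
    <directories check_all="yes">C:\boot.ini</directories>
    <directories check_all="yes">%WINDIR%/System32/CONFIG.NT</directories>
    <directories check_all="yes">%WINDIR%/System32/AUTOEXEC.NT</directories>
    <directories check_all="yes">%WINDIR%/System32/at.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/attrib.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/cacls.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/debug.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/drwatson.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/drwtsn32.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/edlin.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/eventcreate.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/eventtriggers.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/ftp.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/net.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/net1.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/netsh.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/rcp.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/reg.exe</directories>
    <directories check_all="yes">%WINDIR%/regedit.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/regedt32.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/regsvr32.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/rexec.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/rsh.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/runas.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/sc.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/subst.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/telnet.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/tftp.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/tlntsvr.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/drivers/etc</directories>
    <directories check_all="yes">C:\Documents and Settings/All Users/Start Menu/Programs/Startup</directories>

    <!-- Files excluded from the scan by name suffix. This applies under every
         monitored directory above, including the Startup folder and the
         custom directory, so changes to files with these suffixes are not
         reported. -->
    <ignore type="sregex">.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$</ignore>

    <!-- Windows registry entries to monitor. -->
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\batfile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\cmdfile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\comfile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\exefile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\piffile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Directory</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Folder</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Protocols</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Policies</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Security</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer</windows_registry>

    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg</windows_registry>

    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon</windows_registry>

    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components</windows_registry>

    <!-- Windows registry entries to ignore. -->
    <registry_ignore>HKEY_LOCAL_MACHINE\Security\Policy\Secrets</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users</registry_ignore>
    <registry_ignore type="sregex">\Enum$</registry_ignore>

    <!-- NOTE(review): the entries below end in "*" and most name a registry
         value (crashonauditfail, fDenyTSConnections, AutoAdminLogon, ...)
         rather than a key. Confirm that the installed syscheck version accepts
         wildcards and value names in windows_registry; if it does not, these
         security-relevant settings may go unmonitored without any warning.
         The Winlogon\AutoAdminLogon entry also appears twice, differing only
         in letter case. -->
    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\crashonauditfail*</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections*</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon*</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser*</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle*</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\SOFTWARE*</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon*</windows_registry>

    <!-- NOTE(review): presumably a manager-side option; confirm it has any
         effect when set in agent.conf. -->
    <alert_new_files>yes</alert_new_files>
  </syscheck>
</agent_config>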


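<agent_config name="agent5|agent6|agent7">
  <!-- Syscheck (file integrity monitoring) settings for the agents listed in
       the name attribute. Lines that the mail client had wrapped are rejoined
       here: an end tag split after its leading slash is not well-formed XML,
       and a line break inside a path or registry key becomes part of the value. -->
  <syscheck>
    <!-- Scan interval in seconds. -->
    <frequency>3600</frequency>
    <disabled>no</disabled>

    <!-- Site-specific directory.
         NOTE(review): the reported error names a directories element. If the
         real path ends in a backslash immediately before the closing tag,
         confirm whether the OSSEC XML reader treats that backslash as an
         escape for the following "<"; removing a trailing backslash is a
         cheap test. -->
    <directories check_all="yes">D:\customexampledir</directories>

    <!-- Default files to be monitored - system32 only. -->
    <directories check_all="yes">%WINDIR%/win.ini</directories>
    <directories check_all="yes">%WINDIR%/system.ini</directories>
    <directories check_all="yes">C:\autoexec.bat</directories>
    <directories check_all="yes">C:\config.sys</directories>
    <directories check_all="yes">C:\boot.ini</directories>
    <directories check_all="yes">%WINDIR%/System32/CONFIG.NT</directories>
    <directories check_all="yes">%WINDIR%/System32/AUTOEXEC.NT</directories>
    <directories check_all="yes">%WINDIR%/System32/at.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/attrib.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/cacls.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/debug.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/drwatson.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/drwtsn32.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/edlin.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/eventcreate.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/eventtriggers.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/ftp.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/net.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/net1.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/netsh.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/rcp.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/reg.exe</directories>
    <directories check_all="yes">%WINDIR%/regedit.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/regedt32.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/regsvr32.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/rexec.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/rsh.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/runas.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/sc.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/subst.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/telnet.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/tftp.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/tlntsvr.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/drivers/etc</directories>
    <directories check_all="yes">C:\Documents and Settings/All Users/Start Menu/Programs/Startup</directories>

    <!-- Files excluded from the scan by name suffix. This applies under every
         monitored directory above, including the Startup folder and the
         custom directory, so changes to files with these suffixes are not
         reported. -->
    <ignore type="sregex">.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$</ignore>

    <!-- Windows registry entries to monitor. -->
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\batfile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\cmdfile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\comfile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\exefile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\piffile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Directory</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Folder</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Protocols</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Policies</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Security</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer</windows_registry>

    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg</windows_registry>

    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon</windows_registry>

    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components</windows_registry>

    <!-- Windows registry entries to ignore. -->
    <registry_ignore>HKEY_LOCAL_MACHINE\Security\Policy\Secrets</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users</registry_ignore>
    <registry_ignore type="sregex">\Enum$</registry_ignore>

    <!-- NOTE(review): the entries below end in "*" and most name a registry
         value (crashonauditfail, fDenyTSConnections, AutoAdminLogon, ...)
         rather than a key. Confirm that the installed syscheck version accepts
         wildcards and value names in windows_registry; if it does not, these
         security-relevant settings may go unmonitored without any warning.
         The Winlogon\AutoAdminLogon entry also appears twice, differing only
         in letter case. -->
    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\crashonauditfail*</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections*</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon*</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser*</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle*</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\SOFTWARE*</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon*</windows_registry>

    <!-- NOTE(review): presumably a manager-side option; confirm it has any
         effect when set in agent.conf. -->
    <alert_new_files>yes</alert_new_files>
  </syscheck>
</agent_config>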

