If you can attach your conf as a text file, I can have a look at it. The one you pasted below, changed the line numbers, so I can't find anything around line 284.
On Mon, Jul 11, 2011 at 11:18 AM, brighamr <[email protected]> wrote: > I got the agents working on my win2008r2 servers using a very basic > agent.conf. After that worked I created a much more specific > agent.conf and am getting an error from verify-agent-conf which states > "XML error, element not closed directories line 284". I have passed my > file by several engineers and none of us can find any element which is > not closed. Can you see any problems with this agent.conf which would > cause this error? > > <agent_config name="agent1|agent2"> > <syscheck> > <frequency>3600</frequency> > <disabled>no</disabled> > <directories check_all="yes">D:\examplecustomdir</directories> > > <!-- Default files to be monitored - system32 only. --> > <directories check_all="yes">%WINDIR%/win.ini</directories> > <directories check_all="yes">%WINDIR%/system.ini</directories> > <directories check_all="yes">C:\autoexec.bat</directories> > <directories check_all="yes">C:\config.sys</directories> > <directories check_all="yes">C:\boot.ini</directories> > <directories check_all="yes">%WINDIR%/System32/CONFIG.NT</ > directories> > <directories check_all="yes">%WINDIR%/System32/AUTOEXEC.NT</ > directories> > <directories check_all="yes">%WINDIR%/System32/at.exe</ > directories> > <directories check_all="yes">%WINDIR%/System32/attrib.exe</ > directories> > <directories check_all="yes">%WINDIR%/System32/cacls.exe</ > directories> > <directories check_all="yes">%WINDIR%/System32/debug.exe</ > directories> > <directories check_all="yes">%WINDIR%/System32/drwatson.exe</ > directories> > <directories check_all="yes">%WINDIR%/System32/drwtsn32.exe</ > directories> > <directories check_all="yes">%WINDIR%/System32/edlin.exe</ > directories> > <directories check_all="yes">%WINDIR%/System32/eventcreate.exe</ > directories> > <directories check_all="yes">%WINDIR%/System32/eventtriggers.exe</ > directories> > <directories check_all="yes">%WINDIR%/System32/ftp.exe</ > directories> > <directories check_all="yes">%WINDIR%/System32/net.exe</ > directories> > <directories check_all="yes">%WINDIR%/System32/net1.exe</ > directories> > <directories check_all="yes">%WINDIR%/System32/netsh.exe</ > directories> > <directories check_all="yes">%WINDIR%/System32/rcp.exe</ > directories> > <directories check_all="yes">%WINDIR%/System32/reg.exe</ > directories> > <directories check_all="yes">%WINDIR%/regedit.exe</directories> > <directories check_all="yes">%WINDIR%/System32/regedt32.exe</ > directories> > <directories check_all="yes">%WINDIR%/System32/regsvr32.exe</ > directories> > <directories check_all="yes">%WINDIR%/System32/rexec.exe</ > directories> > <directories check_all="yes">%WINDIR%/System32/rsh.exe</ > directories> > <directories check_all="yes">%WINDIR%/System32/runas.exe</ > directories> > <directories check_all="yes">%WINDIR%/System32/sc.exe</ > directories> > <directories check_all="yes">%WINDIR%/System32/subst.exe</ > directories> > <directories check_all="yes">%WINDIR%/System32/telnet.exe</ > directories> > <directories check_all="yes">%WINDIR%/System32/tftp.exe</ > directories> > <directories check_all="yes">%WINDIR%/System32/tlntsvr.exe</ > directories> > <directories check_all="yes">%WINDIR%/System32/drivers/etc</ > directories> > <directories check_all="yes">C:\Documents and Settings/All Users/ > Start Menu/Programs/Startup</directories> > <ignore type="sregex">.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$</ > ignore> > > > <!-- Windows registry entries to monitor. --> > <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\batfile</ > windows_registry> > <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\cmdfile</ > windows_registry> > <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\comfile</ > windows_registry> > <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\exefile</ > windows_registry> > <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\piffile</ > windows_registry> > <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes > \AllFilesystemObjects</windows_registry> > <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Directory</ > windows_registry> > <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Folder</ > windows_registry> > <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Protocols</ > windows_registry> > <windows_registry>HKEY_LOCAL_MACHINE\Software\Policies</ > windows_registry> > <windows_registry>HKEY_LOCAL_MACHINE\Security</windows_registry> > <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Internet > Explorer</windows_registry> > > > <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet > \Services</windows_registry> > <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet > \Control\Session Manager\KnownDLLs</windows_registry> > <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet > \Control\SecurePipeServers\winreg</windows_registry> > > <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows > \CurrentVersion\Run</windows_registry> > <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows > \CurrentVersion\RunOnce</windows_registry> > <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows > \CurrentVersion\RunOnceEx</windows_registry> > <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows > \CurrentVersion\URL</windows_registry> > <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows > \CurrentVersion\Policies</windows_registry> > <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT > \CurrentVersion\Windows</windows_registry> > <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT > \CurrentVersion\Winlogon</windows_registry> > > <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Active > Setup\Installed Components</windows_registry> > > > > <!-- Windows registry entries to ignore. --> > <registry_ignore>HKEY_LOCAL_MACHINE\Security\Policy\Secrets</ > registry_ignore> > <registry_ignore>HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account > \Users</registry_ignore> > <registry_ignore type="sregex">\Enum$</registry_ignore> > > <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet > \Control\Lsa\crashonauditfail*</windows_registry> > <windows_registry>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet > \Control\Terminal Server\fDenyTSConnections*</windows_registry> > <windows_registry>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT > \CurrentVersion\Winlogon\AutoAdminLogon*</windows_registry> > <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows > \CurrentVersion\Policies\System\ConsentPromptBehaviorUser*</ > windows_registry> > <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows > \CurrentVersion\Policies\System\EnableUIADesktopToggle*</ > windows_registry> > <windows_registry>HKEY_LOCAL_MACHINE\SOFTWARE*</windows_registry> > <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT > \CurrentVersion\Winlogon\AutoAdminLogon*</windows_registry> > <alert_new_files>yes</alert_new_files> > </syscheck> > </agent_config> > > <agent_config name="agent3|agent4"> > <syscheck> > <frequency>3600</frequency> > <disabled>no</disabled> > <directories check_all="yes">D:\customexampledir</directories> > > <!-- Default files to be monitored - system32 only. --> > <directories check_all="yes">%WINDIR%/win.ini</directories> > <directories check_all="yes">%WINDIR%/system.ini</directories> > <directories check_all="yes">C:\autoexec.bat</directories> > <directories check_all="yes">C:\config.sys</directories> > <directories check_all="yes">C:\boot.ini</directories> > <directories check_all="yes">%WINDIR%/System32/CONFIG.NT</ > directories> > <directories check_all="yes">%WINDIR%/System32/AUTOEXEC.NT</ > directories> > <directories check_all="yes">%WINDIR%/System32/at.exe</ > directories> > <directories check_all="yes">%WINDIR%/System32/attrib.exe</ > directories> > <directories check_all="yes">%WINDIR%/System32/cacls.exe</ > directories> > <directories check_all="yes">%WINDIR%/System32/debug.exe</ > directories> > <directories check_all="yes">%WINDIR%/System32/drwatson.exe</ > directories> > <directories check_all="yes">%WINDIR%/System32/drwtsn32.exe</ > directories> > <directories check_all="yes">%WINDIR%/System32/edlin.exe</ > directories> > <directories check_all="yes">%WINDIR%/System32/eventcreate.exe</ > directories> > <directories check_all="yes">%WINDIR%/System32/eventtriggers.exe</ > directories> > <directories check_all="yes">%WINDIR%/System32/ftp.exe</ > directories> > <directories check_all="yes">%WINDIR%/System32/net.exe</ > directories> > <directories check_all="yes">%WINDIR%/System32/net1.exe</ > directories> > <directories check_all="yes">%WINDIR%/System32/netsh.exe</ > directories> > <directories check_all="yes">%WINDIR%/System32/rcp.exe</ > directories> > <directories check_all="yes">%WINDIR%/System32/reg.exe</ > directories> > <directories check_all="yes">%WINDIR%/regedit.exe</directories> > <directories check_all="yes">%WINDIR%/System32/regedt32.exe</ > directories> > <directories check_all="yes">%WINDIR%/System32/regsvr32.exe</ > directories> > <directories check_all="yes">%WINDIR%/System32/rexec.exe</ > directories> > <directories check_all="yes">%WINDIR%/System32/rsh.exe</ > directories> > <directories check_all="yes">%WINDIR%/System32/runas.exe</ > directories> > <directories check_all="yes">%WINDIR%/System32/sc.exe</ > directories> > <directories check_all="yes">%WINDIR%/System32/subst.exe</ > directories> > <directories check_all="yes">%WINDIR%/System32/telnet.exe</ > directories> > <directories check_all="yes">%WINDIR%/System32/tftp.exe</ > directories> > <directories check_all="yes">%WINDIR%/System32/tlntsvr.exe</ > directories> > <directories check_all="yes">%WINDIR%/System32/drivers/etc</ > directories> > <directories check_all="yes">C:\Documents and Settings/All Users/ > Start Menu/Programs/Startup</directories> > <ignore type="sregex">.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$</ > ignore> > > > <!-- Windows registry entries to monitor. --> > <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\batfile</ > windows_registry> > <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\cmdfile</ > windows_registry> > <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\comfile</ > windows_registry> > <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\exefile</ > windows_registry> > <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\piffile</ > windows_registry> > <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes > \AllFilesystemObjects</windows_registry> > <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Directory</ > windows_registry> > <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Folder</ > windows_registry> > <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Protocols</ > windows_registry> > <windows_registry>HKEY_LOCAL_MACHINE\Software\Policies</ > windows_registry> > <windows_registry>HKEY_LOCAL_MACHINE\Security</windows_registry> > <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Internet > Explorer</windows_registry> > > > <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet > \Services</windows_registry> > <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet > \Control\Session Manager\KnownDLLs</windows_registry> > <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet > \Control\SecurePipeServers\winreg</windows_registry> > > <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows > \CurrentVersion\Run</windows_registry> > <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows > \CurrentVersion\RunOnce</windows_registry> > <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows > \CurrentVersion\RunOnceEx</windows_registry> > <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows > \CurrentVersion\URL</windows_registry> > <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows > \CurrentVersion\Policies</windows_registry> > <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT > \CurrentVersion\Windows</windows_registry> > <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT > \CurrentVersion\Winlogon</windows_registry> > > <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Active > Setup\Installed Components</windows_registry> > > > > <!-- Windows registry entries to ignore. --> > <registry_ignore>HKEY_LOCAL_MACHINE\Security\Policy\Secrets</ > registry_ignore> > <registry_ignore>HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account > \Users</registry_ignore> > <registry_ignore type="sregex">\Enum$</registry_ignore> > > <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet > \Control\Lsa\crashonauditfail*</windows_registry> > <windows_registry>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet > \Control\Terminal Server\fDenyTSConnections*</windows_registry> > <windows_registry>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT > \CurrentVersion\Winlogon\AutoAdminLogon*</windows_registry> > <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows > \CurrentVersion\Policies\System\ConsentPromptBehaviorUser*</ > windows_registry> > <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows > \CurrentVersion\Policies\System\EnableUIADesktopToggle*</ > windows_registry> > <windows_registry>HKEY_LOCAL_MACHINE\SOFTWARE*</windows_registry> > <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT > \CurrentVersion\Winlogon\AutoAdminLogon*</windows_registry> > <alert_new_files>yes</alert_new_files> > </syscheck> > </agent_config> > > > <agent_config name="agent5|agent6|agent7"> > <syscheck> > <frequency>3600</frequency> > <disabled>no</disabled> > <directories check_all="yes">D:\customexampledir</directories> > > <!-- Default files to be monitored - system32 only. --> > <directories check_all="yes">%WINDIR%/win.ini</directories> > <directories check_all="yes">%WINDIR%/system.ini</directories> > <directories check_all="yes">C:\autoexec.bat</directories> > <directories check_all="yes">C:\config.sys</directories> > <directories check_all="yes">C:\boot.ini</directories> > <directories check_all="yes">%WINDIR%/System32/CONFIG.NT</ > directories> > <directories check_all="yes">%WINDIR%/System32/AUTOEXEC.NT</ > directories> > <directories check_all="yes">%WINDIR%/System32/at.exe</ > directories> > <directories check_all="yes">%WINDIR%/System32/attrib.exe</ > directories> > <directories check_all="yes">%WINDIR%/System32/cacls.exe</ > directories> > <directories check_all="yes">%WINDIR%/System32/debug.exe</ > directories> > <directories check_all="yes">%WINDIR%/System32/drwatson.exe</ > directories> > <directories check_all="yes">%WINDIR%/System32/drwtsn32.exe</ > directories> > <directories check_all="yes">%WINDIR%/System32/edlin.exe</ > directories> > <directories check_all="yes">%WINDIR%/System32/eventcreate.exe</ > directories> > <directories check_all="yes">%WINDIR%/System32/eventtriggers.exe</ > directories> > <directories check_all="yes">%WINDIR%/System32/ftp.exe</ > directories> > <directories check_all="yes">%WINDIR%/System32/net.exe</ > directories> > <directories check_all="yes">%WINDIR%/System32/net1.exe</ > directories> > <directories check_all="yes">%WINDIR%/System32/netsh.exe</ > directories> > <directories check_all="yes">%WINDIR%/System32/rcp.exe</ > directories> > <directories check_all="yes">%WINDIR%/System32/reg.exe</ > directories> > <directories check_all="yes">%WINDIR%/regedit.exe</directories> > <directories check_all="yes">%WINDIR%/System32/regedt32.exe</ > directories> > <directories check_all="yes">%WINDIR%/System32/regsvr32.exe</ > directories> > <directories check_all="yes">%WINDIR%/System32/rexec.exe</ > directories> > <directories check_all="yes">%WINDIR%/System32/rsh.exe</ > directories> > <directories check_all="yes">%WINDIR%/System32/runas.exe</ > directories> > <directories check_all="yes">%WINDIR%/System32/sc.exe</ > directories> > <directories check_all="yes">%WINDIR%/System32/subst.exe</ > directories> > <directories check_all="yes">%WINDIR%/System32/telnet.exe</ > directories> > <directories check_all="yes">%WINDIR%/System32/tftp.exe</ > directories> > <directories check_all="yes">%WINDIR%/System32/tlntsvr.exe</ > directories> > <directories check_all="yes">%WINDIR%/System32/drivers/etc</ > directories> > <directories check_all="yes">C:\Documents and Settings/All Users/ > Start Menu/Programs/Startup</directories> > <ignore type="sregex">.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$</ > ignore> > > > <!-- Windows registry entries to monitor. --> > <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\batfile</ > windows_registry> > <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\cmdfile</ > windows_registry> > <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\comfile</ > windows_registry> > <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\exefile</ > windows_registry> > <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\piffile</ > windows_registry> > <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes > \AllFilesystemObjects</windows_registry> > <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Directory</ > windows_registry> > <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Folder</ > windows_registry> > <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Protocols</ > windows_registry> > <windows_registry>HKEY_LOCAL_MACHINE\Software\Policies</ > windows_registry> > <windows_registry>HKEY_LOCAL_MACHINE\Security</windows_registry> > <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Internet > Explorer</windows_registry> > > > <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet > \Services</windows_registry> > <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet > \Control\Session Manager\KnownDLLs</windows_registry> > <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet > \Control\SecurePipeServers\winreg</windows_registry> > > <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows > \CurrentVersion\Run</windows_registry> > <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows > \CurrentVersion\RunOnce</windows_registry> > <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows > \CurrentVersion\RunOnceEx</windows_registry> > <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows > \CurrentVersion\URL</windows_registry> > <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows > \CurrentVersion\Policies</windows_registry> > <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT > \CurrentVersion\Windows</windows_registry> > <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT > \CurrentVersion\Winlogon</windows_registry> > > <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Active > Setup\Installed Components</windows_registry> > > > > <!-- Windows registry entries to ignore. --> > <registry_ignore>HKEY_LOCAL_MACHINE\Security\Policy\Secrets</ > registry_ignore> > <registry_ignore>HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account > \Users</registry_ignore> > <registry_ignore type="sregex">\Enum$</registry_ignore> > > <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet > \Control\Lsa\crashonauditfail*</windows_registry> > <windows_registry>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet > \Control\Terminal Server\fDenyTSConnections*</windows_registry> > <windows_registry>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT > \CurrentVersion\Winlogon\AutoAdminLogon*</windows_registry> > <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows > \CurrentVersion\Policies\System\ConsentPromptBehaviorUser*</ > windows_registry> > <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows > \CurrentVersion\Policies\System\EnableUIADesktopToggle*</ > windows_registry> > <windows_registry>HKEY_LOCAL_MACHINE\SOFTWARE*</windows_registry> > <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT > \CurrentVersion\Winlogon\AutoAdminLogon*</windows_registry> > <alert_new_files>yes</alert_new_files> > </syscheck> > </agent_config> > > >
