Hello Andy, I did exactly as you described and still received the same error "Error reading XML file '/var/ossec/etc/shared/agent.conf' : XML ERR: element not closed: directories (line 275).
My file size was 19299 for the new file which indicates all of the new line chars and astericks have been removed. The permissions are as they should be. I'm stumped! Is there any way my verify-agent-conf script could have gotten corrupted? What other troubleshooting steps can I perform? Thanks! On Jul 12, 7:49 pm, "Andy Cockroft \(andic\)" <[email protected]> wrote: > Hi Glenn > > The file attached earlier works fine for me as well, so I would begin to look > for "white noise" characters - unprintable but may upset your verify > > By way of explanation, what I did was download the file you uploaded on 12th > at 5:58am (your time) via Microsoft Outlook > > I opened the file in notepad (which implies that you actually do have > line-feed characters in that version of the file - but no worries) > > What I did then is select all and copy to clipboard - then in a Console (I > use Putty), I created a new agent.conf using nano - and pasted all the data > into it. Saved and exited > > Then ran ./verify-agent-conf successfully > > Works for me on almost brand-new release from dcid-ossec-hids-d465e7d19b05 > > Andy > > > > -----Original Message----- > From: [email protected] [mailto:[email protected]] On > Behalf Of brighamr > Sent: Wednesday, 13 July 2011 10:33 a.m. > To: ossec-list > Subject: [ossec-list] Re: file attached - agent.conf > > v 2.5.1. everything else has worked flawlessly except this file wont pass > verify-agent-conf, and due to this it wont work correctly on the agents. I'm > at a loss, but absolutely appreciate everyone's help! > > On Jul 12, 12:49 pm, Christopher Moraes <[email protected]> wrote: > > Glenn, which version of OSSEC are you using? > > > On Tue, Jul 12, 2011 at 12:24 PM, brighamr <[email protected]> wrote: > > > Chris, > > > > Thannk you. I copied this file onto the server and attempted to > > > verify. I am still getting an element not closed error. Is there > > > anything that would make verify-agent-conf not work correctly? > > > > -Glenn > > > > On Jul 12, 7:02 am, Christopher Moraes <[email protected]> wrote: > > > > Hi Glen, > > > > > I've attached the modified agent.conf. > > > > > Regards, > > > > Chris > > > > > On Mon, Jul 11, 2011 at 5:52 PM, brighamr > > > > <[email protected]> > > > wrote: > > > > > Chris, > > > > > > I removed all of the astericks from the file (they were appended > > > > > to the end of the individual registry key elements). Did you > > > > > remove anything that wasn't in the registry keys section? > > > > > > For some reason, it still gives me the same error - even after > > > > > removing the astricks. > > > > > > Any chance you would upload your file that passes? I'll try > > > > > testing that instead of guess/checking :-) > > > > > > I sincerely appreciate your help! > > > > > > Glenn > > > > > > On Jul 11, 1:18 pm, Christopher Moraes <[email protected]> wrote: > > > > > > I removed the "*" characters from the file and it now passes > > > > > > verify-agent-control. > > > > > > > On Mon, Jul 11, 2011 at 1:57 PM, Glenn B Roberts < > > > > > [email protected]>wrote: > > > > > > > > Chris, > > > > > > > > Thank you for your response. My file doesn't contain newline > > > > > > > chars > > > and > > > > > it's > > > > > > > still giving me an error. Can you please take a look at the > > > attached? > > > > > > > > Thanks! > > > > > > > Glenn- Hide quoted text - > > > > > > > - Show quoted text - > > > > > agent.conf > > > > 25KViewDownload- Hide quoted text - > > > > > - Show quoted text -- Hide quoted text - > > > - Show quoted text -- Hide quoted text - > > - Show quoted text -
