Dan,

It's interesting that two others were able to use the agent.conf file I wrote without issues... however I did comment out the "D:\" line and it now passes verify-agent-conf... ?!

Thanks!

So, are we to assume that OSSEC can not monitor entire drives?

-Glenn

On Jul 13, 6:00 am, "dan (ddp)" <[email protected]> wrote:
> Did you try what I suggested? I'd be interested to know if it works.
>
> On Wed, Jul 13, 2011 at 4:35 AM, brighamr <[email protected]> wrote:
> > Hello Andy,
> >
> > I did exactly as you described and still received the same error
> > "Error reading XML file '/var/ossec/etc/shared/agent.conf' : XML ERR:
> > element not closed: directories (line 275).
> >
> > My file size was 19299 for the new file which indicates all of the new
> > line chars and asterisks have been removed. The permissions are as
> > they should be.
> >
> > I'm stumped! Is there any way my verify-agent-conf script could have
> > gotten corrupted? What other troubleshooting steps can I perform?
> >
> > Thanks!
> >
> > On Jul 12, 7:49 pm, "Andy Cockroft (andic)" <[email protected]>
> > wrote:
> >> Hi Glenn
> >>
> >> The file attached earlier works fine for me as well, so I would begin to
> >> look for "white noise" characters - unprintable but may upset your verify
> >>
> >> By way of explanation, what I did was download the file you uploaded on
> >> 12th at 5:58am (your time) via Microsoft Outlook
> >>
> >> I opened the file in notepad (which implies that you actually do have
> >> line-feed characters in that version of the file - but no worries)
> >>
> >> What I did then is select all and copy to clipboard - then in a Console (I
> >> use Putty), I created a new agent.conf using nano - and pasted all the
> >> data into it. Saved and exited
> >>
> >> Then ran ./verify-agent-conf successfully
> >>
> >> Works for me on almost brand-new release from dcid-ossec-hids-d465e7d19b05
> >>
> >> Andy
> >>
> >> -----Original Message-----
> >> From: [email protected] [mailto:[email protected]] On
> >> Behalf Of brighamr
> >> Sent: Wednesday, 13 July 2011 10:33 a.m.
> >> To: ossec-list
> >> Subject: [ossec-list] Re: file attached - agent.conf
> >>
> >> v 2.5.1.
> >> everything else has worked flawlessly except this file won't pass
> >> verify-agent-conf, and due to this it won't work correctly on the agents.
> >> I'm at a loss, but absolutely appreciate everyone's help!
> >>
> >> On Jul 12, 12:49 pm, Christopher Moraes <[email protected]> wrote:
> >> > Glenn, which version of OSSEC are you using?
> >> >
> >> > On Tue, Jul 12, 2011 at 12:24 PM, brighamr <[email protected]>
> >> > wrote:
> >> > > Chris,
> >> > >
> >> > > Thank you. I copied this file onto the server and attempted to
> >> > > verify. I am still getting an element not closed error. Is there
> >> > > anything that would make verify-agent-conf not work correctly?
> >> > >
> >> > > -Glenn
> >> > >
> >> > > On Jul 12, 7:02 am, Christopher Moraes <[email protected]> wrote:
> >> > > > Hi Glen,
> >> > > >
> >> > > > I've attached the modified agent.conf.
> >> > > >
> >> > > > Regards,
> >> > > > Chris
> >> > > >
> >> > > > On Mon, Jul 11, 2011 at 5:52 PM, brighamr
> >> > > > <[email protected]> wrote:
> >> > > > > Chris,
> >> > > > >
> >> > > > > I removed all of the asterisks from the file (they were appended
> >> > > > > to the end of the individual registry key elements). Did you
> >> > > > > remove anything that wasn't in the registry keys section?
> >> > > > >
> >> > > > > For some reason, it still gives me the same error - even after
> >> > > > > removing the asterisks.
> >> > > > >
> >> > > > > Any chance you would upload your file that passes? I'll try
> >> > > > > testing that instead of guess/checking :-)
> >> > > > >
> >> > > > > I sincerely appreciate your help!
> >> > > > >
> >> > > > > Glenn
> >> > > > >
> >> > > > > On Jul 11, 1:18 pm, Christopher Moraes <[email protected]>
> >> > > > > wrote:
> >> > > > > > I removed the "*" characters from the file and it now passes
> >> > > > > > verify-agent-control.
> >> > > > > >
> >> > > > > > On Mon, Jul 11, 2011 at 1:57 PM, Glenn B Roberts
> >> > > > > > <[email protected]> wrote:
> >> > > > > > > Chris,
> >> > > > > > >
> >> > > > > > > Thank you for your response. My file doesn't contain newline
> >> > > > > > > chars and it's still giving me an error. Can you please take
> >> > > > > > > a look at the attached?
> >> > > > > > >
> >> > > > > > > Thanks!
> >> > > > > > > Glenn
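
An added example, not code from the thread or from the OSSEC project: a Python check for the things the posters removed or suspected in agent.conf (unprintable characters, Windows line endings, an asterisk at the end of an element value, and a `<directories>` value ending in a backslash like the "D:\" line). The function name `lint_agent_conf` and the sample config are constructed for illustration; the script only points at lines to inspect and does not reproduce how verify-agent-conf parses the file.

```python
import re
import unicodedata

# Text directly before a closing tag, e.g. the D:\ in D:\</directories>
CLOSE_TAG = re.compile(r"([^<>]*)</([A-Za-z_]+)>")

def lint_agent_conf(data):
    """Return (line_no, kind, detail) findings for agent.conf given as bytes."""
    findings = []
    for no, raw in enumerate(data.split(b"\n"), start=1):
        if raw.endswith(b"\r"):
            findings.append((no, "crlf", "Windows line ending"))
            raw = raw[:-1]
        text = raw.decode("utf-8", errors="replace")
        for col, ch in enumerate(text, start=1):
            # Cc = control, Cf = invisible format chars, U+FFFD = undecodable byte
            odd = unicodedata.category(ch) in ("Cc", "Cf") or ch in "\ufffd\u00a0"
            if ch != "\t" and odd:
                findings.append((no, "unprintable", f"U+{ord(ch):04X} at column {col}"))
        for value, tag in CLOSE_TAG.findall(text):
            value = value.rstrip()
            if value.endswith("*"):
                findings.append((no, "trailing-asterisk", f"<{tag}> value ends with '*'"))
            # The pattern the poster commented out: a bare drive root such as D:\
            if tag == "directories" and value.endswith("\\"):
                findings.append((no, "trailing-backslash", f"value {value!r}"))
    return findings

# Constructed sample, not the agent.conf attached to the thread.
SAMPLE = (
    b'<agent_config os="Windows">\r\n'
    b'  <syscheck>\n'
    b'    <directories check_all="yes">C:\\Windows\\System32</directories>\n'
    b'    <directories check_all="yes">D:\\</directories>\n'
    b'    <windows_registry>HKEY_LOCAL_MACHINE\\Software\\Classes\\batfile*</windows_registry>\n'
    b'    <ignore>C:\\Temp\xe2\x80\x8b</ignore>\n'  # zero-width space after Temp
    b'  </syscheck>\n'
    b'</agent_config>\n'
)

if __name__ == "__main__":
    for line_no, kind, detail in lint_agent_conf(SAMPLE):
        print(f"line {line_no}: {kind}: {detail}")
```

Reading the file as bytes (`open(path, "rb").read()`) matters here, because a text-mode read would hide the carriage returns and could fail on the stray bytes the check is meant to surface.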
