Maybe creating a link will work.  I mean create a link (using mklink or
linkd) as
c:\entireDdrive  --linked to-->  D:\

and try to monitor c:\entireDdrive.

I haven't tried this, so I'm not sure it'll work.

On Wed, Jul 13, 2011 at 3:01 PM, brighamr <[email protected]> wrote:

> Dan,
>
> I tried D:\\, D:\, and both fail. If I do specific directories
> D:\exampledir it passes. For now, I've got agent.conf working again and
> have requested a specific list of directories from my client, I
> sincerely appreciate your help and support.
>
> If someone finds a way to monitor an entire drive in version 2.5.1,
> that would be awesome. But for now at least I have a work-around.
>
> Thanks again!
>
> On Jul 13, 12:14 pm, "dan (ddp)" <[email protected]> wrote:
> > I wouldn't assume anything. I'd try a few things to make it work. Like
> > my suggestion. Or "D:\\." if "D:\." didn't produce the results I
> > wanted.
> >
> >
> >
> > On Wed, Jul 13, 2011 at 2:06 PM, brighamr <[email protected]> wrote:
> > > Dan,
> >
> > > It's interesting that two others were able to use the agent.conf file
> > > I wrote without issues... however I did comment out the "D:\" line and
> > > it now passes verify-agent-conf... ?!  Thanks!
> >
> > > So, are we to assume that OSSEC can not monitor entire drives?
> >
> > > -Glenn
> >
> > > On Jul 13, 6:00 am, "dan (ddp)" <[email protected]> wrote:
> > >> Did you try what I suggested? I'd be interested to know if it works.
> >
> > >> On Wed, Jul 13, 2011 at 4:35 AM, brighamr <[email protected]> wrote:
> > >> > Hello Andy,
> >
> > >> > I did exactly as you described and still received the same error
> > >> > "Error reading XML file '/var/ossec/etc/shared/agent.conf' : XML ERR:
> > >> > element not closed: directories (line 275).
> >
> > >> > My file size was 19299 for the new file which indicates all of the new
> > >> > line chars and asterisks have been removed. The permissions are as
> > >> > they should be.
> >
> > >> > I'm stumped! Is there any way my verify-agent-conf script could have
> > >> > gotten corrupted? What other troubleshooting steps can I perform?
> >
> > >> > Thanks!
> >
> > >> > On Jul 12, 7:49 pm, "Andy Cockroft (andic)" <[email protected]> wrote:
> > >> >> Hi Glenn
> >
> > >> >> The file attached earlier works fine for me as well, so I would begin to look for "white noise" characters - unprintable but may upset your verify
> >
> > >> >> By way of explanation, what I did was download the file you uploaded on 12th at 5:58am (your time) via Microsoft Outlook
> >
> > >> >> I opened the file in notepad (which implies that you actually do have line-feed characters in that version of the file - but no worries)
> >
> > >> >> What I did then is select all and copy to clipboard - then in a Console (I use Putty), I created a new agent.conf using nano - and pasted all the data into it. Saved and exited
> >
> > >> >> Then ran ./verify-agent-conf successfully
> >
> > >> >> Works for me on almost brand-new release from dcid-ossec-hids-d465e7d19b05
> >
> > >> >> Andy
> >
> > >> >> -----Original Message-----
> > >> >> From: [email protected] [mailto:[email protected]] On Behalf Of brighamr
> > >> >> Sent: Wednesday, 13 July 2011 10:33 a.m.
> > >> >> To: ossec-list
> > >> >> Subject: [ossec-list] Re: file attached - agent.conf
> >
> > >> >> v 2.5.1. everything else has worked flawlessly except this file won't pass verify-agent-conf, and due to this it won't work correctly on the agents. I'm at a loss, but absolutely appreciate everyone's help!
> >
> > >> >> On Jul 12, 12:49 pm, Christopher Moraes <[email protected]> wrote:
> > >> >> > Glenn, which version of OSSEC are you using?
> >
> > >> >> > On Tue, Jul 12, 2011 at 12:24 PM, brighamr <[email protected]> wrote:
> > >> >> > > Chris,
> >
> > >> >> > > Thank you. I copied this file onto the server and attempted to
> > >> >> > > verify. I am still getting an element not closed error. Is there
> > >> >> > > anything that would make verify-agent-conf not work correctly?
> >
> > >> >> > > -Glenn
> >
> > >> >> > > On Jul 12, 7:02 am, Christopher Moraes <[email protected]> wrote:
> > >> >> > > > Hi Glen,
> >
> > >> >> > > > I've attached the modified agent.conf.
> >
> > >> >> > > > Regards,
> > >> >> > > > Chris
> >
> > >> >> > > > On Mon, Jul 11, 2011 at 5:52 PM, brighamr <[email protected]> wrote:
> > >> >> > > > > Chris,
> >
> > >> >> > > > > I removed all of the asterisks from the file (they were appended
> > >> >> > > > > to the end of the individual registry key elements). Did you
> > >> >> > > > > remove anything that wasn't in the registry keys section?
> >
> > >> >> > > > > For some reason, it still gives me the same error - even after
> > >> >> > > > > removing the asterisks.
> >
> > >> >> > > > > Any chance you would upload your file that passes? I'll try
> > >> >> > > > > testing that instead of guess/checking :-)
> >
> > >> >> > > > > I sincerely appreciate your help!
> >
> > >> >> > > > > Glenn
> >
> > >> >> > > > > On Jul 11, 1:18 pm, Christopher Moraes <[email protected]> wrote:
> > >> >> > > > > > I removed the "*" characters from the file and it now passes
> > >> >> > > > > > verify-agent-control.
> >
> > >> >> > > > > > On Mon, Jul 11, 2011 at 1:57 PM, Glenn B Roberts <[email protected]> wrote:
> >
> > >> >> > > > > > >   Chris,
> >
> > >> >> > > > > > > Thank you for your response. My file doesn't contain newline
> > >> >> > > > > > > chars and it's still giving me an error. Can you please take a
> > >> >> > > > > > > look at the attached?
> >
> > >> >> > > > > > > Thanks!
> > >> >> > > > > > > Glenn