<agent_config os="Windows">
<syscheck>
<!-- <frequency>31557600</frequency> -->
<scan_time>01:15</scan_time>
<scan_on_start>no</scan_on_start>
</syscheck>
<localfile>
<log_format>full_command</log_format>
<command>ver | find "5.0" >nul || reg QUERY HKLM\System\CurrentControlSet\Enum\USBSTOR</command>
</localfile>
<localfile>
<log_format>full_command</log_format>
<command>netstat -an | find "LISTEN" | find /V "127.0.0.1"</command>
</localfile>
</agent_config>
On Jul 29, 9:03 am, "dan (ddp)" <[email protected]> wrote:
> Can you provide the agent.conf?
>
> On Fri, Jul 29, 2011 at 11:32 AM, BP9906 <[email protected]> wrote:
> > Figured out that 2.6 doesn't like the full_command agent.conf section
> > and that's a bug. Reverting to 2.5.1 resolves the issue.
>
> > On Jul 28, 9:04 am, BP9906 <[email protected]> wrote:
> >> Hello,
> >> I added a few Windows changes to the agent.conf file. After waiting a
> >> few hours for the agent.conf to get updated, I restarted the agent and
> >> noticed an odd error in the ossec.log:
>
> >> 011/07/28 08:44:33 ossec-agent: Received exit signal.
> >> 2011/07/28 08:44:33 ossec-agent: Exiting...
> >> 2011/07/28 08:44:33 ossec-agent: Remote commands are not accepted from
> >> the manager. Ignoring it on the agent.conf
> >> 2011/07/28 08:44:33 ossec-agent(1202): ERROR: Configuration error at
> >> 'shared/agent.conf'. Exiting.
> >> 2011/07/28 08:44:33 ossec-execd(1350): INFO: Active response disabled.
> >> Exiting.
> >> 2011/07/28 08:44:33 ossec-agent(1410): INFO: Reading authentication
> >> keys file.
>
> >> Oddly enough, a different machine with 2.5 does not show this and has
> >> the same md5 agent.conf.
>
> >> I'm in the process of downgrading the 2.6 agent to 2.5 and will confirm
> >> resolution.
>
> >> Any ideas what's going on here?
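
An added example, not part of the original thread and not OSSEC code: a small Python check that lists the `<localfile>` entries in a shared agent.conf that ask agents to run a command, which is the kind of entry the "Remote commands are not accepted from the manager" message refers to. The function name and the sample configuration are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# log_format values that make the agent run a command rather than read a file
COMMAND_FORMATS = {"command", "full_command"}

# Constructed sample modelled on the agent.conf posted in this thread
SAMPLE_AGENT_CONF = r"""
<agent_config os="Windows">
  <syscheck>
    <scan_time>01:15</scan_time>
    <scan_on_start>no</scan_on_start>
  </syscheck>
  <localfile>
    <log_format>full_command</log_format>
    <command>netstat -an | find "LISTEN" | find /V "127.0.0.1"</command>
  </localfile>
  <localfile>
    <log_format>eventlog</log_format>
    <location>Security</location>
  </localfile>
</agent_config>
"""


def find_remote_commands(conf_text):
    """Return (agent_config attributes, log_format, command) for every
    <localfile> in a shared agent.conf that tells the agent to run a command."""
    # agent.conf may hold several <agent_config> blocks, so wrap them in one root
    root = ET.fromstring("<root>" + conf_text + "</root>")
    findings = []
    for block in root.iter("agent_config"):
        for localfile in block.iter("localfile"):
            fmt = (localfile.findtext("log_format") or "").strip()
            cmd = (localfile.findtext("command") or "").strip()
            if fmt in COMMAND_FORMATS:
                findings.append((dict(block.attrib), fmt, cmd))
    return findings


if __name__ == "__main__":
    for scope, fmt, cmd in find_remote_commands(SAMPLE_AGENT_CONF):
        print(f"{scope or 'all agents'}: {fmt}: {cmd}")
```

Running this against the manager's shared agent.conf before pushing it shows which entries every receiving agent would be asked to execute. OSSEC's internal options include `logcollector.remote_commands`, which controls whether an agent accepts command entries from a manager-pushed agent.conf.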