Sorry for asking for the agent.conf. This is a change that was made. Commands can no longer be configured through the agent.conf. https://bitbucket.org/dcid/ossec-hids/changeset/392c217c553b I'm not entirely sure why, but that's the way it is.
On Fri, Jul 29, 2011 at 12:24 PM, BP9906 <[email protected]> wrote:
> <agent_config os="Windows">
>   <syscheck>
>     <!-- <frequency>31557600</frequency> -->
>     <scan_time>01:15</scan_time>
>     <scan_on_start>no</scan_on_start>
>   </syscheck>
>
>   <localfile>
>     <log_format>full_command</log_format>
>     <command>ver | find "5.0" >nul || reg QUERY HKLM\System\CurrentControlSet\Enum\USBSTOR</command>
>   </localfile>
>
>   <localfile>
>     <log_format>full_command</log_format>
>     <command>netstat -an | find "LISTEN" | find /V "127.0.0.1"</command>
>   </localfile>
> </agent_config>
>
> On Jul 29, 9:03 am, "dan (ddp)" <[email protected]> wrote:
>> Can you provide the agent.conf?
>>
>> On Fri, Jul 29, 2011 at 11:32 AM, BP9906 <[email protected]> wrote:
>> > Figured out that 2.6 doesn't like the full_command agent.conf section
>> > and that's a bug. Reverting to 2.5.1 resolves the issue.
>> >
>> > On Jul 28, 9:04 am, BP9906 <[email protected]> wrote:
>> >> Hello,
>> >> I added a few Windows changes to the agent.conf file. After waiting a
>> >> few hours for the agent.conf to get updated, I restarted the agent and
>> >> noticed an odd error in the ossec.log:
>> >>
>> >> 011/07/28 08:44:33 ossec-agent: Received exit signal.
>> >> 2011/07/28 08:44:33 ossec-agent: Exiting...
>> >> 2011/07/28 08:44:33 ossec-agent: Remote commands are not accepted from the manager. Ignoring it on the agent.conf
>> >> 2011/07/28 08:44:33 ossec-agent(1202): ERROR: Configuration error at 'shared/agent.conf'. Exiting.
>> >> 2011/07/28 08:44:33 ossec-execd(1350): INFO: Active response disabled. Exiting.
>> >> 2011/07/28 08:44:33 ossec-agent(1410): INFO: Reading authentication keys file.
>> >>
>> >> Oddly enough, a different machine with 2.5 does not show this and has
>> >> the same md5 agent.conf.
>> >>
>> >> I'm in process of downgrading the 2.6 agent to 2.5 and confirm
>> >> resolution.
>> >>
>> >> Any ideas what's going on here?
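
A pre-deployment check for the situation in this thread, as an added example that is not part of the original messages or of OSSEC itself: it lists every `<localfile>` entry in a shared agent.conf that carries a `<command>`, which is what the 2.6 agent in the log above refuses. The function name and the sample config are constructed for illustration, and the sketch assumes the file parses as well-formed XML.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the agent.conf quoted in the thread.
SAMPLE_AGENT_CONF = r"""
<agent_config os="Windows">
  <syscheck>
    <!-- <frequency>31557600</frequency> -->
    <scan_time>01:15</scan_time>
    <scan_on_start>no</scan_on_start>
  </syscheck>
  <localfile>
    <log_format>full_command</log_format>
    <command>netstat -an | find "LISTEN" | find /V "127.0.0.1"</command>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>C:\logs\app.log</location>
  </localfile>
</agent_config>
"""


def find_remote_commands(agent_conf_text):
    """Return (os_filter, log_format, command) for each <localfile> that has a <command>."""
    # agent.conf may hold several top-level <agent_config> blocks, so wrap them in one root.
    root = ET.fromstring("<root>" + agent_conf_text + "</root>")
    findings = []
    for block in root.iter("agent_config"):
        os_filter = block.get("os", "any")  # "any" is a label used here for a missing filter
        for localfile in block.iter("localfile"):
            command = localfile.findtext("command")
            if command is None:
                continue  # plain log file entry, not a command
            log_format = (localfile.findtext("log_format") or "").strip()
            # Collapse whitespace so a wrapped command prints on one line.
            findings.append((os_filter, log_format, " ".join(command.split())))
    return findings


if __name__ == "__main__":
    for os_filter, log_format, command in find_remote_commands(SAMPLE_AGENT_CONF):
        print(f"[os={os_filter}] {log_format}: {command}")
```

Running it against the manager's shared agent.conf before pushing the file shows which entries would have to move into each agent's local configuration.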
