Try just using "Windows" and "Solaris" for the agent_config name.
<agent_config name="Windows">
<agent_config name="Solaris">
- agent.conf and ossec.conf of each system are combined. What happens
when values are contradicting? -- From my experience you'll see a
duplication error in the log.
Does agent.conf override local configurations? -- Not from what I've
seen, it appends them.
Agent control does work for Windows. It might be a ports issue. Below
is a modified example.
root@ossec-core # ./agent_control -i 105
OSSEC HIDS agent_control. Agent information:
Agent ID: 105
Agent Name: win2k3
IP address: x.x.x.x
Status: Active
Operating system: Microsoft Windows Server 2003 R2 Enterprise
Edition ..
Client version: OSSEC HIDS v2.6 / <md5sum>
Last keep alive: Wed Nov 16 12:57:10 2011
Syscheck last started at: Wed Nov 16 11:39:51 2011
Rootcheck last started at: Tue Nov 15 21:56:49 2011
Steven
-----Original Message-----
From: [email protected] [mailto:[email protected]]
On Behalf Of alsdks
Sent: Thursday, November 10, 2011 7:13 AM
To: ossec-list
Subject: [ossec-list] Agent.Conf: not getting it to work
Hello,
Another starter's question. I am trying to make agent.conf work but
with no luck so far.
I have created the /var/ossec/etc/shared/agent.conf with the following
entries:
<agent_config name="windows7">
<syscheck>
<frequency>72000</frequency>
<directories check_all="yes">c:\test\</directories>
</syscheck>
</agent_config>
<agent_config name="solar1">
<syscheck>
<frequency>72000</frequency>
<directories check_all="yes">/opt/test</directories>
</syscheck>
</agent_config>
The agent.conf does get copied on target machines (a Windows system
and a Solaris one) successfully with no errors. However, ossec.log in
either system is not indicating that it is monitoring the directories
specified in agent.conf. And changes are not caught.
Am I missing something?
Oh and a couple of questions\notes:
- agent_control -R does not seem to do anything against Windows
platforms. In fact nothing of agent_control works against Windows? Is
there a port that needs to be opened on the target system? (Server
side 1514 is open and in general I haven't anything blocking it.) Or
it does not work against Windows, period?
- agent.conf and ossec.conf of each system are combined. What happens
when values are contradicting?
Does agent.conf override local configurations?
Thank you!
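Added example (not from either message and not OSSEC code): a small Python check showing which agent_config blocks of the posted agent.conf select a given agent name, and what the combined syscheck directory list looks like when, as the reply says, shared entries are appended to the local ones. Assumptions: name is compared exactly against the agent's registered name (the "Agent Name" line of agent_control -i), os/profile attributes are not evaluated, and LOCAL_CONF is a constructed sample.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the agent.conf posted in the thread, plus a local
# ossec.conf fragment invented for this example.
AGENT_CONF = r"""
<agent_config name="windows7">
  <syscheck>
    <frequency>72000</frequency>
    <directories check_all="yes">c:\test\</directories>
  </syscheck>
</agent_config>
<agent_config name="solar1">
  <syscheck>
    <frequency>72000</frequency>
    <directories check_all="yes">/opt/test</directories>
  </syscheck>
</agent_config>
"""
LOCAL_CONF = """
<ossec_config>
  <syscheck>
    <frequency>79200</frequency>
    <directories check_all="yes">/etc,/opt/test</directories>
  </syscheck>
</ossec_config>
"""

def syscheck_dirs(node):
    """Collect every path from <syscheck><directories> (comma-separated)."""
    out = []
    for d in node.findall(".//syscheck/directories"):
        out += [p.strip() for p in (d.text or "").split(",") if p.strip()]
    return out

def effective_syscheck(agent_conf, local_conf, agent_name):
    """Return (matched block names, merged directory list, duplicates)."""
    # agent.conf holds several top-level blocks, so wrap it in one root.
    shared = ET.fromstring("<root>" + agent_conf + "</root>")
    blocks = [b for b in shared.findall("agent_config")
              if b.get("name") in (None, agent_name)]  # assumption: exact match
    merged = syscheck_dirs(ET.fromstring(local_conf))
    for b in blocks:
        merged += syscheck_dirs(b)  # appended, not replaced (per the reply)
    dupes = sorted({p for p in merged if merged.count(p) > 1})
    return [b.get("name") for b in blocks], merged, dupes

if __name__ == "__main__":
    for name in ("win2k3", "solar1"):
        print(name, effective_syscheck(AGENT_CONF, LOCAL_CONF, name))
```

An agent registered as win2k3 matches neither block, so only its local directories are monitored; solar1 matches its block and /opt/test shows up twice in the combined list.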