Not sure about the unable to create and unable to rename file errors. I'll have to look to see if I'm seeing those anywhere.
The reason I asked you to create the file in SysWOW64 is that I believe the ossec client is not looking where you think it is for files and for registry entries. A 32-bit application on 64-bit Windows will by default change all C:\WINDOWS\System32 directory paths to C:\WINDOWS\SysWOW64, so essentially you are not doing file integrity on the files in C:\WINDOWS\System32. For more info on 32-bit apps and file paths and registry paths, go here: http://en.wikipedia.org/wiki/WoW64

The WoW64 subsystem also handles other key aspects of running 32-bit applications. It's involved in managing the interaction of 32-bit applications with the Windows components such as the Registry, which has distinct keys for 64-bit and 32-bit applications. For example HKEY_LOCAL_MACHINE\Software\Wow6432Node is the 32-bit equivalent of HKEY_LOCAL_MACHINE\Software (although 32-bit applications are not aware of this redirection). Some Registry keys are mapped from 64-bit to their 32-bit equivalents, while others have their contents mirrored, depending on the edition of Windows.

The operating system uses the %SystemRoot%\system32 directory for its 64-bit library and executable files. This is done for backward compatibility reasons, as many legacy applications are hardcoded to use that path. When executing 32-bit applications, WoW64 transparently redirects 32-bit DLLs to %SystemRoot%\SysWOW64, which contains 32-bit libraries and executables. 32-bit applications are generally not aware that they are running on a 64-bit operating system. 32-bit applications can access %SystemRoot%\System32 through the pseudo directory %SystemRoot%\sysnative.

Jeff

On Feb 17, 5:30 am, alsdks <[email protected]> wrote:
> Hello,
>
> But the telnet.exe exists at the directory C:\WINDOWS/System32/ and
> still we get the error.
> Why create a file under SysWOW64? Ossec.conf doesn't specify this path
> anyway and in addition Windows 2003 default security protects these
> executables. You cannot change them, like renaming them or placing a
> file with the same name at the same directory etc.
>
> For the above reason (Windows default security) I am more interested
> in the other two errors.
>
> 2012/01/19 15:02:43 ossec-agent(1107): ERROR: Unable to create
> directory: '/var/ossec/queue/diff/local/:\WINDOWS'
>
> 2012/01/19 15:02:43 ossec-agent(1124): ERROR: Unable to rename file:
> 'C:\WINDOWS/System32/drivers/etc/hosts'.
>
> Not that the telnet errors and the like are of no interest too. There
> should not be such errors since the files exist at the specified
> path.
>
> Thank you.
>
> On Feb 7, 6:53 pm, sunny <[email protected]> wrote:
> > Assuming this is a 64 bit version of Windows....
> >
> > Can you create the following file:
> >
> > C:\WINDOWS\SysWOW64\telnet.exe
> >
> > It can just be empty.... and restart ossec and see if the message
> > goes away?
> >
> > Jeff
> >
> > On Feb 3, 8:04 am, alsdks <[email protected]> wrote:
> > > Hello list,
> > >
> > > Windows Ossec agent, default ossec.conf configuration, spits out a
> > > lot of errors. I believe others have noticed it as well but I could
> > > not find a relative post. I was wondering if someone knew what they
> > > mean and how they can be resolved.
> > >
> > > For example:
> > >
> > > ossec-agent: WARN: Error opening directory: 'C:\WINDOWS/System32/
> > > telnet.exe': No such file or directory
> > >
> > > This error pops up every time the syscheck is run, though the file
> > > exists and is there. Also Windows is agnostic of the direction of the
> > > slashes, so there must not be a problem there. If you put the above
> > > bun in Windows run or in a cmd prompt and hit enter, you are
> > > presented with a telnet prompt.
> > >
> > > Another group of mysterious errors that I do not know what effect they
> > > have on the monitoring ability of OSSEC are the following:
> > >
> > > 2012/01/19 15:02:43 ossec-agent(1107): ERROR: Unable to create
> > > directory: '/var/ossec/queue/diff/local/:\WINDOWS'
> > >
> > > 2012/01/19 15:02:43 ossec-agent(1124): ERROR: Unable to rename file:
> > > 'C:\WINDOWS/System32/drivers/etc/hosts'.
> > >
> > > What do they mean? The first error (1107) refers to Ossec server
> > > path?
> > >
> > > Anyone else noticed this behavior?
> > >
> > > I am trying to troubleshoot Ossec's Windows monitoring unstable
> > > behavior and am wondering if the above errors are responsible.
> > >
> > > Thank you
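An added example, not code from the thread or from OSSEC, that models the WoW64 file-system redirection Jeff describes so a defender can see which syscheck entries a 32-bit agent on 64-bit Windows would silently resolve under SysWOW64 instead of System32. The %SystemRoot% value and the sample path list are assumptions; the exempt-subdirectory list follows Microsoft's File System Redirector documentation, and the code is pure path logic so it runs on any platform.

```python
import re
from typing import List, Tuple

# Pure path logic modelled on Microsoft's File System Redirector rules, so it
# runs anywhere; it makes no Windows API calls. %SystemRoot% is an assumption.
SYSTEM_ROOT = r"C:\WINDOWS"
# System32 subdirectories Microsoft documents as exempt from redirection
EXEMPT = ("catroot", "catroot2", "driverstore", "drivers\\etc", "logfiles", "spool")

def normalize(path: str) -> str:
    """Collapse the mixed '/' and '\\' separators seen in the OSSEC messages."""
    return re.sub(r"[\\/]+", r"\\", path.strip())

def effective_path(path: str, process_is_32bit: bool, os_is_64bit: bool = True) -> str:
    """Path the process really opens: System32 becomes SysWOW64 for a 32-bit
    process on 64-bit Windows unless the target is in an exempt subdirectory;
    the 'sysnative' alias maps back to the real System32 for such processes."""
    p = normalize(path)
    sys32 = normalize(SYSTEM_ROOT + r"\System32")
    sysnative = normalize(SYSTEM_ROOT + r"\sysnative")
    wow64 = process_is_32bit and os_is_64bit
    if wow64 and p.lower().startswith(sysnative.lower() + "\\"):
        return sys32 + p[len(sysnative):]
    if not wow64 or not p.lower().startswith(sys32.lower() + "\\"):
        return p
    rest = p[len(sys32) + 1:]
    if any(rest.lower() == e or rest.lower().startswith(e + "\\") for e in EXEMPT):
        return p
    return normalize(SYSTEM_ROOT + "\\SysWOW64\\" + rest)

def redirected_entries(syscheck_paths: List[str], process_is_32bit: bool = True) -> List[Tuple[str, str]]:
    """(configured, actually checked) pairs for entries that WoW64 silently moves."""
    out = []
    for cfg in syscheck_paths:
        eff = effective_path(cfg, process_is_32bit)
        if eff.lower() != normalize(cfg).lower():
            out.append((normalize(cfg), eff))
    return out

if __name__ == "__main__":
    # Constructed sample, written the way the OSSEC agent logged them
    sample = [r"C:\WINDOWS/System32/telnet.exe", r"C:\WINDOWS/System32/drivers/etc/hosts"]
    for cfg, eff in redirected_entries(sample):
        print(f"{cfg} is actually checked as {eff}")
```

Note that drivers\etc\hosts is reported as unchanged: that subdirectory is exempt from redirection, which is why only the telnet.exe entry is flagged.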
