Hello OSSEC gurus, I now have some experience with OSSEC on Linux systems. My environment covers more than that, so I am expanding my OSSEC installations to the next OS. I know there are several differences between using OSSEC on Linux and on Windows. The error and the strange behavior I am seeing are not clearly answered here in the forum and could also be a serious bug.

I will start with my configuration on the agent (only the necessary parts of the config are pasted):

    <directories check_all="yes" " realtime="yes">C:\ossecTEST</directories>

I have created a text file for testing called TESTFILE.txt, which was empty at the beginning. After the syscheck run, I see the following in the ossec.log on the Windows agent:

    2012/07/11 16:52:00 ossec-agent: INFO: Starting syscheck scan.
    2012/07/11 16:52:00 ossec-agent: DEBUG: Starting os_winreg_check
    2012/07/11 16:52:16 ossec-agent(1107): ERROR: Unable to create directory: '/var/ossec/queue/diff/local/:\ossecTEST'
    2012/07/11 16:52:16 ossec-agent(1124): ERROR: Unable to rename file: 'C:\ossecTEST/TESTFILE.txt'.
    2012/07/11 16:52:36 ossec-agent: INFO: Ending syscheck scan.

Now to the strange behavior. If I now want to delete TESTFILE.txt, I get a "File In Use" notification from Windows which tells me that "The action can't be completed because the file is open in OSSEC Hids". I receive the error above and the same notification for a second test file. This means that if I have OSSEC monitoring a directory in realtime, none of the files can be deleted anymore. Does anyone have an idea whether I am doing something wrong or whether this is a bug? I think this might have something to do with the error message I see in the mail. But maybe this is also something different; any idea about that? Thank you for your support. Oliver
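The log excerpt above is the kind of thing worth pulling apart mechanically when triaging a syscheck problem: the two ERROR lines carry OSSEC error codes (1107, 1124) and a quoted path each, and the first path shows that the Windows drive letter was dropped before the directory name was joined onto the Unix-style diff queue path. The following is an added example, not code from the post or from the OSSEC project, that parses lines in the format shown and surfaces exactly those facts. It assumes only the line layout visible above (timestamp, daemon name with optional numeric code in parentheses, level, message); the sample log is the post's own excerpt embedded as a constructed string.

```python
import re
from collections import Counter

# Constructed sample input: the ossec.log excerpt quoted in the post.
SAMPLE_LOG = """\
2012/07/11 16:52:00 ossec-agent: INFO: Starting syscheck scan.
2012/07/11 16:52:00 ossec-agent: DEBUG: Starting os_winreg_check
2012/07/11 16:52:16 ossec-agent(1107): ERROR: Unable to create directory: '/var/ossec/queue/diff/local/:\\ossecTEST'
2012/07/11 16:52:16 ossec-agent(1124): ERROR: Unable to rename file: 'C:\\ossecTEST/TESTFILE.txt'.
2012/07/11 16:52:36 ossec-agent: INFO: Ending syscheck scan.
"""

# Layout assumed from the excerpt:
#   YYYY/MM/DD HH:MM:SS daemon[(code)]: LEVEL: message
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<daemon>[\w-]+)(?:\((?P<code>\d+)\))?: "
    r"(?P<level>[A-Z]+): (?P<msg>.*)$"
)


def parse_ossec_log(text):
    """Return one dict per recognised log line; unrecognised lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def syscheck_errors(entries):
    """Only the ERROR-level entries, in log order."""
    return [e for e in entries if e["level"] == "ERROR"]


def error_code_counts(entries):
    """How often each OSSEC error code (the number in parentheses) occurred."""
    return Counter(e["code"] for e in syscheck_errors(entries))


def quoted_paths(entries):
    """The single-quoted path from each ERROR message, or None if there is none."""
    paths = []
    for e in syscheck_errors(entries):
        m = re.search(r"'([^']*)'", e["msg"])
        paths.append(m.group(1) if m else None)
    return paths


def looks_like_stripped_drive(path):
    """Heuristic for the symptom in the post: the last path component begins
    with ':' which is what remains of 'C:\\...' once the drive letter is lost
    and the rest is appended to a Unix-style directory."""
    tail = path.rsplit("/", 1)[-1]
    return tail.startswith(":")


if __name__ == "__main__":
    found = parse_ossec_log(SAMPLE_LOG)
    print("error codes:", dict(error_code_counts(found)))
    for p in quoted_paths(found):
        flag = " <- drive letter missing" if looks_like_stripped_drive(p) else ""
        print(p + flag)
```

Running it over the excerpt lists the two error codes once each and flags the queue path as having lost its drive letter, while the second path (the file the agent could not rename) is reported unchanged; that is the pair of facts a maintainer would want quoted in a bug report.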
