On Wed, Jul 11, 2012 at 11:18 AM, OK <[email protected]> wrote:
> Hello OSSEC Gurus
>
> I now have several experiences in OSSEC and Linux systems. My environment
> covers more than that and so I'm expanding my OSSEC installations to the
> next OS. I know there are several differences for using OSSEC on Linux and
> on Windows. The error and the strange behavior I am seeing are not clearly
> answered here in the forum and could also be a serious bug.
>
>
> I will start with my configuration on the agent. (Only pasted are the
> necessary parts of the config)
>
> <directories check_all="yes" " realtime="yes">C:\ossecTEST</directories>
>
Try removing the extra double quote.

> I have created a text file for testing called TESTFILE.txt, which was empty
> at the beginning. After the syscheck run, I see the following in the
> ossec.log on the Windows agent.
>
> 2012/07/11 16:52:00 ossec-agent: INFO: Starting syscheck scan.
> 2012/07/11 16:52:00 ossec-agent: DEBUG: Starting os_winreg_check
> 2012/07/11 16:52:16 ossec-agent(1107): ERROR: Unable to create directory:
> '/var/ossec/queue/diff/local/:\ossecTEST'
> 2012/07/11 16:52:16 ossec-agent(1124): ERROR: Unable to rename file:
> 'C:\ossecTEST/TESTFILE.txt'.
> 2012/07/11 16:52:36 ossec-agent: INFO: Ending syscheck scan.
>
>
> Now to the strange behavior. If I now want to delete the TESTFILE.txt I get
> a "File In Use" notification alert from Windows which tells me that "The
> action can't be completed because the file is open in OSSEC Hids". I receive
> the error above and the same notification alert for a second test file.
> This means, if I have OSSEC monitoring a directory in realtime, all the
> files can't be deleted anymore. Does anyone have an idea if I do something
> wrong or if this is a bug? I think this might have something to do with the
> error message I see in the mail. But maybe this is also something different,
> any idea about that?
>
> Thank you for your support.
> Oliver
>
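An added pre-deployment check, not part of this thread or of OSSEC itself (Python assumed available on the admin host): it scans ossec.conf for `<directories>` elements, flags attribute text that is not a clean run of name="value" pairs, confirms each element is well-formed XML, and checks that every path is absolute. The two sample lines are the agent line quoted above and the corrected form the reply suggests; the agent in the thread evidently accepted the broken line and then logged a path with the drive letter missing, which is why catching it before deployment is worthwhile.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples: the agent line quoted in the thread (stray quote after
# check_all="yes") and the corrected line the reply suggests.
BROKEN = '<directories check_all="yes" " realtime="yes">C:\\ossecTEST</directories>'
FIXED = '<directories check_all="yes" realtime="yes">C:\\ossecTEST</directories>'

ELEM_RE = re.compile(r'<directories\b([^>]*)>(.*?)</directories>', re.S)
ATTR_RE = re.compile(r'\s*([A-Za-z_][\w-]*)="([^"]*)"')
WIN_ABS_RE = re.compile(r'^[A-Za-z]:\\')


def is_well_formed(element_text):
    """True if a strict XML parser accepts the element as written."""
    try:
        ET.fromstring(element_text)
        return True
    except ET.ParseError:
        return False


def lint_directories(conf_text):
    """Return (problem, offending text) pairs for every <directories> element
    in conf_text.  Checks: the attribute list is a clean run of name="value"
    pairs, the element is well-formed XML, and each comma-separated path is
    absolute (Windows drive form or POSIX).  An empty list means no findings."""
    findings = []
    for m in ELEM_RE.finditer(conf_text):
        attrs, body = m.group(1), m.group(2)
        pos = 0
        while pos < len(attrs.rstrip()):
            a = ATTR_RE.match(attrs, pos)
            if a is None:
                # Whatever is left could not be read as name="value": in the
                # thread's line this is the stray '" realtime="yes"' tail.
                findings.append(("malformed attribute text", attrs[pos:].strip()))
                break
            pos = a.end()
        if not is_well_formed(m.group(0)):
            findings.append(("not well-formed XML", m.group(0)))
        for path in body.split(","):
            path = path.strip()
            if not (WIN_ABS_RE.match(path) or path.startswith("/")):
                findings.append(("path is not absolute", path))
    return findings


if __name__ == "__main__":
    for label, line in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, lint_directories(line))
```

Run it against the whole agent ossec.conf (read the file into `conf_text`) rather than single lines to lint every monitored directory at once.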
