Hi Dan

Amazing, I feel like an idiot. My colleague and I both didn't see that one. Problem solved. We removed the report_changes="yes" part, since this is not working under Windows, but missed the last double quote.

Thank you!

On Wednesday, July 11, 2012 17:31:49 UTC+2, dan (ddpbsd) wrote:
>
> On Wed, Jul 11, 2012 at 11:18 AM, OK <[email protected]> wrote:
> > Hello OSSEC Gurus
> >
> > I now have several experiences in OSSEC and Linux systems. My environment
> > covers more than that and so I'm expanding my OSSEC installations to the
> > next OS. I know there are several differences for using OSSEC on Linux and
> > on Windows. The error and the strange behavior I am seeing are not clearly
> > answered here in the forum and could also be a serious bug.
> >
> >
> > I will start with my configuration on the agent. (Only the necessary
> > parts of the config are pasted.)
> >
> > <directories check_all="yes" " realtime="yes">C:\ossecTEST</directories>
> >
>
> Try removing the extra double quote.
>
> > I have created a text file for testing called TESTFILE.txt, which was empty
> > for the beginning. After the syscheck run, I see the following in the
> > ossec.log on the Windows agent.
> >
> > 2012/07/11 16:52:00 ossec-agent: INFO: Starting syscheck scan.
> > 2012/07/11 16:52:00 ossec-agent: DEBUG: Starting os_winreg_check
> > 2012/07/11 16:52:16 ossec-agent(1107): ERROR: Unable to create directory: '/var/ossec/queue/diff/local/:\ossecTEST'
> > 2012/07/11 16:52:16 ossec-agent(1124): ERROR: Unable to rename file: 'C:\ossecTEST/TESTFILE.txt'.
> > 2012/07/11 16:52:36 ossec-agent: INFO: Ending syscheck scan.
> >
> >
> > Now to the strange behavior. If I now want to delete the TESTFILE.txt I get
> > a "File In Use" notification alert from Windows which tells me that "The
> > action can't be completed because the file is open in OSSEC Hids". I receive
> > the error above and the same notification alert for a second test file.
> > This means, if I have OSSEC monitoring a directory in realtime, all the
> > files can't be deleted anymore. Does anyone have an idea if I am doing something
> > wrong or if this is a bug? I think this might have something to do with the
> > error message I see in the mail. But maybe this is also something different,
> > any idea about that?
> >
> > Thank you for your support.
> > Oliver
> >
>
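
Added example (not part of the original thread, and not OSSEC project code): a small Python check that can be run over an agent config before deployment to flag malformed attribute text in `<directories>` tags, such as the stray double quote found above. The function name, the attribute grammar it accepts and the sample config are assumptions constructed for illustration; OSSEC's own parser may behave differently.

```python
import re

# Opening <directories ...> tag; captures the raw attribute text.
OPEN_TAG = re.compile(r"<directories\b([^>]*)>", re.IGNORECASE)
# One well-formed attribute of the form name="value".
ATTR = re.compile(r'\s*([A-Za-z_][\w-]*)\s*=\s*"([^"]*)"')

def check_directories_tags(config_text):
    """Return (line_number, problem) tuples for malformed <directories> tags."""
    problems = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        for tag in OPEN_TAG.finditer(line):
            raw = tag.group(1)
            pos, seen = 0, set()
            while pos < len(raw):
                m = ATTR.match(raw, pos)
                if m is None:
                    # Whatever is left is not name="value": a stray quote,
                    # a bare word, or an unterminated value.
                    leftover = raw[pos:].strip()
                    if leftover:
                        problems.append(
                            (lineno, f"unparseable attribute text: {leftover!r}"))
                    break
                name = m.group(1).lower()
                if name in seen:
                    problems.append((lineno, f"duplicate attribute: {name}"))
                seen.add(name)
                pos = m.end()
    return problems

# Constructed sample: line 2 is the entry from the thread, line 3 is the same
# entry with the extra double quote removed.
SAMPLE = r'''<syscheck>
  <directories check_all="yes" " realtime="yes">C:\ossecTEST</directories>
  <directories check_all="yes" realtime="yes">C:\ossecTEST</directories>
</syscheck>'''

if __name__ == "__main__":
    for lineno, problem in check_directories_tags(SAMPLE):
        print(f"line {lineno}: {problem}")
```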
