Hi Dan

Amazing, I feel like an idiot. My colleague and I both didn't see that 
one. Problem solved. We removed the report_changes="yes" part, since this 
is not working under Windows, but missed the last double quote.

Thank you!

On Wednesday, 11 July 2012 17:31:49 UTC+2, dan (ddpbsd) wrote:
>
> On Wed, Jul 11, 2012 at 11:18 AM, OK <[email protected]> wrote: 
> > Hello OSSEC Gurus 
> > 
> > I now have some experience with OSSEC and Linux systems. My environment 
> > covers more than that and so I'm expanding my OSSEC installations to the 
> > next OS. I know there are several differences for using OSSEC on Linux and 
> > on Windows. The error and the strange behavior I am seeing are not clearly 
> > answered here in the forum and could also be a serious bug. 
> > 
> > 
> > I will start with my configuration on the agent. (Only pasted are the 
> > necessary parts of the config) 
> > 
> > <directories check_all="yes" " realtime="yes">C:\ossecTEST</directories> 
> > 
>
> Try removing the extra double quote. 
>
> > I have created a text file for testing called TESTFILE.txt, which was empty 
> > for the beginning. After the syscheck run, I see the following in the 
> > ossec.log on the Windows agent. 
> > 
> > 2012/07/11 16:52:00 ossec-agent: INFO: Starting syscheck scan. 
> > 2012/07/11 16:52:00 ossec-agent: DEBUG: Starting os_winreg_check 
> > 2012/07/11 16:52:16 ossec-agent(1107): ERROR: Unable to create directory: '/var/ossec/queue/diff/local/:\ossecTEST' 
> > 2012/07/11 16:52:16 ossec-agent(1124): ERROR: Unable to rename file: 'C:\ossecTEST/TESTFILE.txt'. 
> > 2012/07/11 16:52:36 ossec-agent: INFO: Ending syscheck scan. 
> > 
> > 
> > Now to the strange behavior. If I now want to delete the TESTFILE.txt I get 
> > a "File In Use" notification alert from Windows which tells me that "The 
> > action can't be completed because the file is open in OSSEC Hids". I receive 
> > the error above and the same notification alert for a second test file. 
> > This means, if I have OSSEC monitoring a directory in realtime, all the 
> > files can't be deleted anymore. Does anyone have an idea if I am doing 
> > something wrong or if this is a bug? I think this might have something to do 
> > with the error message I see in the mail. But maybe this is also something 
> > different, any idea about that? 
> > 
> > Thank you for your support. 
> > Oliver 
> > 
>
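
A pre-deployment check for the kind of typo resolved in this thread, as an added example that is not part of the original messages and not OSSEC code: it runs the syscheck configuration through Python's strict XML parser to report the stray quote with its line number, and flags `report_changes="yes"` on Windows paths, which the thread reports as not working. The function name `lint_syscheck` and the sample configurations are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples: the <directories> line from the thread inside a
# minimal config, plus two edited variants of it.
BAD = r'''<ossec_config>
  <syscheck>
    <directories check_all="yes" " realtime="yes">C:\ossecTEST</directories>
  </syscheck>
</ossec_config>'''
FIXED = BAD.replace('" " ', '" ')
WITH_DIFF = FIXED.replace('realtime="yes"',
                          'report_changes="yes" realtime="yes"')

# Drive-letter paths such as C:\ossecTEST or C:/ossecTEST.
WINDOWS_PATH = re.compile(r'^[A-Za-z]:[\\/]')


def lint_syscheck(conf_text):
    """Return a list of (kind, line_or_None, detail) findings."""
    # Wrap in a single root so a file holding several <ossec_config>
    # blocks still parses as one document.
    try:
        root = ET.fromstring("<root>\n" + conf_text + "\n</root>")
    except ET.ParseError as err:
        line, col = err.position
        # Subtract the wrapper line to get the line in the original text.
        return [("malformed", line - 1,
                 f"not well-formed XML at column {col}")]

    findings = []
    for entry in root.iter("directories"):
        # One <directories> element may list several comma-separated paths.
        for path in (entry.text or "").split(","):
            path = path.strip()
            if (path and WINDOWS_PATH.match(path)
                    and entry.get("report_changes") == "yes"):
                # Per the thread: report_changes does not work on Windows.
                findings.append(("report_changes_on_windows", None, path))
    return findings


if __name__ == "__main__":
    for name, text in (("bad", BAD), ("fixed", FIXED),
                       ("with_diff", WITH_DIFF)):
        print(name, lint_syscheck(text))
```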
