<!-- OSSEC Win32 Agent Configuration.
- This file is composed of 3 main sections:
- - Client config - Settings to connect to the OSSEC server.
- - Localfile - Files/Event logs to monitor.
- - syscheck - System file/Registry entries to monitor.
-->
<!-- READ ME FIRST. If you are configuring OSSEC for the first time,
- try to use the "Manage_Agent" tool. Go to control panel->OSSEC Agent
- to execute it.
-
- First, add a server-ip entry with the real IP of your server.
- Second, and optionally, change the settings of the files you want
- to monitor. Look at our Manual and FAQ for more information.
- Third, start the Agent and enjoy.
-
- Example of server-ip:
- <client> <server-ip>1.2.3.4</server-ip> </client>
-->
<ossec_config>
<!-- One entry for each file/Event log to monitor.
- NOTE(review): the entire localfile block below is commented out, so this
- agent forwards no Windows event logs; that matches the ossec.log line
- "No file configured to monitor" seen on this host. Re-enable at least the
- Security log if audit events are expected to reach the server.
-->
<!--
<localfile>
<location>Application</location>
<log_format>eventlog</log_format>
</localfile>
<localfile>
<location>Security</location>
<log_format>eventlog</log_format>
</localfile>
<localfile>
<location>System</location>
<log_format>eventlog</log_format>
</localfile>
-->
<!-- Rootcheck - Policy monitor config.
- The three policy files are given as relative paths (./shared/...);
- presumably resolved against the agent install directory - verify.
-->
<rootcheck>
<windows_audit>./shared/win_audit_rcl.txt</windows_audit>
<windows_apps>./shared/win_applications_rcl.txt</windows_apps>
<windows_malware>./shared/win_malware_rcl.txt</windows_malware>
</rootcheck>
<!-- Syscheck - Integrity Checking config. -->
<syscheck>
<!-- Default frequency, every 18 hours (64800 seconds). It doesn't need to be
- higher on most systems and once a day should be enough.
-->
<frequency>64800</frequency>
<!-- "no" means syscheck is NOT disabled, i.e. integrity checking runs.
- In the Install you must choose to enable it; this value reflects that choice.
-->
<disabled>no</disabled>
<!-- Default files to be monitored - system32 only.
- check_all="yes" requests every available check on the directory tree.
-->
<directories check_all="yes">%WINDIR%/system32</directories>
<!-- Default files to be ignored.
- NOTE(review): system32/Tasks holds scheduled-task definitions; ignoring it
- means changes to scheduled tasks are never reported by syscheck. Confirm
- that this trade-off (less noise vs. no visibility) is intended.
-->
<ignore>%WINDIR%/System32/LogFiles</ignore>
<ignore>%WINDIR%/system32/wbem/Logs</ignore>
<ignore>%WINDIR%/system32/config</ignore>
<ignore>%WINDIR%/system32/CatRoot</ignore>
<ignore>%WINDIR%/system32/wbem/Repository</ignore>
<ignore>%WINDIR%/system32/dllcache</ignore>
<ignore>%WINDIR%/system32/inetsrv/History</ignore>
<ignore>%WINDIR%/system32/winevt/Logs</ignore>
<ignore>%WINDIR%/system32/spool</ignore>
<ignore>%WINDIR%/system32/Tasks</ignore>
<!-- Extension-based ignore, evaluated as an OSSEC simple regex (sregex).
- NOTE(review): the leading "." in each alternative is not escaped; if "."
- is a wildcard in sregex, ".log$" also matches names such as "dialog" or
- "catalog" rather than only the ".log" extension - confirm against the
- OSSEC regex documentation before relying on it.
-->
<ignore
type="sregex">.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$</ignore>
<!-- Windows registry entries to monitor.
- NOTE(review): some values below are broken across two lines; this looks
- like mail-client wrapping of a single-line key (e.g. "Windows NT"), not
- the on-disk configuration - verify the real file is unwrapped.
-->
<windows_registry>HKEY_LOCAL_MACHINE\Software\Policies</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
NT\CurrentVersion</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Internet
Explorer</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Security</windows_registry>
<!-- Windows registry entries to ignore.
- NOTE(review): Security\Policy\Secrets and Security\SAM\Domains\Account\Users
- are excluded from the monitored HKLM\Security hive, and Schedule\TaskCache
- is excluded from Windows NT\CurrentVersion, so changes under those keys
- are not reported. Confirm these exclusions are deliberate for this site.
-->
<registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group
Policy\State</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\Cache</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
NT\CurrentVersion\ProfileList</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
NT\CurrentVersion\Prefetcher</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
NT\CurrentVersion\Schedule\TaskCache</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\Software\Classes\Interface</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\Software\Classes\TypeLib</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\Software\Classes\MIME</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\Software\Classes\Software</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\Software\Classes\CLSID</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\Security\Policy\Secrets</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceClasses</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Watchdog</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\MediaCategories</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Windows</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\hivelist</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ServiceCurrent</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session
Manager</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess\Performance</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient</registry_ignore>
<!-- sregex: any monitored key whose path ends in "\Enum" is skipped. -->
<registry_ignore type="sregex">\Enum$</registry_ignore>
</syscheck>
</ossec_config>
<!-- END of Default Configuration.
- A second ossec_config block follows. This file therefore has two top-level
- elements and is not a single well-formed XML document; it relies on the
- OSSEC loader merging multiple ossec_config sections. Keep it that way only
- if the agent version in use accepts it - a strict XML parser will not.
-->
<ossec_config>
<!-- Site-specific client settings: the manager address this agent reports to.
- This is the only value in the file that is not a shipped default.
-->
<client>
<server-ip>144.122.190.48</server-ip>
</client>
</ossec_config>
____________________________________________
Michael Barrett | Information Security Analyst - Lead | Mortgage Guaranty
Insurance Corporation
270 E. Kilbourn Ave. | Milwaukee, WI 53202 USA | ( 1.414.347.6271 | 7
1.888.601.4440 | * [email protected]
This message is intended for use only by the person(s) addressed above and
may contain privileged and confidential information. Disclosure or use of
this message by any other person is strictly prohibited. If this message
is received in error, please notify the sender immediately and delete this
message.
From:
Frank Stefan Sundberg Solli <[email protected]>
To:
[email protected]
Date:
08/20/2012 09:44 AM
Subject:
Re: [ossec-list] ossec service stops immediately after start
Sent by:
[email protected]
Check that your config file exists and that it is readable; also, if
it exists, paste it here.
On Mon, Aug 20, 2012 at 4:27 PM, Michael Barrett <[email protected]
> wrote:
Windows 2003
Faulting application ossec-agent.exe, version 0.0.0.0, faulting module
ossec-agent.exe, version 0.0.0.0, fault address 0x00030b6f.
ossec.log
2012/08/20 09:25:30 ossec-agent(1905): INFO: No file configured to
monitor.
2012/08/20 09:25:30 ossec-execd(1350): INFO: Active response disabled.
Exiting.
2012/08/20 09:25:30 ossec-agent(1410): INFO: Reading authentication keys
file.
fresh install
anyone have any ideas what to check?
same config files works on hundreds of other systems
____________________________________________
Michael Barrett | Information Security Analyst - Lead | Mortgage Guaranty
Insurance Corporation
270 E. Kilbourn Ave. | Milwaukee, WI 53202 USA | ( 1.414.347.6271 | 7
1.888.601.4440 | * [email protected]
This message is intended for use only by the person(s) addressed above and
may contain privileged and confidential information. Disclosure or use of
this message by any other person is strictly prohibited. If this message
is received in error, please notify the sender immediately and delete this
message.
--
MVH/With regards
Frank
--
Name: Frank Stefan Sundberg Solli
E-mail: [email protected]
Web: http://0x41.me
GPG: 684119F4