On Fri, Oct 26, 2012 at 1:14 PM, Joseph Moles <[email protected]> wrote: > I am running into an issue where the windows agent is installing and the > service starts, and after the initial syscheck scan the service receives a > shutdown command and has to be manually restarted. > > Here is the agent.conf: > > > <agent_config> > <!-- Rootcheck - Policy monitor config --> > <rootcheck> > <windows_audit>./shared/win_audit_rcl.txt</windows_audit> > <windows_apps>./shared/win_applications_rcl.txt</windows_apps> > <windows_malware>./shared/win_malware_rcl.txt</windows_malware> > </rootcheck> > > > <!-- Syscheck - Integrity Checking config. --> > <syscheck> > > <!-- Default frequency, every 20 hours. It doesn't need to be higher > - on most systems and one a day should be enough. > --> > <frequency>72000</frequency> > > <!-- By default it is disabled. In the Install you must choose > - to enable it. > --> > <disabled>no</disabled> > > > <!-- Default files to be monitored - system32 only. --> > <directories check_all="yes">%WINDIR%/win.ini</directories> > <directories check_all="yes">%WINDIR%/system.ini</directories> > <directories check_all="yes">C:\autoexec.bat</directories> > <directories check_all="yes">C:\config.sys</directories> > <directories check_all="yes">C:\boot.ini</directories> > <directories check_all="yes">%WINDIR%/System32/CONFIG.NT</directories> > <directories check_all="yes">%WINDIR%/System32/AUTOEXEC.NT</directories> > <directories check_all="yes">%WINDIR%/System32/at.exe</directories> > <directories check_all="yes">%WINDIR%/System32/attrib.exe</directories> > <directories check_all="yes">%WINDIR%/System32/cacls.exe</directories> > <directories check_all="yes">%WINDIR%/System32/debug.exe</directories> > <directories > check_all="yes">%WINDIR%/System32/drwatson.exe</directories> > <directories > check_all="yes">%WINDIR%/System32/drwtsn32.exe</directories> > <directories check_all="yes">%WINDIR%/System32/edlin.exe</directories> > <directories > check_all="yes">%WINDIR%/System32/eventcreate.exe</directories> > <directories > check_all="yes">%WINDIR%/System32/eventtriggers.exe</directories> > <directories check_all="yes">%WINDIR%/System32/ftp.exe</directories> > <directories check_all="yes">%WINDIR%/System32/net.exe</directories> > <directories check_all="yes">%WINDIR%/System32/net1.exe</directories> > <directories check_all="yes">%WINDIR%/System32/netsh.exe</directories> > <directories check_all="yes">%WINDIR%/System32/rcp.exe</directories> > <directories check_all="yes">%WINDIR%/System32/reg.exe</directories> > <directories check_all="yes">%WINDIR%/regedit.exe</directories> > <directories > check_all="yes">%WINDIR%/System32/regedt32.exe</directories> > <directories > check_all="yes">%WINDIR%/System32/regsvr32.exe</directories> > <directories check_all="yes">%WINDIR%/System32/rexec.exe</directories> > <directories check_all="yes">%WINDIR%/System32/rsh.exe</directories> > <directories check_all="yes">%WINDIR%/System32/runas.exe</directories> > <directories check_all="yes">%WINDIR%/System32/sc.exe</directories> > <directories check_all="yes">%WINDIR%/System32/subst.exe</directories> > <directories check_all="yes">%WINDIR%/System32/telnet.exe</directories> > <directories check_all="yes">%WINDIR%/System32/tftp.exe</directories> > <directories check_all="yes">%WINDIR%/System32/tlntsvr.exe</directories> > <directories check_all="yes">%WINDIR%/System32/drivers/etc</directories> > <directories check_all="yes">C:\Documents and Settings/All Users/Start > Menu/Programs/Startup</directories> > <ignore > type="sregex">.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$</ignore> > > > <!-- Windows registry entries to monitor. --> > > <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\batfile</windows_registry> > > <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\cmdfile</windows_registry> > > <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\comfile</windows_registry> > > <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\exefile</windows_registry> > > <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\piffile</windows_registry> > > <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects</windows_registry> > > <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Directory</windows_registry> > > <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Folder</windows_registry> > > <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Protocols</windows_registry> > > <windows_registry>HKEY_LOCAL_MACHINE\Software\Policies</windows_registry> > <windows_registry>HKEY_LOCAL_MACHINE\Security</windows_registry> > <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Internet > Explorer</windows_registry> > > > > <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</windows_registry> > > <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session > Manager\KnownDLLs</windows_registry> > > <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg</windows_registry> > > > <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry> > > <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</windows_registry> > > <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx</windows_registry> > > <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL</windows_registry> > > <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies</windows_registry> > <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows > NT\CurrentVersion\Windows</windows_registry> > <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows > NT\CurrentVersion\Winlogon</windows_registry> > > <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Active > Setup\Installed Components</windows_registry> > > > > <!-- Windows registry entries to ignore. --> > > <registry_ignore>HKEY_LOCAL_MACHINE\Security\Policy\Secrets</registry_ignore> > > <registry_ignore>HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users</registry_ignore> > <registry_ignore type="sregex">\Enum$</registry_ignore> > </syscheck> > > <active-response> > <disabled>yes</disabled> > </active-response> > > </agent_config> > > ossec.conf: > > <!-- OSSEC Win32 Agent Configuration. > - This file is compost of 3 main sections: > - - Client config - Settings to connect to the OSSEC server. > - - Localfile - Files/Event logs to monitor. > - - syscheck - System file/Registry entries to monitor. > - - Oct 10, 2012 - Removed all default settings in this file, all > settings are push via agent.conf JMoles > --> > > <!-- READ ME FIRST. If you are configuring OSSEC for the first time, > - try to use the "Manage_Agent" tool. Go to control panel->OSSEC Agent > - to execute it. > - > - First, add a server-ip entry with the real IP of your server. > - Second, and optionally, change the settings of the files you want > - to monitor. Look at our Manual and FAQ for more information. > - Third, start the Agent and enjoy. > - > - Example of server-ip: > - <client> <server-ip>1.2.3.4</server-ip> </client> > --> > > > <ossec_config> > > > </ossec_config> > > > <!-- END of Default Configuration. --> > > > <ossec_config> > <client> > <server-hostname>xxx.xxx.com</server-hostname> > </client> > </ossec_config> > > and the ossec log on the agent: > > 2012/10/23 20:00:04 (null): INFO: System is Vista or Windows Server 2008. > > 2012/10/23 20:00:07 ossec-agent(1905): INFO: No file configured to monitor. > > 2012/10/23 20:00:07 ossec-execd(1350): INFO: Active response disabled. > Exiting. > > 2012/10/23 20:00:07 ossec-agent(1410): INFO: Reading authentication keys > file. > > 2012/10/23 20:00:07 ossec-agent: INFO: Trying to connect to server > (redacted.hostname.com/xx.xx.xx.xx:1514). > > 2012/10/23 20:00:07 ossec-agent: INFO: Using IPv4 for: xx.xx.xx.xx . > > 2012/10/23 20:00:07 ossec-agent: Starting syscheckd thread. > > 2012/10/23 20:00:07 ossec-agent(1702): INFO: No directory provided for > syscheck to monitor. > > 2012/10/23 20:00:07 ossec-agent: WARN: Syscheck disabled. > > 2012/10/23 20:00:07 ossec-rootcheck: INFO: Started (pid: 2556). > > 2012/10/23 20:00:07 ossec-agent: INFO: Started (pid: 2556). > > 2012/10/23 20:00:10 ossec-agent(4102): INFO: Connected to the server > (redacted.hostname.com/xx.xx.xx.xx:1514). > > 2012/10/23 20:00:10 ossec-agent: INFO: System is Vista or Windows Server > 2008. > > 2012/10/23 20:00:10 ossec-agent: INFO: Started (pid: 2556). > > 2012/10/23 20:01:37 ossec-agent: INFO: Starting rootcheck scan. > > 2012/10/23 20:01:37 ossec-agent: No winaudit file configured. > > 2012/10/23 20:01:37 ossec-agent: No winmalware file configured. > > 2012/10/23 20:01:37 ossec-agent: No winapps file configured. > > 2012/10/23 20:01:42 ossec-agent: INFO: Ending rootcheck scan. > > 2012/10/24 10:34:05 ossec-agent: Received exit signal. > > 2012/10/24 10:34:05 ossec-agent: Exiting... > > 2012/10/24 10:34:06 > > 2012/10/24 10:34:06 (null): INFO: System is Vista or Windows Server 2008. > > 2012/10/25 20:19:17 > > 2012/10/25 20:19:17 (null): INFO: System is Vista or Windows Server 2008. > > 2012/10/26 11:26:52 ossec-agent(1905): INFO: No file configured to monitor. > > 2012/10/26 11:26:53 ossec-execd(1350): INFO: Active response disabled. > Exiting. > > 2012/10/26 11:26:53 ossec-agent(1410): INFO: Reading authentication keys > file. > > 2012/10/26 11:26:53 ossec-agent: INFO: Assigning counter for agent > redacted_agentname: '4:4735'. > > 2012/10/26 11:26:53 ossec-agent: INFO: Assigning sender counter: 0:518 > > 2012/10/26 11:26:53 ossec-agent: INFO: Trying to connect to server > (redacted.hostname.com/xx.xx.xx.xx:1514). > > 2012/10/26 11:26:53 ossec-agent: INFO: Using IPv4 for: xx.xx.xx.xx . > > 2012/10/26 11:26:53 ossec-agent: Starting syscheckd thread. > > 2012/10/26 11:26:53 ossec-rootcheck: INFO: Started (pid: 2084). > > 2012/10/26 11:26:53 ossec-agent: INFO: Monitoring registry entry: > 'HKEY_LOCAL_MACHINE\Software\Classes\batfile'. > > 2012/10/26 11:26:53 ossec-agent: INFO: Monitoring registry entry: > 'HKEY_LOCAL_MACHINE\Software\Classes\cmdfile'. > > 2012/10/26 11:26:53 ossec-agent: INFO: Monitoring registry entry: > 'HKEY_LOCAL_MACHINE\Software\Classes\comfile'. > > 2012/10/26 11:26:53 ossec-agent: INFO: Monitoring registry entry: > 'HKEY_LOCAL_MACHINE\Software\Classes\exefile'. > > 2012/10/26 11:26:53 ossec-agent: INFO: Monitoring registry entry: > 'HKEY_LOCAL_MACHINE\Software\Classes\piffile'. > > 2012/10/26 11:26:53 ossec-agent: INFO: Monitoring registry entry: > 'HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects'. > > 2012/10/26 11:26:53 ossec-agent: INFO: Monitoring registry entry: > 'HKEY_LOCAL_MACHINE\Software\Classes\Directory'. > > 2012/10/26 11:26:53 ossec-agent: INFO: Monitoring registry entry: > 'HKEY_LOCAL_MACHINE\Software\Classes\Folder'. > > 2012/10/26 11:26:53 ossec-agent: INFO: Monitoring registry entry: > 'HKEY_LOCAL_MACHINE\Software\Classes\Protocols'. > > 2012/10/26 11:26:53 ossec-agent: INFO: Monitoring registry entry: > 'HKEY_LOCAL_MACHINE\Software\Policies'. > > 2012/10/26 11:26:53 ossec-agent: INFO: Monitoring registry entry: > 'HKEY_LOCAL_MACHINE\Security'. > > 2012/10/26 11:26:53 ossec-agent: INFO: Monitoring registry entry: > 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer'. > > 2012/10/26 11:26:53 ossec-agent: INFO: Monitoring registry entry: > 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services'. > > 2012/10/26 11:26:53 ossec-agent: INFO: Monitoring registry entry: > 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session > Manager\KnownDLLs'. > > 2012/10/26 11:26:53 ossec-agent: INFO: Monitoring registry entry: > 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg'. > > 2012/10/26 11:26:53 ossec-agent: INFO: Monitoring registry entry: > 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run'. > > 2012/10/26 11:26:53 ossec-agent: INFO: Monitoring registry entry: > 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce'. > > 2012/10/26 11:26:53 ossec-agent: INFO: Monitoring registry entry: > 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx'. > > 2012/10/26 11:26:53 ossec-agent: INFO: Monitoring registry entry: > 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL'. > > 2012/10/26 11:26:53 ossec-agent: INFO: Monitoring registry entry: > 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies'. > > 2012/10/26 11:26:53 ossec-agent: INFO: Monitoring registry entry: > 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows'. > > 2012/10/26 11:26:53 ossec-agent: INFO: Monitoring registry entry: > 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'. > > 2012/10/26 11:26:53 ossec-agent: INFO: Monitoring registry entry: > 'HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components'. > > 2012/10/26 11:26:53 ossec-agent: INFO: Monitoring directory: > 'C:\Windows/win.ini'. > > 2012/10/26 11:26:53 ossec-agent: INFO: Monitoring directory: > 'C:\Windows/system.ini'. > > 2012/10/26 11:26:53 ossec-agent: INFO: Monitoring directory: > 'C:\autoexec.bat'. > > 2012/10/26 11:26:53 ossec-agent: INFO: Monitoring directory: > 'C:\config.sys'. > > 2012/10/26 11:26:53 ossec-agent: INFO: Monitoring directory: 'C:\boot.ini'. > > 2012/10/26 11:26:53 ossec-agent: INFO: Monitoring directory: > 'C:\Windows/System32/CONFIG.NT'. > > 2012/10/26 11:26:53 ossec-agent: INFO: Monitoring directory: > 'C:\Windows/System32/AUTOEXEC.NT'. > > 2012/10/26 11:26:53 ossec-agent: INFO: Monitoring directory: > 'C:\Windows/System32/at.exe'. > > 2012/10/26 11:26:53 ossec-agent: INFO: Monitoring directory: > 'C:\Windows/System32/attrib.exe'. > > 2012/10/26 11:26:53 ossec-agent: INFO: Monitoring directory: > 'C:\Windows/System32/cacls.exe'. > > 2012/10/26 11:26:53 ossec-agent: INFO: Monitoring directory: > 'C:\Windows/System32/debug.exe'. > > 2012/10/26 11:26:53 ossec-agent: INFO: Monitoring directory: > 'C:\Windows/System32/drwatson.exe'. > > 2012/10/26 11:26:53 ossec-agent: INFO: Monitoring directory: > 'C:\Windows/System32/drwtsn32.exe'. > > 2012/10/26 11:26:53 ossec-agent: INFO: Monitoring directory: > 'C:\Windows/System32/edlin.exe'. > > 2012/10/26 11:26:53 ossec-agent: INFO: Monitoring directory: > 'C:\Windows/System32/eventcreate.exe'. > > 2012/10/26 11:26:53 ossec-agent: INFO: Monitoring directory: > 'C:\Windows/System32/eventtriggers.exe'. > > 2012/10/26 11:26:53 ossec-agent: INFO: Monitoring directory: > 'C:\Windows/System32/ftp.exe'. > > 2012/10/26 11:26:53 ossec-agent: INFO: Monitoring directory: > 'C:\Windows/System32/net.exe'. > > 2012/10/26 11:26:53 ossec-agent: INFO: Monitoring directory: > 'C:\Windows/System32/net1.exe'. > > 2012/10/26 11:26:53 ossec-agent: INFO: Monitoring directory: > 'C:\Windows/System32/netsh.exe'. > > 2012/10/26 11:26:53 ossec-agent: INFO: Monitoring directory: > 'C:\Windows/System32/rcp.exe'. > > 2012/10/26 11:26:53 ossec-agent: INFO: Monitoring directory: > 'C:\Windows/System32/reg.exe'. > > 2012/10/26 11:26:53 ossec-agent: INFO: Monitoring directory: > 'C:\Windows/regedit.exe'. > > 2012/10/26 11:26:53 ossec-agent: INFO: Monitoring directory: > 'C:\Windows/System32/regedt32.exe'. > > 2012/10/26 11:26:53 ossec-agent: INFO: Monitoring directory: > 'C:\Windows/System32/regsvr32.exe'. > > 2012/10/26 11:26:53 ossec-agent: INFO: Monitoring directory: > 'C:\Windows/System32/rexec.exe'. > > 2012/10/26 11:26:53 ossec-agent: INFO: Monitoring directory: > 'C:\Windows/System32/rsh.exe'. > > 2012/10/26 11:26:53 ossec-agent: INFO: Monitoring directory: > 'C:\Windows/System32/runas.exe'. > > 2012/10/26 11:26:53 ossec-agent: INFO: Monitoring directory: > 'C:\Windows/System32/sc.exe'. > > 2012/10/26 11:26:53 ossec-agent: INFO: Monitoring directory: > 'C:\Windows/System32/subst.exe'. > > 2012/10/26 11:26:53 ossec-agent: INFO: Monitoring directory: > 'C:\Windows/System32/telnet.exe'. > > 2012/10/26 11:26:53 ossec-agent: INFO: Monitoring directory: > 'C:\Windows/System32/tftp.exe'. > > 2012/10/26 11:26:53 ossec-agent: INFO: Monitoring directory: > 'C:\Windows/System32/tlntsvr.exe'. > > 2012/10/26 11:26:53 ossec-agent: INFO: Monitoring directory: > 'C:\Windows/System32/drivers/etc'. > > 2012/10/26 11:26:53 ossec-agent: INFO: Monitoring directory: 'C:\Documents > and Settings/All Users/Start Menu/Programs/Startup'. > > 2012/10/26 11:26:53 ossec-agent: INFO: Started (pid: 2084). > > 2012/10/26 11:26:54 ossec-agent(4102): INFO: Connected to the server > (redacted.hostname.com/xx.xx.xx.xx:1514). > > 2012/10/26 11:26:54 ossec-agent: INFO: System is Vista or Windows Server > 2008. > > 2012/10/26 11:26:54 ossec-agent: INFO: Started (pid: 2084). > > 2012/10/26 11:27:53 ossec-agent: INFO: Starting syscheck scan (forwarding > database). > > 2012/10/26 11:27:53 ossec-agent: INFO: Starting syscheck database > (pre-scan). > > 2012/10/26 11:27:53 ossec-agent: WARN: Error opening directory: > 'C:\boot.ini': No such file or directory > > 2012/10/26 11:27:53 ossec-agent: WARN: Error opening directory: > 'C:\Windows/System32/CONFIG.NT': No such file or directory > > 2012/10/26 11:27:53 ossec-agent: WARN: Error opening directory: > 'C:\Windows/System32/AUTOEXEC.NT': No such file or directory > > 2012/10/26 11:27:53 ossec-agent: WARN: Error opening directory: > 'C:\Windows/System32/debug.exe': No such file or directory > > 2012/10/26 11:27:53 ossec-agent: WARN: Error opening directory: > 'C:\Windows/System32/drwatson.exe': No such file or directory > > 2012/10/26 11:27:53 ossec-agent: WARN: Error opening directory: > 'C:\Windows/System32/drwtsn32.exe': No such file or directory > > 2012/10/26 11:27:53 ossec-agent: WARN: Error opening directory: > 'C:\Windows/System32/edlin.exe': No such file or directory > > 2012/10/26 11:27:53 ossec-agent: WARN: Error opening directory: > 'C:\Windows/System32/eventtriggers.exe': No such file or directory > > 2012/10/26 11:27:53 ossec-agent: WARN: Error opening directory: > 'C:\Windows/System32/rcp.exe': No such file or directory > > 2012/10/26 11:27:53 ossec-agent: WARN: Error opening directory: > 'C:\Windows/System32/rexec.exe': No such file or directory > > 2012/10/26 11:27:53 ossec-agent: WARN: Error opening directory: > 'C:\Windows/System32/rsh.exe': No such file or directory > > 2012/10/26 11:27:55 ossec-agent: WARN: Error opening directory: > 'C:\Windows/System32/telnet.exe': No such file or directory > > 2012/10/26 11:27:55 ossec-agent: WARN: Error opening directory: > 'C:\Windows/System32/tftp.exe': No such file or directory > > 2012/10/26 11:27:55 ossec-agent: WARN: Error opening directory: > 'C:\Windows/System32/tlntsvr.exe': No such file or directory > > 2012/10/26 11:27:55 ossec-agent: INFO: Finished creating syscheck database > (pre-scan completed). > > 2012/10/26 11:28:05 ossec-agent: INFO: Ending syscheck scan (forwarding > database). > > 2012/10/26 11:28:25 ossec-agent: INFO: Starting rootcheck scan. > > 2012/10/26 11:28:30 ossec-agent: INFO: Ending rootcheck scan. > >
Does your OSSEC server have an active response setup to restart the agent or anything? What version of OSSEC? How do you know the OSSEC processes receive a "shutdown command?"
