Let me start off by saying I love OSSEC. It's an amazing product if you take the time to learn it and tune it. My manager is a CentOS box and my agent in question is a Win 2003 R2 SP2 box.
Syscheck seems to be very buggy, unless I am doing something wrong. There is a directory on my agent that should never ever change: c:\lou. There is a log dir within that dir which changes and should be ignored. I added this to that agent's ossec config:

<ossec_config>
  <syscheck>
    <alert_new_files>yes</alert_new_files>
    <directories realtime="yes" report_changes="yes" check_all="yes">C:\lou</directories>
    <ignore>C:\lou\logs</ignore>
  </syscheck>
</ossec_config>

I restarted ossec and I see the dir being monitored:

2012/12/18 17:06:26 ossec-agent: INFO: Monitoring directory: 'C:\lou'.

I added a rule to my manager's local_rules.xml as a test to alert on new files:

<group name="local,">
  <rule id="554" level="14" overwrite="yes">
    <if_group>syscheck</if_group>
    <decoded_as>syscheck_new_entry</decoded_as>
    <description>File added to an ossec monitored folder.</description>
    <group>syscheck,</group>
  </rule>
</group>

I added a few files to the folder and waited. I did not get any alerts, but I did get this in my agent's log:

2012/12/18 17:26:35 ossec-agent(1107): ERROR: Unable to create directory: '/var/ossec/queue/diff/local/:\lou'
2012/12/18 17:26:35 ossec-agent(1124): ERROR: Unable to rename file: 'C:\lou/delmetest.txt'.
2012/12/18 17:26:35 ossec-agent(1107): ERROR: Unable to create directory: '/var/ossec/queue/diff/local/:\lou'
2012/12/18 17:26:35 ossec-agent(1124): ERROR: Unable to rename file: 'C:\lou/delme2.txt'.
2012/12/18 17:26:55 ossec-agent: INFO: Ending syscheck scan.

Does anyone see an issue with my config? OSSEC knows that those are new files, so why do I not get an alert? Why is my Windows OSSEC install looking for the /var dir? Any help is greatly appreciated.
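As an added example (not code from the original post and not part of OSSEC itself), here is a small Python triage script for exactly this kind of agent log. It parses ossec-agent log lines into structured records, pulls out which directories syscheck said it was monitoring, counts the 1107 "Unable to create directory" errors by the suffix under the queue/diff/local path, lists the files the 1124 "Unable to rename file" errors name, and finally compares each monitored Windows directory against those diff-queue suffixes to spot the pattern visible in the quoted lines: 'C:\lou' being monitored, but the diff directory being requested as ':\lou' with the drive letter missing. The sample log text is the post's own lines re-typed as a constructed input so the script runs offline; the function names and the regex are this example's own, not OSSEC's.

```python
import re
from collections import Counter

# Constructed sample input: the ossec-agent log lines quoted in the post above,
# re-typed here so the script runs offline (not pulled from a real agent).
SAMPLE_LOG = r"""2012/12/18 17:06:26 ossec-agent: INFO: Monitoring directory: 'C:\lou'.
2012/12/18 17:26:35 ossec-agent(1107): ERROR: Unable to create directory: '/var/ossec/queue/diff/local/:\lou'
2012/12/18 17:26:35 ossec-agent(1124): ERROR: Unable to rename file: 'C:\lou/delmetest.txt'.
2012/12/18 17:26:35 ossec-agent(1107): ERROR: Unable to create directory: '/var/ossec/queue/diff/local/:\lou'
2012/12/18 17:26:35 ossec-agent(1124): ERROR: Unable to rename file: 'C:\lou/delme2.txt'.
2012/12/18 17:26:55 ossec-agent: INFO: Ending syscheck scan.
"""

# Shape of an ossec-agent log line as seen in the post:
#   <date> <time> <daemon>[(<code>)]: <LEVEL>: <message>[: '<path>'][.]
# This regex is written for this example from those lines; it is not OSSEC's own format spec.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<daemon>[\w-]+)(?:\((?P<code>\d+)\))?: "
    r"(?P<level>[A-Z]+): (?P<msg>.*?)(?:: '(?P<path>[^']*)')?\.?$"
)

# Path fragment under which the agent tried to create its per-directory diff area.
DIFF_QUEUE = "/queue/diff/local/"


def parse_log(text):
    """Turn agent log text into a list of dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["code"] = int(rec["code"]) if rec["code"] else None
            records.append(rec)
    return records


def syscheck_summary(records):
    """Summarise what syscheck said it was watching and what it then failed to do."""
    monitored = [r["path"] for r in records
                 if r["level"] == "INFO" and r["msg"] == "Monitoring directory"]
    # 1107: directory creation under queue/diff failed; key on the part after DIFF_QUEUE
    diff_failures = Counter()
    for r in records:
        if r["level"] == "ERROR" and r["code"] == 1107 and DIFF_QUEUE in (r["path"] or ""):
            diff_failures[r["path"].split(DIFF_QUEUE, 1)[1]] += 1
    # 1124: files syscheck noticed but could not rename (the new files from the post)
    unstaged = [r["path"] for r in records
                if r["level"] == "ERROR" and r["code"] == 1124]
    return {"monitored": monitored,
            "diff_failures": dict(diff_failures),
            "unstaged": unstaged}


def dropped_drive_letters(summary):
    """Map each monitored Windows directory (e.g. 'C:\\lou') to a failed diff-queue
    suffix that equals it with the leading drive letter removed (':\\lou').
    An empty result means every failing suffix still carries its drive letter."""
    out = {}
    for d in summary["monitored"]:
        if len(d) > 2 and d[1] == ":" and d[1:] in summary["diff_failures"]:
            out[d] = d[1:]
    return out


if __name__ == "__main__":
    summary = syscheck_summary(parse_log(SAMPLE_LOG))
    print(summary)
    print("drive letter dropped for:", dropped_drive_letters(summary))
```

Feed it the real ossec.log from the agent instead of SAMPLE_LOG and the same three questions get answered from the evidence rather than by eyeballing: which directories the agent actually registered, whether every new file produced a matching 1124 error (meaning syscheck saw the file but never got past the rename step), and whether the diff-directory path it tried to create is the monitored path minus its drive letter.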
