On Wed, Dec 19, 2012 at 9:53 AM, Lsilverman <[email protected]> wrote:
> Let me start off with this: I love ossec. It's an amazing product if you take the
> time to learn it and tune it. My manager is a CentOS box and my agent in
> question is a Win 2003 R2 SP2 box.
>
> Syscheck seems to be very buggy, unless I am doing something wrong. There is
> a directory on my agent that should never ever change - c:\lou. There is a
> log dir within that dir which changes and should be ignored. I added this to
> that agent's ossec config:
>
> <ossec_config>
>   <syscheck>
>     <alert_new_files>yes</alert_new_files>
>     <directories realtime="yes" report_changes="yes" check_all="yes">C:\lou</directories>
>     <ignore>C:\lou\logs</ignore>
>   </syscheck>
> </ossec_config>
>
> I restarted ossec and I see the dir being monitored:
> 2012/12/18 17:06:26 ossec-agent: INFO: Monitoring directory: 'C:\lou'.
>
> I added a rule to my manager's local_rules.xml as a test to alert on new
> files:
>
> <group name="local,">
>   <rule id="554" level="14" overwrite="yes">
>     <if_group>syscheck</if_group>
>     <decoded_as>syscheck_new_entry</decoded_as>
>     <description>File added to an ossec monitored folder.</description>
>     <group>syscheck,</group>
>   </rule>
> </group>
>
> I added a few files to the folder and waited. I did not get any alerts, but I
> did get this in my agent's log:
>
> 2012/12/18 17:26:35 ossec-agent(1107): ERROR: Unable to create directory: '/var/ossec/queue/diff/local/:\lou'
> 2012/12/18 17:26:35 ossec-agent(1124): ERROR: Unable to rename file: 'C:\lou/delmetest.txt'.
> 2012/12/18 17:26:35 ossec-agent(1107): ERROR: Unable to create directory: '/var/ossec/queue/diff/local/:\lou'
> 2012/12/18 17:26:35 ossec-agent(1124): ERROR: Unable to rename file: 'C:\lou/delme2.txt'.
> 2012/12/18 17:26:55 ossec-agent: INFO: Ending syscheck scan.
>
> Does anyone see an issue with my config? Ossec knows that those are new
> files, why do I not get an alert? Why is my Windows ossec install looking
> for the /var dir? Any help is greatly appreciated.
Did you set alert_new_files on the server? It doesn't mean anything on the agent. I don't know if report_changes works on Windows. I didn't think so, but I could be wrong.
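To illustrate the reply's point, here is the setting moved from the agent to the manager. This is an added example, not from the original thread; it assumes the manager's config lives at the default /var/ossec/etc/ossec.conf and keeps the poster's own paths and rule.

```xml
<!-- AGENT (Windows, ossec.conf): alert_new_files here is ignored by the
     manager, so it is left out. Only the directory list stays on the agent. -->
<ossec_config>
  <syscheck>
    <directories realtime="yes" check_all="yes">C:\lou</directories>
    <ignore>C:\lou\logs</ignore>
  </syscheck>
</ossec_config>

<!-- MANAGER (CentOS, /var/ossec/etc/ossec.conf, assumed default path):
     alert_new_files must be enabled in the manager's own syscheck block,
     otherwise new-file events are never turned into alerts and the
     overwritten rule 554 in local_rules.xml has nothing to match. -->
<ossec_config>
  <syscheck>
    <alert_new_files>yes</alert_new_files>
  </syscheck>
</ossec_config>
```

After editing the manager's ossec.conf, restart the manager so the syscheck block is reloaded before re-testing with a new file in C:\lou.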
