I did not set it on the server. Where/how would I do that? Thanks for your quick response!!!!
On Wednesday, December 19, 2012 10:22:00 AM UTC-5, dan (ddpbsd) wrote:
>
> On Wed, Dec 19, 2012 at 9:53 AM, Lsilverman
> <[email protected]> wrote:
> > Let me start off with I love ossec, It's an amazing product if you take the
> > time to learn it and tune it. My manager is a CentOS box and my agent in
> > question is a Win 2003 R2 SP2 box.
> >
> > Syscheck seems to be very buggy, unless I am doing something wrong. There is
> > a directory on my agent that should never ever change - c:\lou. There is a
> > log dir within that dir which changes and should be ignored. I added this to
> > that agent's ossec config:
> >
> > <ossec_config>
> >   <syscheck>
> >     <alert_new_files>yes</alert_new_files>
> >     <directories realtime="yes" report_changes="yes"
> >                  check_all="yes">C:\lou</directories>
> >     <ignore>C:\lou\logs</ignore>
> >   </syscheck>
> > </ossec_config>
> >
> > I restarted ossec and I see the dir being monitored:
> > 2012/12/18 17:06:26 ossec-agent: INFO: Monitoring directory: 'C:\lou'.
> >
> >
> > I added a rule to my manager's local_rules.xml as a test to alert on new
> > files:
> >
> > <group name="local,">
> >   <rule id="554" level="14" overwrite="yes">
> >     <if_group>syscheck</if_group>
> >     <decoded_as>syscheck_new_entry</decoded_as>
> >     <description>File added to an ossec monitored folder.</description>
> >     <group>syscheck,</group>
> >   </rule>
> > </group>
> >
> > I added a few files to the folder and waited. I did not get any alerts but I
> > did get this in my agent's log:
> >
> > 2012/12/18 17:26:35 ossec-agent(1107): ERROR: Unable to create directory:
> > '/var/ossec/queue/diff/local/:\lou'
> > 2012/12/18 17:26:35 ossec-agent(1124): ERROR: Unable to rename file:
> > 'C:\lou/delmetest.txt'.
> > 2012/12/18 17:26:35 ossec-agent(1107): ERROR: Unable to create directory:
> > '/var/ossec/queue/diff/local/:\lou'
> > 2012/12/18 17:26:35 ossec-agent(1124): ERROR: Unable to rename file:
> > 'C:\lou/delme2.txt'.
> > 2012/12/18 17:26:55 ossec-agent: INFO: Ending syscheck scan.
> >
> > Does anyone see an issue with my config? Ossec knows that those are new
> > files, why do I not get an alert? Why is my Windows ossec install looking
> > for the /var dir? Any help is greatly appreciated.
>
> Did you set alert_new_files on the server? It doesn't mean anything on
> the agent.
> I don't know if report_changes works on Windows. I didn't think so,
> but I could be wrong.
>
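As an added illustration of the manager/agent split dan describes (not from this thread or the OSSEC project), here is how the two sides would be laid out: alert_new_files lives in the syscheck block of the manager's own ossec.conf, while the Windows agent keeps only the directory list. The paths are the ones quoted above; leaving report_changes out of the agent config is an assumption based on dan's doubt and the /var/ossec diff-directory errors in the agent log, not something the thread confirms.

```xml
<!-- Manager (CentOS): /var/ossec/etc/ossec.conf -->
<!-- alert_new_files is acted on where syscheck events are analysed, i.e. on the
     manager. Setting it in the agent's config has no effect (dan's point above).
     The local_rules.xml rule 554 override stays exactly as posted in the thread. -->
<ossec_config>
  <syscheck>
    <alert_new_files>yes</alert_new_files>
  </syscheck>
</ossec_config>

<!-- Windows 2003 R2 agent: ossec.conf -->
<!-- Assumption: report_changes is omitted here, since the agent log shows it
     trying to build its diff store under the Unix-style
     /var/ossec/queue/diff path and failing on ':\lou'. -->
<ossec_config>
  <syscheck>
    <directories realtime="yes" check_all="yes">C:\lou</directories>
    <ignore>C:\lou\logs</ignore>
  </syscheck>
</ossec_config>
```

Both the manager (ossec-control restart) and the agent need a restart after the change, and the first new-file alert arrives once the manager has seen the agent's next syscheck data.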
