On Wed, Dec 19, 2012 at 10:24 AM, Lsilverman <[email protected]> wrote:
> I did not set it on the server. Where/how would I do that?
>
> Thanks for your quick response!!!!
>

In the server's /var/ossec/etc/ossec.conf, in the <syscheck> block.
http://www.ossec.net/doc/syntax/head_ossec_config.syscheck.html

From one of my ossec.confs:

<syscheck>
  <!-- Frequency that syscheck is executed - default to every 22 hours -->
  <frequency>7200</frequency>
  <alert_new_files>yes</alert_new_files>
  <auto_ignore>no</auto_ignore>
  ...
</syscheck>

>
>
> On Wednesday, December 19, 2012 10:22:00 AM UTC-5, dan (ddpbsd) wrote:
>>
>> On Wed, Dec 19, 2012 at 9:53 AM, Lsilverman <[email protected]> wrote:
>> > Let me start off with: I love ossec. It's an amazing product if you
>> > take the time to learn it and tune it. My manager is a CentOS box and
>> > my agent in question is a Win 2003 R2 SP2 box.
>> >
>> > Syscheck seems to be very buggy, unless I am doing something wrong.
>> > There is a directory on my agent that should never ever change -
>> > c:\lou. There is a log dir within that dir which changes and should
>> > be ignored. I added this to that agent's ossec config:
>> >
>> > <ossec_config>
>> >   <syscheck>
>> >     <alert_new_files>yes</alert_new_files>
>> >     <directories realtime="yes" report_changes="yes" check_all="yes">C:\lou</directories>
>> >     <ignore>C:\lou\logs</ignore>
>> >   </syscheck>
>> > </ossec_config>
>> >
>> > I restarted ossec and I see the dir being monitored:
>> > 2012/12/18 17:06:26 ossec-agent: INFO: Monitoring directory: 'C:\lou'.
>> >
>> > I added a rule to my manager's local_rules.xml as a test to alert on
>> > new files:
>> >
>> > <group name="local,">
>> >   <rule id="554" level="14" overwrite="yes">
>> >     <if_group>syscheck</if_group>
>> >     <decoded_as>syscheck_new_entry</decoded_as>
>> >     <description>File added to an ossec monitored folder.</description>
>> >     <group>syscheck,</group>
>> >   </rule>
>> > </group>
>> >
>> > I added a few files to the folder and waited. I did not get any alerts
>> > but I did get this in my agent's log:
>> >
>> > 2012/12/18 17:26:35 ossec-agent(1107): ERROR: Unable to create directory: '/var/ossec/queue/diff/local/:\lou'
>> > 2012/12/18 17:26:35 ossec-agent(1124): ERROR: Unable to rename file: 'C:\lou/delmetest.txt'.
>> > 2012/12/18 17:26:35 ossec-agent(1107): ERROR: Unable to create directory: '/var/ossec/queue/diff/local/:\lou'
>> > 2012/12/18 17:26:35 ossec-agent(1124): ERROR: Unable to rename file: 'C:\lou/delme2.txt'.
>> > 2012/12/18 17:26:55 ossec-agent: INFO: Ending syscheck scan.
>> >
>> > Does anyone see an issue with my config? Ossec knows that those are
>> > new files; why do I not get an alert? Why is my windows ossec install
>> > looking for the /var dir? Any help is greatly appreciated.
>>
>> Did you set alert_new_files on the server? It doesn't mean anything on
>> the agent.
>> I don't know if report_changes works on Windows. I didn't think so,
>> but I could be wrong.
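The split the thread turns on (alert_new_files belongs in the manager's ossec.conf, while report_changes on a Windows path is what produced the diff-queue errors on the agent) is easy to check mechanically. The following is an added example, not OSSEC project code and not either poster's files: a small linter that parses a manager or agent ossec.conf and reports the two mistakes from the thread plus an <ignore> entry that sits outside every monitored directory. It assumes only what the thread states: that <alert_new_files> takes effect on the manager side, and that report_changes="yes" on a drive-letter path deserves a warning because of the "Unable to create directory: '/var/ossec/queue/diff/...'" errors shown above. The sample configs below are constructed for the example.

```python
"""Lint <syscheck> settings in an OSSEC manager or agent ossec.conf.

Added example for this thread, not OSSEC code. Assumptions (from the
thread): <alert_new_files> only matters in the manager's ossec.conf, and
report_changes="yes" on a Windows path produced diff-queue errors on the
agent, so it is reported as a warning rather than treated as unsupported.
"""
import re
import xml.etree.ElementTree as ET

# Drive-letter paths such as C:\lou (the agent side of the thread).
WINDOWS_PATH = re.compile(r"^[A-Za-z]:[\\/]")


def parse_ossec_conf(text):
    """A real ossec.conf may hold several top-level <ossec_config> blocks,
    which is not one well-formed XML document, so wrap it in a synthetic
    root before handing it to ElementTree."""
    return ET.fromstring("<lint_root>" + text + "</lint_root>")


def norm_path(path):
    """Normalise for prefix comparison: forward slashes, no trailing slash,
    case-folded for drive-letter paths (NTFS ignores case)."""
    p = path.strip()
    folded = p.lower() if WINDOWS_PATH.match(p) else p
    return folded.replace("\\", "/").rstrip("/")


def is_under(child, parent):
    """True if child equals parent or lives somewhere below it."""
    c, p = norm_path(child), norm_path(parent)
    return c == p or c.startswith(p + "/")


def lint_syscheck(text, role):
    """Return [(severity, message), ...] for one ossec.conf.

    role is "manager" or "agent": the same <syscheck> option means
    different things on the two sides, which is the point of the thread.
    """
    if role not in ("manager", "agent"):
        raise ValueError("role must be 'manager' or 'agent'")
    root = parse_ossec_conf(text)
    findings = []

    alert_new = [e.text.strip().lower()
                 for e in root.iter("alert_new_files") if e.text]
    if role == "manager" and "yes" not in alert_new:
        findings.append(("error", "manager has no <alert_new_files>yes</alert_new_files> "
                                  "in <syscheck>; new-file events will not be alerted on"))
    if role == "agent" and alert_new:
        findings.append(("warning", "<alert_new_files> on the agent has no effect; "
                                    "set it in the manager's ossec.conf"))

    monitored = []
    for d in root.iter("directories"):
        # One element may list several comma-separated directories.
        for path in (p.strip() for p in (d.text or "").split(",") if p.strip()):
            monitored.append(path)
            if role == "agent" and d.get("report_changes") == "yes" and WINDOWS_PATH.match(path):
                findings.append(("warning", f'report_changes="yes" on Windows path {path}: '
                                            "in the thread this produced 'Unable to create "
                                            "directory' errors under /var/ossec/queue/diff/"))

    for ig in root.iter("ignore"):
        # type="sregex" entries are patterns, not paths; only check plain ones.
        if ig.get("type") or not (ig.text or "").strip():
            continue
        if not any(is_under(ig.text, m) for m in monitored):
            findings.append(("warning", f"ignore entry {ig.text.strip()} is not under "
                                        "any monitored directory, so it ignores nothing"))
    return findings


# Constructed samples modelled on the thread; not the posters' actual files.
AGENT_CONF = r"""
<ossec_config>
  <syscheck>
    <alert_new_files>yes</alert_new_files>
    <directories realtime="yes" report_changes="yes" check_all="yes">C:\lou</directories>
    <ignore>C:\lou\logs</ignore>
  </syscheck>
</ossec_config>
"""

MANAGER_CONF = """
<ossec_config>
  <syscheck>
    <frequency>7200</frequency>
    <alert_new_files>yes</alert_new_files>
    <auto_ignore>no</auto_ignore>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <ignore>/etc/mtab</ignore>
  </syscheck>
</ossec_config>
"""

# The same manager config without the line the thread's manager was missing.
MANAGER_CONF_NO_ALERT = MANAGER_CONF.replace(
    "<alert_new_files>yes</alert_new_files>", "")

if __name__ == "__main__":
    for name, conf, role in (("agent", AGENT_CONF, "agent"),
                             ("manager", MANAGER_CONF, "manager"),
                             ("manager-missing", MANAGER_CONF_NO_ALERT, "manager")):
        print(name)
        for sev, msg in lint_syscheck(conf, role):
            print(f"  {sev}: {msg}")
```

Run it against both sides: the agent config from the thread yields two warnings (the misplaced alert_new_files and the report_changes entry), the manager config with alert_new_files present yields nothing, and the same manager config without that line yields the one error that explains the missing rule 554 alerts.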
