I am adding this now; I will test and let you know my results. 

I thought that the ossec.conf on the manager related to the agent running 
on the manager doing checks of itself? Similar to the ossec.conf file on 
any agent. 

Thanks



On Wednesday, December 19, 2012 10:26:10 AM UTC-5, dan (ddpbsd) wrote:
>
> On Wed, Dec 19, 2012 at 10:24 AM, Lsilverman <[email protected]> wrote: 
> > I did not set it on the server. Where/how would I do that? 
> > 
> > Thanks for your quick response!!!! 
> > 
>
> In the server's /var/ossec/etc/ossec.conf, in the <syscheck> block. 
>
> http://www.ossec.net/doc/syntax/head_ossec_config.syscheck.html 
>
>
> From one of my ossec.confs: 
>
>   <syscheck> 
>     <!-- Frequency that syscheck is executed - default to every 22 hours --> 
>     <frequency>7200</frequency> 
>     <alert_new_files>yes</alert_new_files> 
>     <auto_ignore>no</auto_ignore> 
>      ... 
>    </syscheck> 
>
> > 
> > 
> > On Wednesday, December 19, 2012 10:22:00 AM UTC-5, dan (ddpbsd) wrote: 
> >> 
> >> On Wed, Dec 19, 2012 at 9:53 AM, Lsilverman 
> >> <[email protected]> wrote: 
> >> > Let me start off with I love ossec. It's an amazing product if you take 
> >> > the time to learn it and tune it. My manager is a CentOS box and my agent 
> >> > in question is a Win 2003 R2 SP2 box. 
> >> > 
> >> > Syscheck seems to be very buggy, unless I am doing something wrong. There is 
> >> > a directory on my agent that should never ever change - c:\lou. There is 
> >> > a log dir within that dir which changes and should be ignored. I added 
> >> > this to that agent's ossec config: 
> >> > 
> >> > <ossec_config> 
> >> >  <syscheck> 
> >> >    <alert_new_files>yes</alert_new_files> 
> >> >    <directories realtime="yes" report_changes="yes" 
> >> > check_all="yes">C:\lou</directories> 
> >> >    <ignore>C:\lou\logs</ignore> 
> >> >   </syscheck> 
> >> > </ossec_config> 
> >> > 
> >> > I restarted ossec and I see the dir being monitored: 
> >> > 2012/12/18 17:06:26 ossec-agent: INFO: Monitoring directory: 'C:\lou'. 
> >> > 
> >> > 
> >> > I added a rule to my manager's local_rules.xml as a test to alert on new 
> >> > files: 
> >> > 
> >> > <group name="local,"> 
> >> >  <rule id="554" level="14" overwrite="yes"> 
> >> >   <if_group>syscheck</if_group> 
> >> >   <decoded_as>syscheck_new_entry</decoded_as> 
> >> >   <description>File added to an ossec monitored folder.</description> 
> >> >   <group>syscheck,</group> 
> >> >  </rule> 
> >> > </group> 
> >> > 
> >> > I added a few files to the folder and waited. I did not get any alerts 
> >> > but I did get this in my agent's log: 
> >> > 
> >> > 2012/12/18 17:26:35 ossec-agent(1107): ERROR: Unable to create directory: '/var/ossec/queue/diff/local/:\lou' 
> >> > 2012/12/18 17:26:35 ossec-agent(1124): ERROR: Unable to rename file: 'C:\lou/delmetest.txt'. 
> >> > 2012/12/18 17:26:35 ossec-agent(1107): ERROR: Unable to create directory: '/var/ossec/queue/diff/local/:\lou' 
> >> > 2012/12/18 17:26:35 ossec-agent(1124): ERROR: Unable to rename file: 'C:\lou/delme2.txt'. 
> >> > 2012/12/18 17:26:55 ossec-agent: INFO: Ending syscheck scan. 
> >> > 
> >> > Does anyone see an issue with my config? Ossec knows that those are new 
> >> > files, why do I not get an alert? Why is my windows ossec install looking 
> >> > for the /var dir? Any help is greatly appreciated. 
> >> 
> >> Did you set alert_new_files on the server? It doesn't mean anything on 
> >> the agent. 
> >> I don't know if report_changes works on Windows. I didn't think so, 
> >> but I could be wrong. 
>
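
As an added example (not part of this thread and not OSSEC project code), here is a small Python lint that checks the two points raised above before an agent is deployed: that `<alert_new_files>yes</alert_new_files>` is present in the manager's `<syscheck>` block (it has no effect on an agent), and that `report_changes="yes"` is not being relied on for a Windows drive path, the combination that produced the `Unable to create directory` errors in the agent log. The sample configs are constructed for the example (the agent block is the one posted in the thread; the manager blocks are made up), and the "Windows path" heuristic is simply a leading drive letter. One detail the script handles that a naive XML parse does not: an ossec.conf may contain several top-level `<ossec_config>` elements, so the text is wrapped in a synthetic root first.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the agent config posted in the thread.
AGENT_CONF = r"""
<ossec_config>
  <syscheck>
    <alert_new_files>yes</alert_new_files>
    <directories realtime="yes" report_changes="yes" check_all="yes">C:\lou</directories>
    <ignore>C:\lou\logs</ignore>
  </syscheck>
</ossec_config>
"""

# Constructed sample: a manager ossec.conf with two top-level <ossec_config>
# blocks (legal for OSSEC, not a single well-formed XML document) and no
# alert_new_files setting.
MANAGER_CONF_BEFORE = r"""
<ossec_config>
  <syscheck>
    <frequency>7200</frequency>
  </syscheck>
</ossec_config>
<ossec_config>
  <global>
    <email_notification>no</email_notification>
  </global>
</ossec_config>
"""

# Constructed sample: the same manager config with the setting added.
MANAGER_CONF_AFTER = r"""
<ossec_config>
  <syscheck>
    <!-- Frequency that syscheck is executed - default to every 22 hours -->
    <frequency>7200</frequency>
    <alert_new_files>yes</alert_new_files>
    <auto_ignore>no</auto_ignore>
  </syscheck>
</ossec_config>
"""

# Heuristic (assumption): a path that starts with a drive letter is a Windows path.
WIN_DRIVE_PATH = re.compile(r"^[A-Za-z]:\\")


def parse_ossec_conf(text: str) -> ET.Element:
    """Parse ossec.conf / agent.conf text.

    OSSEC permits several top-level <ossec_config> elements in one file, so the
    text is wrapped in a synthetic <root> before handing it to the XML parser.
    """
    return ET.fromstring("<root>" + text + "</root>")


def _is_yes(elem: ET.Element) -> bool:
    return (elem.text or "").strip().lower() == "yes"


def syscheck_findings(manager_conf: str, agent_conf: str = "") -> list:
    """Return a list of human-readable problems with the syscheck setup."""
    findings = []

    manager = parse_ossec_conf(manager_conf)
    if not any(_is_yes(e) for e in manager.iter("alert_new_files")):
        findings.append(
            "manager: <alert_new_files>yes</alert_new_files> is missing from the "
            "<syscheck> block, so new files reported by agents will not alert")

    if agent_conf:
        agent = parse_ossec_conf(agent_conf)
        if any(_is_yes(e) for e in agent.iter("alert_new_files")):
            findings.append(
                "agent: <alert_new_files> has no effect on an agent; set it on the manager")
        for d in agent.iter("directories"):
            path = (d.text or "").strip()
            if d.get("report_changes", "no").lower() == "yes" and WIN_DRIVE_PATH.match(path):
                findings.append(
                    "agent: report_changes=\"yes\" on Windows path " + path + "; "
                    "the agent in this thread logged 'Unable to create directory' "
                    "errors for this combination, so verify it before relying on it")
    return findings


if __name__ == "__main__":
    for label, conf in (("before", MANAGER_CONF_BEFORE), ("after", MANAGER_CONF_AFTER)):
        print(label + ":")
        for f in syscheck_findings(conf, AGENT_CONF) or ["no findings"]:
            print("  - " + f)
```

Running it prints three findings for the "before" manager config (missing manager setting, redundant agent setting, report_changes on a Windows path) and two for the "after" config; the check of the manager alone passes once `<alert_new_files>` is set.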
