On Wed, Dec 19, 2012 at 10:45 AM, Lsilverman <[email protected]> wrote:
> I am adding this now, I will test and let you know my results.
>
> I thought that the ossec.conf on the manager related to the agent running on
> the manager doing checks of itself? Similar to the ossec.conf file on any
> agent.
>
> Thanks
>

It does, but it also governs the alerts it sends out. Agents do not create
alerts, only the server.

>
> On Wednesday, December 19, 2012 10:26:10 AM UTC-5, dan (ddpbsd) wrote:
>>
>> On Wed, Dec 19, 2012 at 10:24 AM, Lsilverman
>> <[email protected]> wrote:
>> > I did not set it on the server. Where/how would I do that?
>> >
>> > Thanks for your quick response!!!!
>> >
>>
>> In the server's /var/ossec/etc/ossec.conf, in the <syscheck> block.
>> http://www.ossec.net/doc/syntax/head_ossec_config.syscheck.html
>>
>> From one of my ossec.confs:
>>
>> <syscheck>
>>   <!-- Frequency that syscheck is executed - default to every 22 hours -->
>>   <frequency>7200</frequency>
>>   <alert_new_files>yes</alert_new_files>
>>   <auto_ignore>no</auto_ignore>
>>   ...
>> </syscheck>
>>
>> >
>> >
>> > On Wednesday, December 19, 2012 10:22:00 AM UTC-5, dan (ddpbsd) wrote:
>> >>
>> >> On Wed, Dec 19, 2012 at 9:53 AM, Lsilverman
>> >> <[email protected]> wrote:
>> >> > Let me start off with I love ossec. It's an amazing product if you
>> >> > take the time to learn it and tune it. My manager is a CentOS box and
>> >> > my agent in question is a Win 2003 R2 SP2 box.
>> >> >
>> >> > Syscheck seems to be very buggy, unless I am doing something wrong.
>> >> > There is a directory on my agent that should never ever change -
>> >> > c:\lou. There is a log dir within that dir which changes and should
>> >> > be ignored. I added this to that agent's ossec config:
>> >> >
>> >> > <ossec_config>
>> >> >   <syscheck>
>> >> >     <alert_new_files>yes</alert_new_files>
>> >> >     <directories realtime="yes" report_changes="yes" check_all="yes">C:\lou</directories>
>> >> >     <ignore>C:\lou\logs</ignore>
>> >> >   </syscheck>
>> >> > </ossec_config>
>> >> >
>> >> > I restarted ossec and I see the dir being monitored:
>> >> > 2012/12/18 17:06:26 ossec-agent: INFO: Monitoring directory: 'C:\lou'.
>> >> >
>> >> >
>> >> > I added a rule to my manager's local_rules.xml as a test to alert on
>> >> > new files:
>> >> >
>> >> > <group name="local,">
>> >> >   <rule id="554" level="14" overwrite="yes">
>> >> >     <if_group>syscheck</if_group>
>> >> >     <decoded_as>syscheck_new_entry</decoded_as>
>> >> >     <description>File added to an ossec monitored folder.</description>
>> >> >     <group>syscheck,</group>
>> >> >   </rule>
>> >> > </group>
>> >> >
>> >> > I added a few files to the folder and waited. I did not get any
>> >> > alerts but I did get this in my agent's log:
>> >> >
>> >> > 2012/12/18 17:26:35 ossec-agent(1107): ERROR: Unable to create directory: '/var/ossec/queue/diff/local/:\lou'
>> >> > 2012/12/18 17:26:35 ossec-agent(1124): ERROR: Unable to rename file: 'C:\lou/delmetest.txt'.
>> >> > 2012/12/18 17:26:35 ossec-agent(1107): ERROR: Unable to create directory: '/var/ossec/queue/diff/local/:\lou'
>> >> > 2012/12/18 17:26:35 ossec-agent(1124): ERROR: Unable to rename file: 'C:\lou/delme2.txt'.
>> >> > 2012/12/18 17:26:55 ossec-agent: INFO: Ending syscheck scan.
>> >> >
>> >> > Does anyone see an issue with my config? Ossec knows that those are
>> >> > new files, why do I not get an alert? Why is my Windows ossec install
>> >> > looking for the /var dir? Any help is greatly appreciated.
>> >>
>> >> Did you set alert_new_files on the server? It doesn't mean anything on
>> >> the agent.
>> >> I don't know if report_changes works on Windows. I didn't think so,
>> >> but I could be wrong.
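The thread turns on three things that are easy to get wrong and easy to check mechanically: alert_new_files only matters in the manager's ossec.conf (agents do not generate alerts), a local rule that redefines a built-in id such as 554 must carry overwrite="yes" to supersede it, and the agent log shows the 1107/1124 errors when report_changes cannot create its diff directory for a Windows path. The Python below is an added example, not code from the thread or from the OSSEC project. It assumes nothing about OSSEC beyond what the thread shows; the function names, the synthetic <root> wrapper (OSSEC files may hold several top-level <ossec_config> or <group> elements, which plain XML parsers reject), the sample configs, and the sample log lines are constructed here, with the log lines adapted from the ones quoted above.

```python
"""Lint OSSEC manager/agent config, local rules and agent log for the
misconfigurations discussed in the thread. Added example; constructed inputs."""
import re
import xml.etree.ElementTree as ET

def parse_ossec_xml(text):
    # OSSEC config and rule files are XML fragments with several top-level
    # elements, so wrap them in a synthetic root before parsing.
    return ET.fromstring("<root>" + text + "</root>")

def server_alerts_new_files(conf_text):
    """True only if some <syscheck> block sets <alert_new_files>yes</alert_new_files>.
    Run this against the MANAGER's ossec.conf; on an agent the flag is inert."""
    root = parse_ossec_xml(conf_text)
    return any((sc.findtext("alert_new_files") or "").strip().lower() == "yes"
               for sc in root.iter("syscheck"))

def rule_overwrite_issues(rules_text, builtin_ids):
    """Ids in local rules that reuse a built-in rule id without overwrite="yes"."""
    root = parse_ossec_xml(rules_text)
    return [r.get("id") for r in root.iter("rule")
            if r.get("id") in builtin_ids
            and r.get("overwrite", "no").lower() != "yes"]

def report_changes_windows_dirs(conf_text):
    """Monitored Windows drive paths that have report_changes="yes" set.
    The thread shows this producing diff-directory errors on the agent,
    so these entries deserve a look when alerts are missing."""
    root = parse_ossec_xml(conf_text)
    flagged = []
    for d in root.iter("directories"):
        if d.get("report_changes", "no").lower() != "yes":
            continue
        for path in (d.text or "").split(","):
            path = path.strip()
            if len(path) >= 2 and path[0].isalpha() and path[1] == ":":
                flagged.append(path)
    return flagged

# "ossec-agent(1107): ERROR: Unable to create directory: '...'" style lines.
AGENT_ERROR_RE = re.compile(r"ossec-agent\((\d+)\): ERROR: (.*)$")

def agent_diff_errors(log_text):
    """(error code, message) pairs for ERROR lines in the agent log."""
    return [m.groups() for line in log_text.splitlines()
            for m in [AGENT_ERROR_RE.search(line)] if m]

# ---- constructed samples (not the thread's real files) ----
SERVER_CONF_BEFORE = """
<ossec_config>
  <syscheck>
    <frequency>7200</frequency>
  </syscheck>
</ossec_config>
<ossec_config>
  <syscheck>
    <directories check_all="yes">/etc,/usr/bin</directories>
  </syscheck>
</ossec_config>
"""
SERVER_CONF_AFTER = SERVER_CONF_BEFORE.replace(
    "<frequency>7200</frequency>",
    "<frequency>7200</frequency>\n    <alert_new_files>yes</alert_new_files>")

AGENT_CONF = r"""
<ossec_config>
  <syscheck>
    <alert_new_files>yes</alert_new_files>
    <directories realtime="yes" report_changes="yes" check_all="yes">C:\lou</directories>
    <ignore>C:\lou\logs</ignore>
  </syscheck>
</ossec_config>
"""
LOCAL_RULES = """
<group name="local,">
  <rule id="554" level="14" overwrite="yes">
    <if_group>syscheck</if_group>
    <decoded_as>syscheck_new_entry</decoded_as>
    <description>File added to an ossec monitored folder.</description>
  </rule>
  <rule id="550" level="10">
    <if_group>syscheck</if_group>
    <description>Constructed: redefines a built-in id without overwrite.</description>
  </rule>
</group>
"""
# Assumption: 550 and 554 are OSSEC's own syscheck rule ids (554 is the one in the thread).
BUILTIN_SYSCHECK_IDS = frozenset({"550", "554"})

AGENT_LOG = r"""
2012/12/18 17:06:26 ossec-agent: INFO: Monitoring directory: 'C:\lou'.
2012/12/18 17:26:35 ossec-agent(1107): ERROR: Unable to create directory: '/var/ossec/queue/diff/local/:\lou'
2012/12/18 17:26:35 ossec-agent(1124): ERROR: Unable to rename file: 'C:\lou/delmetest.txt'.
2012/12/18 17:26:55 ossec-agent: INFO: Ending syscheck scan.
"""

if __name__ == "__main__":
    print("manager alerts on new files (before):", server_alerts_new_files(SERVER_CONF_BEFORE))
    print("manager alerts on new files (after): ", server_alerts_new_files(SERVER_CONF_AFTER))
    print("rules missing overwrite:", rule_overwrite_issues(LOCAL_RULES, BUILTIN_SYSCHECK_IDS))
    print("report_changes on Windows paths:", report_changes_windows_dirs(AGENT_CONF))
    for code, msg in agent_diff_errors(AGENT_LOG):
        print("agent error", code, "->", msg)
```

Point the three config functions at the manager's /var/ossec/etc/ossec.conf and local_rules.xml and at each agent's ossec.conf respectively; the log scanner is meant for the agent's own ossec.log, where the 1107/1124 pair is the signal that report_changes is failing rather than that the files went unnoticed.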
