On Wed, Dec 19, 2012 at 10:45 AM, Lsilverman
<[email protected]> wrote:
> I am adding this now, I will test and let you know my results.
>
> I thought that the ossec.conf on the manager related to the agent running on
> the manager doing checks of itself? Similar to the ossec.conf file on any
> agent.
>
> Thanks
>
>

It does, but it also governs the alerts it sends out. Agents do not
create alerts, only the server.

>
> On Wednesday, December 19, 2012 10:26:10 AM UTC-5, dan (ddpbsd) wrote:
>>
>> On Wed, Dec 19, 2012 at 10:24 AM, Lsilverman
>> <[email protected]> wrote:
>> > I did not set it on the server. Where/how would I do that?
>> >
>> > Thanks for your quick response!!!!
>> >
>>
>> In the server's /var/ossec/etc/ossec.conf, in the <syscheck> block.
>>
>> http://www.ossec.net/doc/syntax/head_ossec_config.syscheck.html
>>
>>
>> From one of my ossec.confs:
>>
>>   <syscheck>
>>     <!-- Frequency that syscheck is executed - default to every 22 hours -->
>>     <frequency>7200</frequency>
>>     <alert_new_files>yes</alert_new_files>
>>     <auto_ignore>no</auto_ignore>
>>      ...
>>    </syscheck>
>>
>> >
>> >
>> > On Wednesday, December 19, 2012 10:22:00 AM UTC-5, dan (ddpbsd) wrote:
>> >>
>> >> On Wed, Dec 19, 2012 at 9:53 AM, Lsilverman
>> >> <[email protected]> wrote:
>> >> > Let me start off with: I love ossec. It's an amazing product if you take
>> >> > the time to learn it and tune it. My manager is a CentOS box and my agent
>> >> > in question is a Win 2003 R2 SP2 box.
>> >> >
>> >> > Syscheck seems to be very buggy, unless I am doing something wrong. There is
>> >> > a directory on my agent that should never ever change - c:\lou. There is a
>> >> > log dir within that dir which changes and should be ignored. I added this to
>> >> > that agent's ossec config:
>> >> >
>> >> > <ossec_config>
>> >> >  <syscheck>
>> >> >    <alert_new_files>yes</alert_new_files>
>> >> >    <directories realtime="yes" report_changes="yes" check_all="yes">C:\lou</directories>
>> >> >    <ignore>C:\lou\logs</ignore>
>> >> >   </syscheck>
>> >> > </ossec_config>
>> >> >
>> >> > I restarted ossec and I see the dir being monitored:
>> >> > 2012/12/18 17:06:26 ossec-agent: INFO: Monitoring directory: 'C:\lou'.
>> >> >
>> >> >
>> >> > I added a rule to my manager's local_rules.xml as a test to alert on new
>> >> > files:
>> >> >
>> >> > <group name="local,">
>> >> >  <rule id="554" level="14" overwrite="yes">
>> >> >   <if_group>syscheck</if_group>
>> >> >   <decoded_as>syscheck_new_entry</decoded_as>
>> >> >   <description>File added to an ossec monitored folder.</description>
>> >> >   <group>syscheck,</group>
>> >> >  </rule>
>> >> > </group>
>> >> >
>> >> > I added a few files to the folder and waited. I did not get any alerts
>> >> > but I did get this in my agent's log:
>> >> >
>> >> > 2012/12/18 17:26:35 ossec-agent(1107): ERROR: Unable to create directory: '/var/ossec/queue/diff/local/:\lou'
>> >> > 2012/12/18 17:26:35 ossec-agent(1124): ERROR: Unable to rename file: 'C:\lou/delmetest.txt'.
>> >> > 2012/12/18 17:26:35 ossec-agent(1107): ERROR: Unable to create directory: '/var/ossec/queue/diff/local/:\lou'
>> >> > 2012/12/18 17:26:35 ossec-agent(1124): ERROR: Unable to rename file: 'C:\lou/delme2.txt'.
>> >> > 2012/12/18 17:26:55 ossec-agent: INFO: Ending syscheck scan.
>> >> >
>> >> > Does anyone see an issue with my config? Ossec knows that those are new
>> >> > files, why do I not get an alert? Why is my windows ossec install looking
>> >> > for the /var dir? Any help is greatly appreciated.
>> >>
>> >> Did you set alert_new_files on the server? It doesn't mean anything on
>> >> the agent.
>> >> I don't know if report_changes works on Windows. I didn't think so,
>> >> but I could be wrong.
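As an added example, not code from this thread or from the OSSEC project: a small Python check that reads a manager's and an agent's ossec.conf and reports why syscheck new-file alerts could not fire, which is the misconfiguration discussed above (alert_new_files set on the agent only, while the option is honoured only by the manager). It assumes the usual ossec.conf layout of one or more top-level <ossec_config> blocks; the two sample configs are constructed.

```python
import xml.etree.ElementTree as ET
from typing import List, Optional


def parse_ossec_conf(text: str) -> ET.Element:
    # ossec.conf may hold several top-level <ossec_config> blocks, which is
    # not well-formed XML by itself, so wrap them in a synthetic root.
    return ET.fromstring("<root>" + text + "</root>")


def syscheck_option(conf: ET.Element, name: str) -> Optional[str]:
    # Last <syscheck> block that sets the option wins; None if never set.
    value = None
    for block in conf.iter("syscheck"):
        el = block.find(name)
        if el is not None and el.text:
            value = el.text.strip().lower()
    return value


def monitored_dirs(conf: ET.Element) -> List[str]:
    # A <directories> element may list several comma-separated paths.
    dirs = []
    for block in conf.iter("syscheck"):
        for el in block.findall("directories"):
            dirs += [d.strip() for d in (el.text or "").split(",") if d.strip()]
    return dirs


def check_new_file_alerts(manager_conf: str, agent_conf: str) -> List[str]:
    """Return findings explaining why new-file alerts cannot fire ([] = OK)."""
    manager, agent = parse_ossec_conf(manager_conf), parse_ossec_conf(agent_conf)
    findings = []
    if syscheck_option(manager, "alert_new_files") != "yes":
        findings.append("manager: alert_new_files is not 'yes', so new-file alerts are suppressed")
        if syscheck_option(agent, "alert_new_files") == "yes":
            findings.append("agent: alert_new_files is set here, but it only takes effect on the manager")
    if not monitored_dirs(agent):
        findings.append("agent: no <directories> entry, so syscheck has nothing to watch")
    return findings


# Constructed sample configs mirroring the thread: option set on the agent only.
AGENT_CONF = """<ossec_config><syscheck>
  <alert_new_files>yes</alert_new_files>
  <directories realtime="yes" check_all="yes">C:\\lou</directories>
  <ignore>C:\\lou\\logs</ignore>
</syscheck></ossec_config>"""
MANAGER_CONF = "<ossec_config><syscheck><frequency>7200</frequency></syscheck></ossec_config>"

if __name__ == "__main__":
    for finding in check_new_file_alerts(MANAGER_CONF, AGENT_CONF):
        print(finding)
```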