---------- Forwarded message ----------
From: dan (ddp) <[email protected]>
Date: Wed, Dec 19, 2012 at 11:17 AM
Subject: Re: [ossec-list] syscheck errors - Unable to create directory and Unable to rename file
To: Lou Silverman <[email protected]>

On Wed, Dec 19, 2012 at 11:14 AM, Lou Silverman <[email protected]> wrote:
> It appears you are correct, report_changes is not available on Windows OS as I am no longer getting those errors.

Thanks for the update, I'll update the docs.

> I am now alerting on new files! Now to write the rules for modified files :)
> If I change the syscheck frequency on my agent, do I have to change it on the manager as well? What is the difference between changing it on either?

No, that setting is local. If you change it on the server it will only affect the server's instance of ossec-syscheckd.

> You're the best Dan! Thank you for everything. You should have a donate button ;)
>
> On 12/19/2012 10:46 AM, dan (ddp) wrote:
>> On Wed, Dec 19, 2012 at 10:45 AM, Lsilverman <[email protected]> wrote:
>>> I am adding this now, I will test and let you know my results.
>>>
>>> I thought that the ossec.conf on the manager related to the agent running on the manager doing checks of itself? Similar to the ossec.conf file on any agent.
>>>
>>> Thanks
>>
>> It does, but it also governs the alerts it sends out. Agents do not create alerts, only the server.
>>
>>> On Wednesday, December 19, 2012 10:26:10 AM UTC-5, dan (ddpbsd) wrote:
>>>> On Wed, Dec 19, 2012 at 10:24 AM, Lsilverman <[email protected]> wrote:
>>>>> I did not set it on the server. Where/how would I do that?
>>>>>
>>>>> Thanks for your quick response!!!!
>>>>
>>>> In the server's /var/ossec/etc/ossec.conf, in the <syscheck> block.
>>>>
>>>> http://www.ossec.net/doc/syntax/head_ossec_config.syscheck.html
>>>>
>>>> From one of my ossec.confs:
>>>>
>>>> <syscheck>
>>>>   <!-- Frequency that syscheck is executed - default to every 22 hours -->
>>>>   <frequency>7200</frequency>
>>>>   <alert_new_files>yes</alert_new_files>
>>>>   <auto_ignore>no</auto_ignore>
>>>>   ...
>>>> </syscheck>
>>>>
>>>>> On Wednesday, December 19, 2012 10:22:00 AM UTC-5, dan (ddpbsd) wrote:
>>>>>> On Wed, Dec 19, 2012 at 9:53 AM, Lsilverman <[email protected]> wrote:
>>>>>>> Let me start off with I love ossec. It's an amazing product if you take the time to learn it and tune it. My manager is a CentOS box and my agent in question is a Win 2003 R2 SP2 box.
>>>>>>>
>>>>>>> Syscheck seems to be very buggy, unless I am doing something wrong. There is a directory on my agent that should never ever change - c:\lou. There is a log dir within that dir which changes and should be ignored. I added this to that agent's ossec config:
>>>>>>>
>>>>>>> <ossec_config>
>>>>>>>   <syscheck>
>>>>>>>     <alert_new_files>yes</alert_new_files>
>>>>>>>     <directories realtime="yes" report_changes="yes" check_all="yes">C:\lou</directories>
>>>>>>>     <ignore>C:\lou\logs</ignore>
>>>>>>>   </syscheck>
>>>>>>> </ossec_config>
>>>>>>>
>>>>>>> I restarted ossec and I see the dir being monitored:
>>>>>>> 2012/12/18 17:06:26 ossec-agent: INFO: Monitoring directory: 'C:\lou'.
>>>>>>>
>>>>>>> I added a rule to my manager's local_rules.xml as a test to alert on new files:
>>>>>>>
>>>>>>> <group name="local,">
>>>>>>>   <rule id="554" level="14" overwrite="yes">
>>>>>>>     <if_group>syscheck</if_group>
>>>>>>>     <decoded_as>syscheck_new_entry</decoded_as>
>>>>>>>     <description>File added to an ossec monitored folder.</description>
>>>>>>>     <group>syscheck,</group>
>>>>>>>   </rule>
>>>>>>> </group>
>>>>>>>
>>>>>>> I added a few files to the folder and waited. I did not get any alerts but I did get this in my agent's log:
>>>>>>>
>>>>>>> 2012/12/18 17:26:35 ossec-agent(1107): ERROR: Unable to create directory: '/var/ossec/queue/diff/local/:\lou'
>>>>>>> 2012/12/18 17:26:35 ossec-agent(1124): ERROR: Unable to rename file: 'C:\lou/delmetest.txt'.
>>>>>>> 2012/12/18 17:26:35 ossec-agent(1107): ERROR: Unable to create directory: '/var/ossec/queue/diff/local/:\lou'
>>>>>>> 2012/12/18 17:26:35 ossec-agent(1124): ERROR: Unable to rename file: 'C:\lou/delme2.txt'.
>>>>>>> 2012/12/18 17:26:55 ossec-agent: INFO: Ending syscheck scan.
>>>>>>>
>>>>>>> Does anyone see an issue with my config? Ossec knows that those are new files, why do I not get an alert? Why is my windows ossec install looking for the /var dir? Any help is greatly appreciated.
>>>>>>
>>>>>> Did you set alert_new_files on the server? It doesn't mean anything on the agent.
>>>>>> I don't know if report_changes works on Windows. I didn't think so, but I could be wrong.
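The following is an added example, not code from the thread or from the OSSEC project. It turns the two points Dan makes above into a small Python checker: report_changes is not available on a Windows agent (and in Lou's case coincided with the "Unable to create directory" / "Unable to rename file" errors), and alert_new_files has to be set in the manager's ossec.conf because only the server raises alerts. The sample config blocks and log lines are constructed copies of what the thread shows; the check messages encode only what the thread states.

```python
"""Sanity checks for an OSSEC syscheck setup (added example, not OSSEC code)."""
import re
import xml.etree.ElementTree as ET

# Constructed copy of the Windows agent config posted in the thread.
AGENT_CONF = """<ossec_config>
  <syscheck>
    <alert_new_files>yes</alert_new_files>
    <directories realtime="yes" report_changes="yes" check_all="yes">C:\\lou</directories>
    <ignore>C:\\lou\\logs</ignore>
  </syscheck>
</ossec_config>"""

# Constructed manager config that forgot alert_new_files.
MANAGER_CONF_MISSING = """<ossec_config>
  <syscheck>
    <frequency>7200</frequency>
    <auto_ignore>no</auto_ignore>
  </syscheck>
</ossec_config>"""

# Constructed manager config modelled on the snippet Dan posted.
MANAGER_CONF_OK = """<ossec_config>
  <syscheck>
    <frequency>7200</frequency>
    <alert_new_files>yes</alert_new_files>
    <auto_ignore>no</auto_ignore>
  </syscheck>
</ossec_config>"""

# Constructed copy of the agent log lines quoted in the thread.
AGENT_LOG = """2012/12/18 17:26:35 ossec-agent(1107): ERROR: Unable to create directory: '/var/ossec/queue/diff/local/:\\lou'
2012/12/18 17:26:35 ossec-agent(1124): ERROR: Unable to rename file: 'C:\\lou/delmetest.txt'.
2012/12/18 17:26:55 ossec-agent: INFO: Ending syscheck scan."""


def syscheck_block(conf_xml):
    """Return the <syscheck> element whether or not it is wrapped in <ossec_config>."""
    root = ET.fromstring(conf_xml)
    block = root if root.tag == "syscheck" else root.find("syscheck")
    if block is None:
        raise ValueError("no <syscheck> block found")
    return block


def check_agent_conf(conf_xml, windows=True):
    """Findings for an agent-side ossec.conf, as a list of strings."""
    findings = []
    block = syscheck_block(conf_xml)
    for d in block.findall("directories"):
        if windows and d.get("report_changes", "no").strip().lower() == "yes":
            findings.append(
                f"report_changes=yes on {d.text!r}: not available on Windows agents, remove it")
    if block.find("alert_new_files") is not None:
        findings.append(
            "alert_new_files on an agent has no effect; set it in the manager's ossec.conf")
    return findings


def check_manager_conf(conf_xml):
    """Findings for the manager's ossec.conf; only the server raises alerts."""
    findings = []
    anf = syscheck_block(conf_xml).find("alert_new_files")
    if anf is None or (anf.text or "").strip().lower() != "yes":
        findings.append(
            "alert_new_files is not 'yes' on the manager, so new files will not alert")
    return findings


def harden_windows_agent_conf(conf_xml):
    """Return the agent config with report_changes dropped from every <directories>."""
    root = ET.fromstring(conf_xml)
    for d in root.iter("directories"):
        d.attrib.pop("report_changes", None)
    return ET.tostring(root, encoding="unicode")


# Matches 'ossec-agent(<code>): ERROR: <message>' lines; codes 1107/1124 are the
# two that appeared in the thread alongside report_changes on Windows.
LOG_RE = re.compile(r"^(?P<ts>\S+ \S+) ossec-agent\((?P<code>\d+)\): ERROR: (?P<msg>.*)$")


def diff_queue_errors(log_text):
    """Return (code, message) for the 1107/1124 ERROR lines in an agent log."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group("code") in ("1107", "1124"):
            hits.append((m.group("code"), m.group("msg")))
    return hits


if __name__ == "__main__":
    for f in check_agent_conf(AGENT_CONF):
        print("agent:", f)
    for f in check_manager_conf(MANAGER_CONF_MISSING):
        print("manager:", f)
    for code, msg in diff_queue_errors(AGENT_LOG):
        print(f"log {code}: {msg}")
    print(harden_windows_agent_conf(AGENT_CONF))
```

Run it against a real ossec.conf by reading the file into `check_agent_conf` or `check_manager_conf`; on a Linux agent pass `windows=False` so report_changes is not flagged.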
