On Wed, Dec 19, 2012 at 11:19 AM, Lou Silverman <[email protected]> wrote:
> Here is a funky error... I changed my syscheck frequency from 72000s to
> 7200s and I could not start my agent - I got an error to check my config.
> Changing it back to 72000 allowed me to start the agent. Any ideas?
>
> Thanks
>
> Lou
>

Nope. Can you provide the exact error?

>
> On 12/19/2012 11:17 AM, dan (ddp) wrote:
>>
>> On Wed, Dec 19, 2012 at 11:14 AM, Lou Silverman
>> <[email protected]> wrote:
>>>
>>> It appears you are correct, report_changes is not available on Windows OS
>>> as I am no longer getting those errors.
>>>
>> Thanks for the update, I'll update the docs.
>>
>>> I am now alerting on new files! Now to write the rules for modified files
>>> :)
>>> If I change the syscheck frequency on my agent, do I have to change it on
>>> the manager as well? What is the difference between changing it on either?
>>>
>> No, that setting is local. If you change it on the server it will only
>> affect the server's instance of ossec-syscheckd.
>>
>>> You're the best Dan! Thank you for everything. You should have a donate
>>> button ;)
>>>
>>> On 12/19/2012 10:46 AM, dan (ddp) wrote:
>>>>
>>>> On Wed, Dec 19, 2012 at 10:45 AM, Lsilverman
>>>> <[email protected]> wrote:
>>>>>
>>>>> I am adding this now, I will test and let you know my results.
>>>>>
>>>>> I thought that the ossec.conf on the manager related to the agent
>>>>> running on the manager doing checks of itself? Similar to the
>>>>> ossec.conf file on any agent.
>>>>>
>>>>> Thanks
>>>>>
>>>> It does, but it also governs the alerts it sends out. Agents do not
>>>> create alerts, only the server.
>>>>
>>>>> On Wednesday, December 19, 2012 10:26:10 AM UTC-5, dan (ddpbsd) wrote:
>>>>>>
>>>>>> On Wed, Dec 19, 2012 at 10:24 AM, Lsilverman
>>>>>> <[email protected]> wrote:
>>>>>>>
>>>>>>> I did not set it on the server. Where/how would I do that?
>>>>>>>
>>>>>>> Thanks for your quick response!!!!
>>>>>>>
>>>>>> In the server's /var/ossec/etc/ossec.conf, in the <syscheck> block.
>>>>>>
>>>>>> http://www.ossec.net/doc/syntax/head_ossec_config.syscheck.html
>>>>>>
>>>>>> From one of my ossec.confs:
>>>>>>
>>>>>> <syscheck>
>>>>>>   <!-- Frequency that syscheck is executed - default to every 22 hours -->
>>>>>>   <frequency>7200</frequency>
>>>>>>   <alert_new_files>yes</alert_new_files>
>>>>>>   <auto_ignore>no</auto_ignore>
>>>>>>   ...
>>>>>> </syscheck>
>>>>>>
>>>>>>> On Wednesday, December 19, 2012 10:22:00 AM UTC-5, dan (ddpbsd) wrote:
>>>>>>>>
>>>>>>>> On Wed, Dec 19, 2012 at 9:53 AM, Lsilverman
>>>>>>>> <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>> Let me start off with I love ossec, it's an amazing product if you
>>>>>>>>> take the time to learn it and tune it. My manager is a CentOS box
>>>>>>>>> and my agent in question is a Win 2003 R2 SP2 box.
>>>>>>>>>
>>>>>>>>> Syscheck seems to be very buggy, unless I am doing something wrong.
>>>>>>>>> There is a directory on my agent that should never ever change -
>>>>>>>>> c:\lou. There is a log dir within that dir which changes and should
>>>>>>>>> be ignored. I added this to that agent's ossec config:
>>>>>>>>>
>>>>>>>>> <ossec_config>
>>>>>>>>>   <syscheck>
>>>>>>>>>     <alert_new_files>yes</alert_new_files>
>>>>>>>>>     <directories realtime="yes" report_changes="yes" check_all="yes">C:\lou</directories>
>>>>>>>>>     <ignore>C:\lou\logs</ignore>
>>>>>>>>>   </syscheck>
>>>>>>>>> </ossec_config>
>>>>>>>>>
>>>>>>>>> I restarted ossec and I see the dir being monitored:
>>>>>>>>> 2012/12/18 17:06:26 ossec-agent: INFO: Monitoring directory: 'C:\lou'.
>>>>>>>>>
>>>>>>>>> I added a rule to my manager's local_rules.xml as a test to alert
>>>>>>>>> on new files:
>>>>>>>>>
>>>>>>>>> <group name="local,">
>>>>>>>>>   <rule id="554" level="14" overwrite="yes">
>>>>>>>>>     <if_group>syscheck</if_group>
>>>>>>>>>     <decoded_as>syscheck_new_entry</decoded_as>
>>>>>>>>>     <description>File added to an ossec monitored folder.</description>
>>>>>>>>>     <group>syscheck,</group>
>>>>>>>>>   </rule>
>>>>>>>>> </group>
>>>>>>>>>
>>>>>>>>> I added a few files to the folder and waited. I did not get any
>>>>>>>>> alerts but I did get this in my agent's log:
>>>>>>>>>
>>>>>>>>> 2012/12/18 17:26:35 ossec-agent(1107): ERROR: Unable to create directory: '/var/ossec/queue/diff/local/:\lou'
>>>>>>>>> 2012/12/18 17:26:35 ossec-agent(1124): ERROR: Unable to rename file: 'C:\lou/delmetest.txt'.
>>>>>>>>> 2012/12/18 17:26:35 ossec-agent(1107): ERROR: Unable to create directory: '/var/ossec/queue/diff/local/:\lou'
>>>>>>>>> 2012/12/18 17:26:35 ossec-agent(1124): ERROR: Unable to rename file: 'C:\lou/delme2.txt'.
>>>>>>>>> 2012/12/18 17:26:55 ossec-agent: INFO: Ending syscheck scan.
>>>>>>>>>
>>>>>>>>> Does anyone see an issue with my config? Ossec knows that those are
>>>>>>>>> new files, why do I not get an alert? Why is my windows ossec install
>>>>>>>>> looking for the /var dir? Any help is greatly appreciated.
>>>>>>>>
>>>>>>>> Did you set alert_new_files on the server? It doesn't mean anything
>>>>>>>> on the agent.
>>>>>>>> I don't know if report_changes works on Windows. I didn't think so,
>>>>>>>> but I could be wrong.