Here is a funky error... I changed my syscheck frequency from 72000s to
7200s and I could not start my agent - I got an error to check my
config. Changing it back to 72000 allowed me to start the agent. Any ideas?
Thanks
On 12/19/2012 11:19 AM, dan (ddp) wrote:
---------- Forwarded message ----------
From: dan (ddp) <[email protected]>
Date: Wed, Dec 19, 2012 at 11:17 AM
Subject: Re: [ossec-list] syscheck errors - Unable to create directory
and Unable to rename file
To: Lou Silverman <[email protected]>
On Wed, Dec 19, 2012 at 11:14 AM, Lou Silverman
<[email protected]> wrote:
It appears you are correct, report_changes is not available on Windows OS as
I am no longer getting those errors.
Thanks for the update, I'll update the docs.
I am now alerting on new files! Now to write the rules for modified files :)
If I change the syscheck frequency on my agent, do I have to change it on
the manager as well? What is the difference between changing it on either?
No, that setting is local. If you change it on the server it will only
affect the server's instance of ossec-syscheckd.
You're the best Dan! Thank you for everything. You should have a donate
button ;)
On 12/19/2012 10:46 AM, dan (ddp) wrote:
On Wed, Dec 19, 2012 at 10:45 AM, Lsilverman
<[email protected]> wrote:
I am adding this now, I will test and let you know my results.
I thought that the ossec.conf on the manager related to the agent running on
the manager doing checks of itself? Similar to the ossec.conf file on any agent.
Thanks
It does, but it also governs the alerts it sends out. Agents do not
create alerts, only the server.
On Wednesday, December 19, 2012 10:26:10 AM UTC-5, dan (ddpbsd) wrote:
On Wed, Dec 19, 2012 at 10:24 AM, Lsilverman
<[email protected]> wrote:
I did not set it on the server. Where/how would I do that?
Thanks for your quick response!!!!
In the server's /var/ossec/etc/ossec.conf, in the <syscheck> block.
http://www.ossec.net/doc/syntax/head_ossec_config.syscheck.html
From one of my ossec.confs:
<syscheck>
<!-- Frequency that syscheck is executed - default to every 22 hours -->
<frequency>7200</frequency>
<alert_new_files>yes</alert_new_files>
<auto_ignore>no</auto_ignore>
...
</syscheck>
On Wednesday, December 19, 2012 10:22:00 AM UTC-5, dan (ddpbsd) wrote:
On Wed, Dec 19, 2012 at 9:53 AM, Lsilverman
<[email protected]> wrote:
Let me start off with I love ossec. It's an amazing product if you take the
time to learn it and tune it. My manager is a CentOS box and my agent in
question is a Win 2003 R2 SP2 box.
Syscheck seems to be very buggy, unless I am doing something wrong. There is
a directory on my agent that should never ever change - c:\lou. There is a
log dir within that dir which changes and should be ignored. I added this to
that agent's ossec config:
<ossec_config>
<syscheck>
<alert_new_files>yes</alert_new_files>
<directories realtime="yes" report_changes="yes" check_all="yes">C:\lou</directories>
<ignore>C:\lou\logs</ignore>
</syscheck>
</ossec_config>
I restarted ossec and I see the dir being monitored:
2012/12/18 17:06:26 ossec-agent: INFO: Monitoring directory: 'C:\lou'.
I added a rule to my manager's local_rules.xml as a test to alert on new files:
<group name="local,">
<rule id="554" level="14" overwrite="yes">
<if_group>syscheck</if_group>
<decoded_as>syscheck_new_entry</decoded_as>
<description>File added to an ossec monitored folder.</description>
<group>syscheck,</group>
</rule>
</group>
I added a few files to the folder and waited. I did not get any alerts but I
did get this in my agent's log:
2012/12/18 17:26:35 ossec-agent(1107): ERROR: Unable to create directory: '/var/ossec/queue/diff/local/:\lou'
2012/12/18 17:26:35 ossec-agent(1124): ERROR: Unable to rename file: 'C:\lou/delmetest.txt'.
2012/12/18 17:26:35 ossec-agent(1107): ERROR: Unable to create directory: '/var/ossec/queue/diff/local/:\lou'
2012/12/18 17:26:35 ossec-agent(1124): ERROR: Unable to rename file: 'C:\lou/delme2.txt'.
2012/12/18 17:26:55 ossec-agent: INFO: Ending syscheck scan.
Does anyone see an issue with my config? Ossec knows that those are new
files, why do I not get an alert? Why is my Windows ossec install looking
for the /var dir? Any help is greatly appreciated.
Did you set alert_new_files on the server? It doesn't mean anything on
the agent.
I don't know if report_changes works on Windows. I didn't think so,
but I could be wrong.
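The two pitfalls the thread settles on (alert_new_files only has an effect in the server's ossec.conf, and report_changes does nothing on a Windows agent) are easy to catch with a quick config lint before restarting anything. The following Python script is an added example, not code from this thread or from the OSSEC project: it reads a syscheck block out of an ossec.conf, flags a non-numeric frequency, a server config without alert_new_files, alert_new_files set on an agent where it is ignored, and report_changes on a drive-letter path. The sample configs are constructed for the example (modelled on the C:\lou setup above), the function names are my own, and it assumes ossec.conf holds only element content (no XML declaration), so several top-level <ossec_config> blocks can be parsed by wrapping them in a synthetic root.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: an agent-side ossec.conf like the Windows agent in the thread.
AGENT_CONF = """<ossec_config>
  <syscheck>
    <frequency>7200</frequency>
    <alert_new_files>yes</alert_new_files>
    <directories realtime="yes" report_changes="yes" check_all="yes">C:\\lou</directories>
    <ignore>C:\\lou\\logs</ignore>
  </syscheck>
</ossec_config>
"""

# Constructed sample: a server-side ossec.conf that never enables alert_new_files.
SERVER_CONF_MISSING = """<ossec_config>
  <syscheck>
    <frequency>72000</frequency>
    <directories check_all="yes">/etc,/usr/bin</directories>
  </syscheck>
</ossec_config>
"""

# Constructed sample: the corrected server config.
SERVER_CONF_OK = """<ossec_config>
  <syscheck>
    <!-- Frequency that syscheck is executed - default to every 22 hours -->
    <frequency>72000</frequency>
    <alert_new_files>yes</alert_new_files>
    <auto_ignore>no</auto_ignore>
    <directories check_all="yes">/etc,/usr/bin</directories>
  </syscheck>
</ossec_config>
"""

# A path beginning with a drive letter is taken to belong to a Windows agent.
WINDOWS_PATH = re.compile(r"^[A-Za-z]:[\\/]")


def syscheck_blocks(conf_text):
    """Return every <syscheck> element in an ossec.conf body.

    ossec.conf may contain several top-level <ossec_config> elements, which is
    not well-formed XML, so the text is wrapped in a synthetic root first
    (assumption: no XML declaration precedes the content).
    """
    root = ET.fromstring("<root>" + conf_text + "</root>")
    return root.findall(".//syscheck")


def check_syscheck(conf_text, role):
    """Lint the syscheck configuration; role is 'server' or 'agent'.

    Returns a list of human-readable findings (empty list means nothing flagged).
    """
    findings = []
    blocks = syscheck_blocks(conf_text)
    if not blocks:
        return ["no <syscheck> block found"]

    for sc in blocks:
        freq = sc.findtext("frequency")
        # frequency is a number of seconds; anything else will not be accepted.
        if freq is not None and not freq.strip().isdigit():
            findings.append(f"frequency is not a positive integer: {freq!r}")

        alert = sc.findtext("alert_new_files")
        if role == "server" and (alert or "").strip().lower() != "yes":
            findings.append("alert_new_files is not 'yes' on the server; "
                            "new-file alerts are only generated there")
        if role == "agent" and alert is not None:
            findings.append("alert_new_files on an agent has no effect; "
                            "set it in the server's ossec.conf instead")

        for d in sc.findall("directories"):
            paths = [p.strip() for p in (d.text or "").split(",") if p.strip()]
            if d.get("report_changes", "no").strip().lower() == "yes":
                for p in paths:
                    if WINDOWS_PATH.match(p):
                        findings.append(f"report_changes='yes' on Windows path {p}: "
                                        "not supported on Windows agents")
    return findings


if __name__ == "__main__":
    for label, conf, role in (("agent", AGENT_CONF, "agent"),
                              ("server (missing)", SERVER_CONF_MISSING, "server"),
                              ("server (ok)", SERVER_CONF_OK, "server")):
        print(f"== {label} ==")
        for f in check_syscheck(conf, role) or ["no findings"]:
            print("  -", f)
```

Run it against your own files with `check_syscheck(open("/var/ossec/etc/ossec.conf").read(), "server")`; the point of splitting the check by role is that the same setting means different things on the manager and on an agent, which is exactly what tripped up the thread.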