On Wed, Dec 19, 2012 at 11:26 AM, dan (ddp) <[email protected]> wrote:
> On Wed, Dec 19, 2012 at 11:19 AM, Lou Silverman
> <[email protected]> wrote:
>> Here is a funky error... I changed my syscheck frequency from 72000s to
>> 7200s and I could not start my agent - I got an error to check my config.
>> Changing it back to 72000 allowed me to start the agent. Any ideas?
>>
>> Thanks
>>
>> Lou
>>
>
> Nope. Can you provide the exact error?
>
I just checked one of my agents and it's set to 7200:
<syscheck>
<frequency>7200</frequency>
...
</syscheck>
>>
>>
>> On 12/19/2012 11:17 AM, dan (ddp) wrote:
>>>
>>> On Wed, Dec 19, 2012 at 11:14 AM, Lou Silverman
>>> <[email protected]> wrote:
>>>>
>>>> It appears you are correct, report_changes is not available on Windows OS
>>>> as I am no longer getting those errors.
>>>>
>>> Thanks for the update, I'll update the docs.
>>>
>>>> I am now alerting on new files! Now to write the rules for modified files :)
>>>> If I change the syscheck frequency on my agent, do I have to change it on
>>>> the manager as well? What is the difference between changing it on either?
>>>>
>>> No, that setting is local. If you change it on the server it will only
>>> affect the server's instance of ossec-syscheckd.
>>>
>>>> You're the best Dan! Thank you for everything. You should have a donate
>>>> button ;)
>>>>
>>>>
>>>>
>>>> On 12/19/2012 10:46 AM, dan (ddp) wrote:
>>>>>
>>>>> On Wed, Dec 19, 2012 at 10:45 AM, Lsilverman
>>>>> <[email protected]> wrote:
>>>>>>
>>>>>> I am adding this now, I will test and let you know my results.
>>>>>>
>>>>>> I thought that the ossec.conf on the manager related to the agent running
>>>>>> on the manager doing checks of itself? Similar to the ossec.conf file on
>>>>>> any agent.
>>>>>>
>>>>>> Thanks
>>>>>>
>>>>>>
>>>>> It does, but it also governs the alerts it sends out. Agents do not
>>>>> create alerts, only the server.
>>>>>
>>>>>> On Wednesday, December 19, 2012 10:26:10 AM UTC-5, dan (ddpbsd) wrote:
>>>>>>>
>>>>>>> On Wed, Dec 19, 2012 at 10:24 AM, Lsilverman
>>>>>>> <[email protected]> wrote:
>>>>>>>>
>>>>>>>> I did not set it on the server. Where/how would I do that?
>>>>>>>>
>>>>>>>> Thanks for your quick response!!!!
>>>>>>>>
>>>>>>> In the server's /var/ossec/etc/ossec.conf, in the <syscheck> block.
>>>>>>>
>>>>>>> http://www.ossec.net/doc/syntax/head_ossec_config.syscheck.html
>>>>>>>
>>>>>>>
>>>>>>> From one of my ossec.confs:
>>>>>>>
>>>>>>> <syscheck>
>>>>>>> <!-- Frequency that syscheck is executed - default to every 22 hours -->
>>>>>>> <frequency>7200</frequency>
>>>>>>> <alert_new_files>yes</alert_new_files>
>>>>>>> <auto_ignore>no</auto_ignore>
>>>>>>> ...
>>>>>>> </syscheck>
>>>>>>>
>>>>>>>> On Wednesday, December 19, 2012 10:22:00 AM UTC-5, dan (ddpbsd)
>>>>>>>> wrote:
>>>>>>>>>
>>>>>>>>> On Wed, Dec 19, 2012 at 9:53 AM, Lsilverman
>>>>>>>>> <[email protected]> wrote:
>>>>>>>>>>
>>>>>>>>>> Let me start off with I love ossec, it's an amazing product if you
>>>>>>>>>> take the time to learn it and tune it. My manager is a CentOS box and
>>>>>>>>>> my agent in question is a Win 2003 R2 SP2 box.
>>>>>>>>>>
>>>>>>>>>> Syscheck seems to be very buggy, unless I am doing something wrong.
>>>>>>>>>> There is a directory on my agent that should never ever change - c:\lou.
>>>>>>>>>> There is a log dir within that dir which changes and should be ignored.
>>>>>>>>>> I added this to that agent's ossec config:
>>>>>>>>>>
>>>>>>>>>> <ossec_config>
>>>>>>>>>> <syscheck>
>>>>>>>>>> <alert_new_files>yes</alert_new_files>
>>>>>>>>>> <directories realtime="yes" report_changes="yes" check_all="yes">C:\lou</directories>
>>>>>>>>>> <ignore>C:\lou\logs</ignore>
>>>>>>>>>> </syscheck>
>>>>>>>>>> </ossec_config>
>>>>>>>>>>
>>>>>>>>>> I restarted ossec and I see the dir being monitored:
>>>>>>>>>> 2012/12/18 17:06:26 ossec-agent: INFO: Monitoring directory: 'C:\lou'.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> I added a rule to my manager's local_rules.xml as a test to alert on
>>>>>>>>>> new files:
>>>>>>>>>>
>>>>>>>>>> <group name="local,">
>>>>>>>>>> <rule id="554" level="14" overwrite="yes">
>>>>>>>>>> <if_group>syscheck</if_group>
>>>>>>>>>> <decoded_as>syscheck_new_entry</decoded_as>
>>>>>>>>>> <description>File added to an ossec monitored folder.</description>
>>>>>>>>>> <group>syscheck,</group>
>>>>>>>>>> </rule>
>>>>>>>>>> </group>
>>>>>>>>>>
>>>>>>>>>> I added a few files to the folder and waited. I did not get any alerts
>>>>>>>>>> but I did get this in my agent's log:
>>>>>>>>>>
>>>>>>>>>> 2012/12/18 17:26:35 ossec-agent(1107): ERROR: Unable to create directory: '/var/ossec/queue/diff/local/:\lou'
>>>>>>>>>> 2012/12/18 17:26:35 ossec-agent(1124): ERROR: Unable to rename file: 'C:\lou/delmetest.txt'.
>>>>>>>>>> 2012/12/18 17:26:35 ossec-agent(1107): ERROR: Unable to create directory: '/var/ossec/queue/diff/local/:\lou'
>>>>>>>>>> 2012/12/18 17:26:35 ossec-agent(1124): ERROR: Unable to rename file: 'C:\lou/delme2.txt'.
>>>>>>>>>> 2012/12/18 17:26:55 ossec-agent: INFO: Ending syscheck scan.
>>>>>>>>>>
>>>>>>>>>> Does anyone see an issue with my config? Ossec knows that those are
>>>>>>>>>> new files, why do I not get an alert? Why is my windows ossec install
>>>>>>>>>> looking for the /var dir? Any help is greatly appreciated.
>>>>>>>>>
>>>>>>>>> Did you set alert_new_files on the server? It doesn't mean anything on
>>>>>>>>> the agent.
>>>>>>>>> I don't know if report_changes works on Windows. I didn't think so,
>>>>>>>>> but I could be wrong.
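An added example (not from this thread or the OSSEC project) that lints an agent-side <syscheck> block for the two points Dan makes above: report_changes on a Windows drive-letter path, and alert_new_files in an agent's config where it has no effect. It uses only the Python standard library; the sample config is the fragment Lou posted, reconstructed inline, and the role names 'agent'/'server' are this script's own convention.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the Windows agent's syscheck block posted in the thread.
AGENT_CONF = r"""<ossec_config>
<syscheck>
<frequency>7200</frequency>
<alert_new_files>yes</alert_new_files>
<directories realtime="yes" report_changes="yes" check_all="yes">C:\lou</directories>
<ignore>C:\lou\logs</ignore>
</syscheck>
</ossec_config>"""


def is_windows_path(path):
    # Drive-letter paths only (C:\lou); UNC paths are not considered here.
    return len(path) >= 2 and path[0].isalpha() and path[1] == ":"


def check_syscheck(conf_xml, role):
    """Lint one ossec.conf fragment; role is 'agent' or 'server'.
    Returns a list of (code, message) tuples, empty when nothing is flagged."""
    findings = []
    syscheck = ET.fromstring(conf_xml).find("syscheck")
    if syscheck is None:
        return [("no-syscheck", "no <syscheck> block found")]
    freq = syscheck.findtext("frequency")
    if freq is not None and not freq.strip().isdigit():
        findings.append(("bad-frequency",
                         "frequency must be a whole number of seconds, got %r" % freq))
    # alert_new_files is evaluated by the server when it builds alerts;
    # in an agent's config it does nothing (per Dan's reply in the thread).
    if role == "agent" and syscheck.find("alert_new_files") is not None:
        findings.append(("alert_new_files-on-agent",
                         "alert_new_files only takes effect in the server's ossec.conf"))
    for d in syscheck.findall("directories"):
        path = (d.text or "").strip()
        if d.get("report_changes") == "yes" and is_windows_path(path):
            findings.append(("report_changes-on-windows",
                             "report_changes is not available on Windows agents; "
                             "expect ossec-agent(1107)/(1124) errors for %s" % path))
    return findings


if __name__ == "__main__":
    for code, msg in check_syscheck(AGENT_CONF, "agent"):
        print("%s: %s" % (code, msg))
```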