Here is a snippet of my config:
<!-- Syscheck - Integrity Checking config. -->
<syscheck>
<!-- Default frequency, every 20 hours. It doesn't need to be higher
- on most systems and once a day should be enough.
-->
<frequency>7200</frequency>
<!-- By default it is disabled. In the Install you must choose
- to enable it.
-->
<disabled>no</disabled>
</syscheck>
I restart the server and I get "Error -- Unable to start OSSEC (check
config)". If I change 7200 to 72000 it works. If I change 7200 to 07200
it also works! However, I am uneasy: will it actually check every
7200s, or will that leading 0 cause problems? I am on Windows agent 2.6;
are you on 2.6 or 2.7?
Thanks
Lou
On 12/19/2012 11:26 AM, dan (ddp) wrote:
On Wed, Dec 19, 2012 at 11:19 AM, Lou Silverman wrote:
Here is a funky error... I changed my syscheck frequency from 72000s to
7200s and I could not start my agent - I got an error to check my config.
Changing it back to 72000 allowed me to start the agent. Any ideas?
Thanks
Lou
Nope. Can you provide the exact error?
On 12/19/2012 11:17 AM, dan (ddp) wrote:
On Wed, Dec 19, 2012 at 11:14 AM, Lou Silverman wrote:
It appears you are correct, report_changes is not available on Windows OS,
as I am no longer getting those errors.
Thanks for the update, I'll update the docs.
I am now alerting on new files! Now to write the rules for modified files :)
If I change the syscheck frequency on my agent, do I have to change it on
the manager as well? What is the difference between changing it on either?
No, that setting is local. If you change it on the server it will only
affect the server's instance of ossec-syscheckd.
You're the best Dan! Thank you for everything. You should have a donate
button ;)
On 12/19/2012 10:46 AM, dan (ddp) wrote:
On Wed, Dec 19, 2012 at 10:45 AM, Lsilverman wrote:
I am adding this now, I will test and let you know my results.
I thought that the ossec.conf on the manager related to the agent running
on the manager doing checks of itself? Similar to the ossec.conf file on
any agent.
Thanks
It does, but it also governs the alerts it sends out. Agents do not
create alerts, only the server.
On Wednesday, December 19, 2012 10:26:10 AM UTC-5, dan (ddpbsd) wrote:
On Wed, Dec 19, 2012 at 10:24 AM, Lsilverman wrote:
I did not set it on the server. Where/how would I do that?
Thanks for your quick response!!!!
In the server's /var/ossec/etc/ossec.conf, in the <syscheck> block.
http://www.ossec.net/doc/syntax/head_ossec_config.syscheck.html
From one of my ossec.confs:
<syscheck>
<!-- Frequency that syscheck is executed - default to every 22 hours -->
<frequency>7200</frequency>
<alert_new_files>yes</alert_new_files>
<auto_ignore>no</auto_ignore>
...
</syscheck>
On Wednesday, December 19, 2012 10:22:00 AM UTC-5, dan (ddpbsd)
wrote:
On Wed, Dec 19, 2012 at 9:53 AM, Lsilverman wrote:
Let me start off with I love ossec, It's an amazing product if you take
the time to learn it and tune it. My manager is a CentOS box and my agent
in question is a Win 2003 R2 SP2 box.
Syscheck seems to be very buggy, unless I am doing something wrong. There
is a directory on my agent that should never ever change - c:\lou. There
is a log dir within that dir which changes and should be ignored. I added
this to that agent's ossec config:
<ossec_config>
<syscheck>
<alert_new_files>yes</alert_new_files>
<directories realtime="yes" report_changes="yes"
check_all="yes">C:\lou</directories>
<ignore>C:\lou\logs</ignore>
</syscheck>
</ossec_config>
I restarted ossec and I see the dir being monitored:
2012/12/18 17:06:26 ossec-agent: INFO: Monitoring directory: 'C:\lou'.
I added a rule to my manager's local_rules.xml as a test to alert on new
files:
<group name="local,">
<rule id="554" level="14" overwrite="yes">
<if_group>syscheck</if_group>
<decoded_as>syscheck_new_entry</decoded_as>
<description>File added to an ossec monitored folder.</description>
<group>syscheck,</group>
</rule>
</group>
I added a few files to the folder and waited. I did not get any alerts
but I did get this in my agent's log:
2012/12/18 17:26:35 ossec-agent(1107): ERROR: Unable to create directory: '/var/ossec/queue/diff/local/:\lou'
2012/12/18 17:26:35 ossec-agent(1124): ERROR: Unable to rename file: 'C:\lou/delmetest.txt'.
2012/12/18 17:26:35 ossec-agent(1107): ERROR: Unable to create directory: '/var/ossec/queue/diff/local/:\lou'
2012/12/18 17:26:35 ossec-agent(1124): ERROR: Unable to rename file: 'C:\lou/delme2.txt'.
2012/12/18 17:26:55 ossec-agent: INFO: Ending syscheck scan.
Does anyone see an issue with my config? Ossec knows that those are new
files, why do I not get an alert? Why is my windows ossec install looking
for the /var dir? Any help is greatly appreciated.
Did you set alert_new_files on the server? It doesn't mean anything on
the agent.
I don't know if report_changes works on Windows. I didn't think so,
but I could be wrong.
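The thread settles three points about the syscheck block that are easy to get wrong: frequency is a count of seconds local to each host's ossec-syscheckd, alert_new_files only takes effect in the server's ossec.conf, and report_changes="yes" is not available on Windows agents. The linter below is an added example (my own code, not OSSEC's) that encodes those points as checks over an ossec.conf. The sample configs are constructed from the blocks posted in the thread; the role/windows flags, the severity prefixes and the "leading zero" warning are my own conventions, not OSSEC behaviour. It also handles a real gotcha for anyone scripting against ossec.conf: the file may hold several top-level ossec_config elements, so it is not one well-formed XML document and must be wrapped before parsing.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample input: the Windows agent block posted in the thread, with
# the 7200-second frequency Lou was trying to use.
AGENT_CONF = r"""
<ossec_config>
  <syscheck>
    <frequency>7200</frequency>
    <disabled>no</disabled>
    <alert_new_files>yes</alert_new_files>
    <directories realtime="yes" report_changes="yes" check_all="yes">C:\lou</directories>
    <ignore>C:\lou\logs</ignore>
  </syscheck>
</ossec_config>
"""

# Constructed sample input: a server-side block in the shape Dan posted.
SERVER_CONF = """
<ossec_config>
  <syscheck>
    <frequency>7200</frequency>
    <alert_new_files>yes</alert_new_files>
    <auto_ignore>no</auto_ignore>
  </syscheck>
</ossec_config>
"""


def load_ossec_conf(text):
    """ossec.conf may contain several top-level <ossec_config> elements, which
    is not one well-formed XML document; wrap them in a synthetic root."""
    text = re.sub(r"^\s*<\?xml[^>]*\?>", "", text)
    return ET.fromstring("<root>" + text + "</root>")


def lint_syscheck(text, role="agent", windows=False):
    """Lint every <syscheck> block in `text`; return findings prefixed
    ERROR:, WARN: or INFO: (prefixes are this example's convention).

    role is "agent" or "server"; windows says whether the host is a Windows
    agent. The rules encode what the thread established:
      - <frequency> is seconds and must be a positive integer; a leading zero
        is flagged so nobody relies on how a particular build parses it
      - <alert_new_files> only takes effect on the server
      - report_changes="yes" is not available on Windows agents
      - <frequency> is local to each host's ossec-syscheckd
    """
    findings = []
    blocks = load_ossec_conf(text).findall("./ossec_config/syscheck")
    if not blocks:
        return ["ERROR: no <syscheck> block found"]
    for sc in blocks:
        for node in sc.findall("frequency"):
            raw = (node.text or "").strip()
            if not raw.isdigit() or int(raw) <= 0:
                findings.append(f"ERROR: frequency '{raw}' is not a positive integer of seconds")
                continue
            secs = int(raw)
            if raw != str(secs):
                findings.append(f"WARN: frequency '{raw}' has a leading zero; write it as {secs}")
            findings.append(
                f"INFO: frequency {secs}s = {secs / 3600:g}h; applies only to this host's ossec-syscheckd")
        for node in sc.findall("disabled"):
            if (node.text or "").strip().lower() not in ("yes", "no"):
                findings.append(f"ERROR: disabled must be yes or no, got '{node.text}'")
        if role == "agent" and sc.find("alert_new_files") is not None:
            findings.append("WARN: alert_new_files on an agent has no effect; set it in the server's <syscheck>")
        for d in sc.findall("directories"):
            if windows and d.get("report_changes", "no").lower() == "yes":
                findings.append(f"WARN: report_changes is not available on Windows agents (directory {d.text})")
    return findings


if __name__ == "__main__":
    for label, conf, kw in (
        ("windows agent", AGENT_CONF, dict(role="agent", windows=True)),
        ("server", SERVER_CONF, dict(role="server")),
    ):
        print(f"== {label}")
        for f in lint_syscheck(conf, **kw):
            print("  " + f)
```

Run against the Windows agent block it warns about both alert_new_files and report_changes and reports the 7200s frequency as two hours; the same block linted as a non-Windows agent keeps only the alert_new_files warning. Note that the linter deliberately does not try to explain why a bare 7200 failed to start the agent in the thread while 72000 and 07200 did; it only flags the forms worth double-checking.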