On Wed, Dec 19, 2012 at 11:32 AM, Lou Silverman <[email protected]> wrote:
> Here is a snippet of my config:
>
> <!-- Syscheck - Integrity Checking config. -->
> <syscheck>
>
>   <!-- Default frequency, every 20 hours. It doesn't need to be higher
>      - on most systems and once a day should be enough.
>   -->
>   <frequency>7200</frequency>
>
>   <!-- By default it is disabled. In the Install you must choose
>      - to enable it.
>   -->
>   <disabled>no</disabled>
>
> I restart the server and I get Error -- Unable to start OSSEC (check
> config). If I change 7200 to 72000 it works. If I change 7200 to 07200 it
> also works! However, I am uneasy if it will actually check every 7200s or
> will that leading 0 cause problems? I am on windows agent 2.6, are you on
> 2.6 or 2.7?
>
> Thanks
>
> Lou
>

I'm using 2.7. I haven't used 2.6 in ages. Did you get that error message
from the ossec.log?

>
> On 12/19/2012 11:26 AM, dan (ddp) wrote:
>> On Wed, Dec 19, 2012 at 11:19 AM, Lou Silverman <[email protected]> wrote:
>>> Here is a funky error... I changed my syscheck frequency from 72000s to
>>> 7200s and I could not start my agent - I got an error to check my config.
>>> Changing it back to 72000 allowed me to start the agent. Any ideas?
>>>
>>> Thanks
>>>
>>> Lou
>>>
>> Nope. Can you provide the exact error?
>>
>>> On 12/19/2012 11:17 AM, dan (ddp) wrote:
>>>> On Wed, Dec 19, 2012 at 11:14 AM, Lou Silverman <[email protected]> wrote:
>>>>> It appears you are correct, report_changes is not available on Windows
>>>>> OS as I am no longer getting those errors.
>>>>>
>>>> Thanks for the update, I'll update the docs.
>>>>
>>>>> I am now alerting on new files! Now to write the rules for modified
>>>>> files :)
>>>>> If I change the syscheck frequency on my agent, do I have to change it
>>>>> on the manager as well? What is the difference between changing it on
>>>>> either?
>>>>>
>>>> No, that setting is local. If you change it on the server it will only
>>>> affect the server's instance of ossec-syscheckd.
>>>>
>>>>> You're the best Dan! Thank you for everything. You should have a donate
>>>>> button ;)
>>>>>
>>>>> On 12/19/2012 10:46 AM, dan (ddp) wrote:
>>>>>> On Wed, Dec 19, 2012 at 10:45 AM, Lsilverman <[email protected]> wrote:
>>>>>>> I am adding this now, I will test and let you know my results.
>>>>>>>
>>>>>>> I thought that the ossec.conf on the manager related to the agent
>>>>>>> running on the manager doing checks of itself? Similar to the
>>>>>>> ossec.conf file on any agent.
>>>>>>>
>>>>>>> Thanks
>>>>>>>
>>>>>> It does, but it also governs the alerts it sends out. Agents do not
>>>>>> create alerts, only the server.
>>>>>>
>>>>>>> On Wednesday, December 19, 2012 10:26:10 AM UTC-5, dan (ddpbsd) wrote:
>>>>>>>> On Wed, Dec 19, 2012 at 10:24 AM, Lsilverman <[email protected]> wrote:
>>>>>>>>> I did not set it on the server. Where/how would I do that?
>>>>>>>>>
>>>>>>>>> Thanks for your quick response!!!!
>>>>>>>>>
>>>>>>>> In the server's /var/ossec/etc/ossec.conf, in the <syscheck> block.
>>>>>>>>
>>>>>>>> http://www.ossec.net/doc/syntax/head_ossec_config.syscheck.html
>>>>>>>>
>>>>>>>> From one of my ossec.confs:
>>>>>>>>
>>>>>>>> <syscheck>
>>>>>>>>   <!-- Frequency that syscheck is executed - default to every 22 hours -->
>>>>>>>>   <frequency>7200</frequency>
>>>>>>>>   <alert_new_files>yes</alert_new_files>
>>>>>>>>   <auto_ignore>no</auto_ignore>
>>>>>>>>   ...
>>>>>>>> </syscheck>
>>>>>>>>
>>>>>>>>> On Wednesday, December 19, 2012 10:22:00 AM UTC-5, dan (ddpbsd) wrote:
>>>>>>>>>> On Wed, Dec 19, 2012 at 9:53 AM, Lsilverman <[email protected]> wrote:
>>>>>>>>>>> Let me start off with: I love ossec. It's an amazing product if you
>>>>>>>>>>> take the time to learn it and tune it. My manager is a CentOS box
>>>>>>>>>>> and my agent in question is a Win 2003 R2 SP2 box.
>>>>>>>>>>>
>>>>>>>>>>> Syscheck seems to be very buggy, unless I am doing something wrong.
>>>>>>>>>>> There is a directory on my agent that should never ever change -
>>>>>>>>>>> c:\lou. There is a log dir within that dir which changes and should
>>>>>>>>>>> be ignored. I added this to that agent's ossec config:
>>>>>>>>>>>
>>>>>>>>>>> <ossec_config>
>>>>>>>>>>>   <syscheck>
>>>>>>>>>>>     <alert_new_files>yes</alert_new_files>
>>>>>>>>>>>     <directories realtime="yes" report_changes="yes" check_all="yes">C:\lou</directories>
>>>>>>>>>>>     <ignore>C:\lou\logs</ignore>
>>>>>>>>>>>   </syscheck>
>>>>>>>>>>> </ossec_config>
>>>>>>>>>>>
>>>>>>>>>>> I restarted ossec and I see the dir being monitored:
>>>>>>>>>>> 2012/12/18 17:06:26 ossec-agent: INFO: Monitoring directory: 'C:\lou'.
>>>>>>>>>>>
>>>>>>>>>>> I added a rule to my manager's local_rules.xml as a test to alert
>>>>>>>>>>> on new files:
>>>>>>>>>>>
>>>>>>>>>>> <group name="local,">
>>>>>>>>>>>   <rule id="554" level="14" overwrite="yes">
>>>>>>>>>>>     <if_group>syscheck</if_group>
>>>>>>>>>>>     <decoded_as>syscheck_new_entry</decoded_as>
>>>>>>>>>>>     <description>File added to an ossec monitored folder.</description>
>>>>>>>>>>>     <group>syscheck,</group>
>>>>>>>>>>>   </rule>
>>>>>>>>>>> </group>
>>>>>>>>>>>
>>>>>>>>>>> I added a few files to the folder and waited. I did not get any
>>>>>>>>>>> alerts but I did get this in my agent's log:
>>>>>>>>>>>
>>>>>>>>>>> 2012/12/18 17:26:35 ossec-agent(1107): ERROR: Unable to create directory: '/var/ossec/queue/diff/local/:\lou'
>>>>>>>>>>> 2012/12/18 17:26:35 ossec-agent(1124): ERROR: Unable to rename file: 'C:\lou/delmetest.txt'.
>>>>>>>>>>> 2012/12/18 17:26:35 ossec-agent(1107): ERROR: Unable to create directory: '/var/ossec/queue/diff/local/:\lou'
>>>>>>>>>>> 2012/12/18 17:26:35 ossec-agent(1124): ERROR: Unable to rename file: 'C:\lou/delme2.txt'.
>>>>>>>>>>> 2012/12/18 17:26:55 ossec-agent: INFO: Ending syscheck scan.
>>>>>>>>>>>
>>>>>>>>>>> Does anyone see an issue with my config? Ossec knows that those are
>>>>>>>>>>> new files, why do I not get an alert? Why is my windows ossec
>>>>>>>>>>> install looking for the /var dir? Any help is greatly appreciated.
>>>>>>>>>>
>>>>>>>>>> Did you set alert_new_files on the server? It doesn't mean anything
>>>>>>>>>> on the agent.
>>>>>>>>>> I don't know if report_changes works on Windows. I didn't think so,
>>>>>>>>>> but I could be wrong.
>>>>>
>>>>>
>
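Added example, not part of this thread and not OSSEC's own code: a small Python lint that checks an ossec.conf for the three syscheck pitfalls the thread runs into, namely a frequency that is not a plain decimal integer (or carries a leading zero, as in 07200), report_changes="yes" on a Windows agent, and alert_new_files missing from the server's configuration (or set on an agent, where dan says it has no effect). It assumes, as OSSEC permits, that a file may hold several top-level <ossec_config> blocks, so the text is wrapped in a synthetic root before parsing; the sample configurations are constructed for the example.

```python
"""Lint the <syscheck> blocks of an ossec.conf for the pitfalls discussed above.

Added example; not OSSEC code. The rules encoded here come from the thread:
  * frequency must be a decimal integer; "07200" parses as 7200 (C atoi() and
    Python int() agree on that), which is flagged so the operator sees it
  * report_changes is not available on Windows agents
  * alert_new_files only matters in the server's ossec.conf, because only the
    server generates alerts
"""
import re
import xml.etree.ElementTree as ET


def parse_ossec_conf(text):
    """Parse ossec.conf text.

    OSSEC accepts several top-level <ossec_config> blocks in one file, which is
    not well-formed XML, so the content is wrapped in a synthetic <root>. A
    leading XML declaration (rare in ossec.conf) would break that wrapping and
    is stripped first.
    """
    text = re.sub(r"^\s*<\?xml[^>]*\?>", "", text)
    return ET.fromstring("<root>" + text + "</root>")


def lint_syscheck(text, role, windows=False):
    """Return a list of human-readable findings for the <syscheck> blocks.

    role:    "agent" or "server" (the server runs its own syscheck as well)
    windows: True when linting the ossec.conf of a Windows agent
    """
    if role not in ("agent", "server"):
        raise ValueError("role must be 'agent' or 'server'")

    findings = []
    root = parse_ossec_conf(text)
    blocks = root.findall("./ossec_config/syscheck")
    if not blocks:
        return ["no <syscheck> block found"]

    alert_new_files_values = []
    for block in blocks:
        freq = block.find("frequency")
        if freq is not None:
            value = (freq.text or "").strip()
            if not re.fullmatch(r"[0-9]+", value):
                findings.append("frequency %r is not a plain decimal integer" % value)
            elif value != str(int(value)):
                findings.append("frequency %r has a leading zero; parses as %d"
                                % (value, int(value)))

        for d in block.findall("directories"):
            if windows and d.get("report_changes", "no").strip().lower() == "yes":
                findings.append('report_changes="yes" on %r: not available on Windows agents'
                                % (d.text or "").strip())

        for a in block.findall("alert_new_files"):
            alert_new_files_values.append((a.text or "").strip().lower())

    # OSSEC merges all <ossec_config> blocks, so alert_new_files is judged
    # across the whole file rather than per block.
    if role == "server" and "yes" not in alert_new_files_values:
        findings.append("alert_new_files is not 'yes' on the server; "
                        "new-file alerts are only generated there")
    if role == "agent" and alert_new_files_values:
        findings.append("alert_new_files on an agent has no effect; "
                        "set it in the server's ossec.conf instead")
    return findings


# Constructed sample: a Windows agent config with the thread's mistakes.
AGENT_CONF = """<ossec_config>
  <syscheck>
    <frequency>07200</frequency>
    <alert_new_files>yes</alert_new_files>
    <directories realtime="yes" report_changes="yes" check_all="yes">C:\\lou</directories>
    <ignore>C:\\lou\\logs</ignore>
  </syscheck>
</ossec_config>
"""

# Constructed sample: a server config spread over two blocks, alert_new_files missing.
SERVER_CONF = """<!-- Syscheck - Integrity Checking config. -->
<ossec_config>
  <syscheck>
    <frequency>72000</frequency>
    <auto_ignore>no</auto_ignore>
  </syscheck>
</ossec_config>
<ossec_config>
  <syscheck>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
  </syscheck>
</ossec_config>
"""

# Constructed sample: the same server config with alert_new_files added.
FIXED_SERVER_CONF = SERVER_CONF.replace(
    "<auto_ignore>no</auto_ignore>",
    "<auto_ignore>no</auto_ignore>\n    <alert_new_files>yes</alert_new_files>")


if __name__ == "__main__":
    for label, conf, role, win in (("agent", AGENT_CONF, "agent", True),
                                   ("server", SERVER_CONF, "server", False),
                                   ("fixed server", FIXED_SERVER_CONF, "server", False)):
        print("%s:" % label)
        for f in lint_syscheck(conf, role, windows=win) or ["ok"]:
            print("  - " + f)
```

Run it against the real files with `role="agent"` on each agent and `role="server"` on the manager; the "fixed server" sample shows the configuration the thread ends up recommending, where the server carries `<alert_new_files>yes</alert_new_files>` and the Windows agent's `<directories>` entry has no `report_changes` attribute.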
