On Wed, Dec 19, 2012 at 12:12 PM, Lou Silverman <[email protected]> wrote:
> I got the error when trying to start my agent. It popped up preventing me
> from starting the server. When I installed 2.6, 2.7 was still a beta. Can I
> use a version 2.7 agent with a 2.6 server?
>
> Thanks
>
> Lou
>

No, they should be kept in sync if possible, and the agent should never be a
higher version than the server. Check the ossec.log to see if there is a more
detailed error. Changing the frequency shouldn't be an issue. I remember there
was a problem with the path to ossec-logtest in the ossec-control script that
caused an error like this. It didn't stop anything from working, it was just
annoying.

> On 12/19/2012 11:34 AM, dan (ddp) wrote:
>> On Wed, Dec 19, 2012 at 11:32 AM, Lou Silverman <[email protected]> wrote:
>>> Here is a snippet of my config:
>>>
>>> <!-- Syscheck - Integrity Checking config. -->
>>> <syscheck>
>>>
>>>   <!-- Default frequency, every 20 hours. It doesn't need to be higher
>>>     - on most systems and once a day should be enough.
>>>     -->
>>>   <frequency>7200</frequency>
>>>
>>>   <!-- By default it is disabled. In the Install you must choose
>>>     - to enable it.
>>>     -->
>>>   <disabled>no</disabled>
>>>
>>> I restart the server and I get Error -- Unable to start OSSEC (check
>>> config). If I change 7200 to 72000 it works. If I change 7200 to 07200 it
>>> also works! However, I am uneasy if it will actually check every 7200s or
>>> will that leading 0 cause problems? I am on windows agent 2.6, are you on
>>> 2.6 or 2.7?
>>>
>>> Thanks
>>>
>>> Lou
>>>
>> I'm using 2.7. I haven't used 2.6 in ages. Did you get that error
>> message from the ossec.log?
>>
>>> On 12/19/2012 11:26 AM, dan (ddp) wrote:
>>>> On Wed, Dec 19, 2012 at 11:19 AM, Lou Silverman <[email protected]> wrote:
>>>>> Here is a funky error... I changed my syscheck frequency from 72000s to
>>>>> 7200s and I could not start my agent - I got an error to check my config.
>>>>> Changing it back to 72000 allowed me to start the agent. Any ideas?
>>>>>
>>>>> Thanks
>>>>>
>>>>> Lou
>>>>>
>>>> Nope. Can you provide the exact error?
>>>>
>>>>> On 12/19/2012 11:17 AM, dan (ddp) wrote:
>>>>>> On Wed, Dec 19, 2012 at 11:14 AM, Lou Silverman <[email protected]> wrote:
>>>>>>> It appears you are correct, report_changes is not available on Windows OS as
>>>>>>> I am no longer getting those errors.
>>>>>>>
>>>>>> Thanks for the update, I'll update the docs.
>>>>>>
>>>>>>> I am now alerting on new files! Now to write the rules for modified files :)
>>>>>>> If I change the syscheck frequency on my agent, do I have to change it on
>>>>>>> the manager as well? What is the difference between changing it on either?
>>>>>>>
>>>>>> No, that setting is local. If you change it on the server it will only
>>>>>> affect the server's instance of ossec-syscheckd.
>>>>>>
>>>>>>> You're the best Dan! Thank you for everything. You should have a donate
>>>>>>> button ;)
>>>>>>>
>>>>>>> On 12/19/2012 10:46 AM, dan (ddp) wrote:
>>>>>>>> On Wed, Dec 19, 2012 at 10:45 AM, Lsilverman <[email protected]> wrote:
>>>>>>>>> I am adding this now, I will test and let you know my results.
>>>>>>>>>
>>>>>>>>> I thought that the ossec.conf on the manager related to the agent running on
>>>>>>>>> the manager doing checks of itself? Similar to the ossec.conf file on any
>>>>>>>>> agent.
>>>>>>>>>
>>>>>>>>> Thanks
>>>>>>>>>
>>>>>>>> It does, but it also governs the alerts it sends out. Agents do not
>>>>>>>> create alerts, only the server.
>>>>>>>>
>>>>>>>>> On Wednesday, December 19, 2012 10:26:10 AM UTC-5, dan (ddpbsd) wrote:
>>>>>>>>>> On Wed, Dec 19, 2012 at 10:24 AM, Lsilverman <[email protected]> wrote:
>>>>>>>>>>> I did not set it on the server. Where/how would I do that?
>>>>>>>>>>>
>>>>>>>>>>> Thanks for your quick response!!!!
>>>>>>>>>>>
>>>>>>>>>> In the server's /var/ossec/etc/ossec.conf, in the <syscheck> block.
>>>>>>>>>>
>>>>>>>>>> http://www.ossec.net/doc/syntax/head_ossec_config.syscheck.html
>>>>>>>>>>
>>>>>>>>>> From one of my ossec.confs:
>>>>>>>>>>
>>>>>>>>>> <syscheck>
>>>>>>>>>>   <!-- Frequency that syscheck is executed - default to every 22 hours -->
>>>>>>>>>>   <frequency>7200</frequency>
>>>>>>>>>>   <alert_new_files>yes</alert_new_files>
>>>>>>>>>>   <auto_ignore>no</auto_ignore>
>>>>>>>>>>   ...
>>>>>>>>>> </syscheck>
>>>>>>>>>>
>>>>>>>>>>> On Wednesday, December 19, 2012 10:22:00 AM UTC-5, dan (ddpbsd) wrote:
>>>>>>>>>>>> On Wed, Dec 19, 2012 at 9:53 AM, Lsilverman <[email protected]> wrote:
>>>>>>>>>>>>> Let me start off with: I love ossec, it's an amazing product if you take the
>>>>>>>>>>>>> time to learn it and tune it. My manager is a CentOS box and my agent in
>>>>>>>>>>>>> question is a Win 2003 R2 SP2 box.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Syscheck seems to be very buggy, unless I am doing something wrong. There is
>>>>>>>>>>>>> a directory on my agent that should never ever change - c:\lou. There is a
>>>>>>>>>>>>> log dir within that dir which changes and should be ignored. I added this to
>>>>>>>>>>>>> that agent's ossec config:
>>>>>>>>>>>>>
>>>>>>>>>>>>> <ossec_config>
>>>>>>>>>>>>>   <syscheck>
>>>>>>>>>>>>>     <alert_new_files>yes</alert_new_files>
>>>>>>>>>>>>>     <directories realtime="yes" report_changes="yes" check_all="yes">C:\lou</directories>
>>>>>>>>>>>>>     <ignore>C:\lou\logs</ignore>
>>>>>>>>>>>>>   </syscheck>
>>>>>>>>>>>>> </ossec_config>
>>>>>>>>>>>>>
>>>>>>>>>>>>> I restarted ossec and I see the dir being monitored:
>>>>>>>>>>>>> 2012/12/18 17:06:26 ossec-agent: INFO: Monitoring directory: 'C:\lou'.
>>>>>>>>>>>>>
>>>>>>>>>>>>> I added a rule to my manager's local_rules.xml as a test to alert on new
>>>>>>>>>>>>> files:
>>>>>>>>>>>>>
>>>>>>>>>>>>> <group name="local,">
>>>>>>>>>>>>>   <rule id="554" level="14" overwrite="yes">
>>>>>>>>>>>>>     <if_group>syscheck</if_group>
>>>>>>>>>>>>>     <decoded_as>syscheck_new_entry</decoded_as>
>>>>>>>>>>>>>     <description>File added to an ossec monitored folder.</description>
>>>>>>>>>>>>>     <group>syscheck,</group>
>>>>>>>>>>>>>   </rule>
>>>>>>>>>>>>> </group>
>>>>>>>>>>>>>
>>>>>>>>>>>>> I added a few files to the folder and waited. I did not get any alerts but I
>>>>>>>>>>>>> did get this in my agent's log:
>>>>>>>>>>>>>
>>>>>>>>>>>>> 2012/12/18 17:26:35 ossec-agent(1107): ERROR: Unable to create directory: '/var/ossec/queue/diff/local/:\lou'
>>>>>>>>>>>>> 2012/12/18 17:26:35 ossec-agent(1124): ERROR: Unable to rename file: 'C:\lou/delmetest.txt'.
>>>>>>>>>>>>> 2012/12/18 17:26:35 ossec-agent(1107): ERROR: Unable to create directory: '/var/ossec/queue/diff/local/:\lou'
>>>>>>>>>>>>> 2012/12/18 17:26:35 ossec-agent(1124): ERROR: Unable to rename file: 'C:\lou/delme2.txt'.
>>>>>>>>>>>>> 2012/12/18 17:26:55 ossec-agent: INFO: Ending syscheck scan.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Does anyone see an issue with my config? Ossec knows that those are new
>>>>>>>>>>>>> files, why do I not get an alert? Why is my windows ossec install looking
>>>>>>>>>>>>> for the /var dir? Any help is greatly appreciated.
>>>>>>>>>>>>
>>>>>>>>>>>> Did you set alert_new_files on the server? It doesn't mean anything on
>>>>>>>>>>>> the agent.
>>>>>>>>>>>> I don't know if report_changes works on Windows. I didn't think so,
>>>>>>>>>>>> but I could be wrong.
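An added example, not code from this thread or from the OSSEC project: a small Python linter that reads the <syscheck> block of an ossec.conf and flags the three things the thread worked out by trial and error (report_changes on a Windows directory, alert_new_files in an agent config where it has no effect, and a frequency that is not a plain positive integer). It also checks that every <ignore> path sits under a monitored directory, which goes a little beyond the thread. The two sample configs are constructed copies of the ones posted above; the drive-letter regex and the assumption that 07200 is read as decimal 7200 (Lou's leading-zero question is never settled in the thread) are mine.

```python
"""Lint the <syscheck> block of an ossec.conf for the pitfalls hit in this thread.

Added example; not OSSEC code. The rules encode what the thread established:
report_changes does nothing useful on a Windows agent, alert_new_files only
matters in the server's ossec.conf, and frequency must be a plain positive
integer. The leading-zero rule assumes OSSEC reads 07200 as decimal 7200.
"""
import re
import xml.etree.ElementTree as ET

# Drive-letter prefix such as C:\lou (assumption: UNC paths are not covered).
WINDOWS_PATH = re.compile(r"^[A-Za-z]:\\")

# Constructed samples modeled on the two configs posted in the thread.
AGENT_CONF = r"""
<ossec_config>
  <syscheck>
    <alert_new_files>yes</alert_new_files>
    <directories realtime="yes" report_changes="yes" check_all="yes">C:\lou</directories>
    <ignore>C:\lou\logs</ignore>
  </syscheck>
</ossec_config>
"""

SERVER_CONF = """
<ossec_config>
  <syscheck>
    <frequency>7200</frequency>
    <alert_new_files>yes</alert_new_files>
    <auto_ignore>no</auto_ignore>
  </syscheck>
</ossec_config>
"""


def _norm(path):
    return path.replace("\\", "/").rstrip("/").lower()


def _is_under(child, parent):
    c, p = _norm(child), _norm(parent)
    return c == p or c.startswith(p + "/")


def parse_ossec_config(text):
    # ossec.conf may hold several top-level <ossec_config> elements and has no
    # single root, so wrap the text before handing it to the XML parser.
    return ET.fromstring("<root>" + text + "</root>")


def lint_syscheck(text, role):
    """Return [(severity, code, message)] for every <syscheck> block in text.

    role is "agent" or "server"; some settings only mean something on one side.
    """
    findings = []
    for sc in parse_ossec_config(text).iter("syscheck"):
        freq = sc.find("frequency")
        if freq is not None:
            raw = (freq.text or "").strip()
            if not raw.isdigit() or int(raw) == 0:
                findings.append(("error", "BAD_FREQ",
                                 f"frequency '{raw}' is not a positive integer"))
            elif raw != str(int(raw)):
                findings.append(("info", "LEADING_ZERO",
                                 f"frequency '{raw}' reads as {int(raw)} seconds; "
                                 "write it without the leading zero"))

        # <directories> may list several comma-separated paths in one element.
        monitored = []
        for d in sc.findall("directories"):
            paths = [p.strip() for p in (d.text or "").split(",") if p.strip()]
            monitored.extend(paths)
            for p in paths:
                if WINDOWS_PATH.match(p) and d.get("report_changes") == "yes":
                    findings.append(("warn", "WIN_REPORT_CHANGES",
                                     f'report_changes="yes" on {p}: not available on '
                                     "Windows agents; drop it, check_all still hashes files"))

        for ig in sc.findall("ignore"):
            if ig.get("type") == "sregex":
                continue  # regex ignores cannot be path-matched here
            p = (ig.text or "").strip()
            if not any(_is_under(p, m) for m in monitored):
                findings.append(("warn", "ORPHAN_IGNORE",
                                 f"ignore {p} is not under any monitored directory"))

        if role == "agent" and sc.find("alert_new_files") is not None:
            findings.append(("info", "AGENT_ALERT_NEW_FILES",
                             "alert_new_files has no effect on an agent; set it in "
                             "the server's /var/ossec/etc/ossec.conf"))
    return findings


def codes(text, role):
    """Just the finding codes, in order; handy for quick checks."""
    return [c for _, c, _ in lint_syscheck(text, role)]


if __name__ == "__main__":
    for name, conf, role in (("agent", AGENT_CONF, "agent"),
                             ("server", SERVER_CONF, "server")):
        print(f"== {name} ==")
        for sev, code, msg in lint_syscheck(conf, role):
            print(f"{sev:5} {code}: {msg}")
```

Run it against the agent sample and it reports exactly the two things Dan pointed out; the server sample passes clean. The linter does not try to reproduce the "Unable to start OSSEC (check config)" failure, since the thread never pins down what in 7200 vs 72000 triggered it.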
