Correction to my previous post, it prevented me from starting the agent.
When I change 07200 to 7200, the server IP disappears from the box. When I add it and hit SAVE, I get a popup with this error:
Unable to set OSSEC server IP Address. Internal error on the XML write.
There are no errors in ossec.log
Changing it back to 07200 allows me to save the server IP and start the agent.
Thanks
On 12/19/2012 12:22 PM, dan (ddp) wrote:
On Wed, Dec 19, 2012 at 12:12 PM, Lou Silverman <[email protected]> wrote:
I got the error when trying to start my agent. It popped up preventing me from starting the server. When I installed 2.6, 2.7 was still a beta. Can I use a version 2.7 agent with a 2.6 server?
Thanks
Lou
No, they should be kept in sync if possible, and the agent should never be a higher version than the server.
Check the ossec.log to see if there is a more detailed error. Changing the frequency shouldn't be an issue.
I remember there was a problem with the path to ossec-logtest in the ossec-control script that caused an error like this. It didn't stop anything from working, it was just annoying.
On 12/19/2012 11:34 AM, dan (ddp) wrote:
On Wed, Dec 19, 2012 at 11:32 AM, Lou Silverman <[email protected]> wrote:
Here is a snippet of my config:
<!-- Syscheck - Integrity Checking config. -->
<syscheck>
<!-- Default frequency, every 20 hours. It doesn't need to be higher
- on most systems and once a day should be enough.
-->
<frequency>7200</frequency>
<!-- By default it is disabled. In the Install you must choose
- to enable it.
-->
<disabled>no</disabled>
I restart the server and I get Error -- Unable to start OSSEC (check config). If I change 7200 to 72000 it works. If I change 7200 to 07200 it also works! However, I am uneasy about whether it will actually check every 7200s or whether that leading 0 will cause problems. I am on Windows agent 2.6, are you on 2.6 or 2.7?
Thanks
Lou
I'm using 2.7. I haven't used 2.6 in ages. Did you get that error message from the ossec.log?
On 12/19/2012 11:26 AM, dan (ddp) wrote:
On Wed, Dec 19, 2012 at 11:19 AM, Lou Silverman <[email protected]> wrote:
Here is a funky error... I changed my syscheck frequency from 72000s to 7200s and I could not start my agent - I got an error to check my config.
Changing it back to 72000 allowed me to start the agent. Any ideas?
Thanks
Lou
Nope. Can you provide the exact error?
On 12/19/2012 11:17 AM, dan (ddp) wrote:
On Wed, Dec 19, 2012 at 11:14 AM, Lou Silverman <[email protected]> wrote:
It appears you are correct, report_changes is not available on Windows OS, as I am no longer getting those errors.
Thanks for the update, I'll update the docs.
I am now alerting on new files! Now to write the rules for modified files :)
If I change the syscheck frequency on my agent, do I have to change it on the manager as well? What is the difference between changing it on either?
No, that setting is local. If you change it on the server it will only affect the server's instance of ossec-syscheckd.
You're the best Dan! Thank you for everything. You should have a donate button ;)
On 12/19/2012 10:46 AM, dan (ddp) wrote:
On Wed, Dec 19, 2012 at 10:45 AM, Lsilverman <[email protected]> wrote:
I am adding this now, I will test and let you know my results.
I thought that the ossec.conf on the manager related to the agent running on the manager doing checks of itself? Similar to the ossec.conf file on any agent.
Thanks
It does, but it also governs the alerts it sends out. Agents do not create alerts, only the server.
On Wednesday, December 19, 2012 10:26:10 AM UTC-5, dan (ddpbsd) wrote:
On Wed, Dec 19, 2012 at 10:24 AM, Lsilverman <[email protected]> wrote:
I did not set it on the server. Where/how would I do that?
Thanks for your quick response!!!!
In the server's /var/ossec/etc/ossec.conf, in the <syscheck> block.
http://www.ossec.net/doc/syntax/head_ossec_config.syscheck.html
From one of my ossec.confs:
<syscheck>
<!-- Frequency that syscheck is executed - default to every 22 hours -->
<frequency>7200</frequency>
<alert_new_files>yes</alert_new_files>
<auto_ignore>no</auto_ignore>
...
</syscheck>
On Wednesday, December 19, 2012 10:22:00 AM UTC-5, dan (ddpbsd) wrote:
On Wed, Dec 19, 2012 at 9:53 AM, Lsilverman <[email protected]> wrote:
Let me start off with I love ossec, it's an amazing product if you take the time to learn it and tune it. My manager is a CentOS box and my agent in question is a Win 2003 R2 SP2 box.
Syscheck seems to be very buggy, unless I am doing something wrong. There is a directory on my agent that should never ever change - c:\lou. There is a log dir within that dir which changes and should be ignored. I added this to that agent's ossec config:
<ossec_config>
<syscheck>
<alert_new_files>yes</alert_new_files>
<directories realtime="yes" report_changes="yes"
check_all="yes">C:\lou</directories>
<ignore>C:\lou\logs</ignore>
</syscheck>
</ossec_config>
I restarted ossec and I see the dir being monitored:
2012/12/18 17:06:26 ossec-agent: INFO: Monitoring directory: 'C:\lou'.
I added a rule to my manager's local_rules.xml as a test to alert on new files:
<group name="local,">
<rule id="554" level="14" overwrite="yes">
<if_group>syscheck</if_group>
<decoded_as>syscheck_new_entry</decoded_as>
<description>File added to an ossec monitored folder.</description>
<group>syscheck,</group>
</rule>
</group>
I added a few files to the folder and waited. I did not get any alerts but I did get this in my agent's log:
2012/12/18 17:26:35 ossec-agent(1107): ERROR: Unable to create directory: '/var/ossec/queue/diff/local/:\lou'
2012/12/18 17:26:35 ossec-agent(1124): ERROR: Unable to rename file: 'C:\lou/delmetest.txt'.
2012/12/18 17:26:35 ossec-agent(1107): ERROR: Unable to create directory: '/var/ossec/queue/diff/local/:\lou'
2012/12/18 17:26:35 ossec-agent(1124): ERROR: Unable to rename file: 'C:\lou/delme2.txt'.
2012/12/18 17:26:55 ossec-agent: INFO: Ending syscheck scan.
Does anyone see an issue with my config? Ossec knows that those are new files, why do I not get an alert? Why is my windows ossec install looking for the /var dir? Any help is greatly appreciated.
Did you set alert_new_files on the server? It doesn't mean anything on the agent.
I don't know if report_changes works on Windows. I didn't think so, but I could be wrong.
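The three pitfalls this thread works through (report_changes on a Windows agent, alert_new_files set only on the agent, and the odd frequency spelling) can be caught before restarting anything. The linter below is an added example, not OSSEC's own tooling; the two configs are constructed from the snippets in the thread and the function name lint_syscheck is assumed.

```python
# Added example (not OSSEC's own code): lint agent/server <syscheck> blocks for
# the pitfalls discussed in this thread. Configs and the helper name are constructed.
import xml.etree.ElementTree as ET

# Constructed agent config, modelled on the Windows agent snippet in the thread.
AGENT_CONF = """<ossec_config>
  <syscheck>
    <frequency>07200</frequency>
    <alert_new_files>yes</alert_new_files>
    <directories realtime="yes" report_changes="yes" check_all="yes">C:\\lou</directories>
    <ignore>C:\\lou\\logs</ignore>
  </syscheck>
</ossec_config>"""

# Constructed manager config with alert_new_files left unset.
SERVER_CONF = """<ossec_config>
  <syscheck>
    <frequency>7200</frequency>
    <auto_ignore>no</auto_ignore>
  </syscheck>
</ossec_config>"""


def lint_syscheck(agent_xml: str, server_xml: str, agent_is_windows: bool) -> list:
    """Return human-readable warnings for an agent/server syscheck pairing."""
    warnings = []
    agent = ET.fromstring(agent_xml).find("syscheck")
    server = ET.fromstring(server_xml).find("syscheck")

    # 1. report_changes is not available on Windows agents (confirmed in the thread).
    if agent_is_windows:
        for d in agent.findall("directories"):
            if d.get("report_changes", "no") == "yes":
                warnings.append(f"report_changes=yes on Windows path {d.text!r} is unsupported")

    # 2. alert_new_files only takes effect on the server, which is what creates alerts.
    server_flag = server.findtext("alert_new_files", default="no")
    agent_flag = agent.findtext("alert_new_files", default="no")
    if agent_flag == "yes" and server_flag != "yes":
        warnings.append("alert_new_files=yes on the agent but not on the server: no new-file alerts")

    # 3. frequency is seconds as a plain positive integer; the thread reports the 2.6
    #    Windows agent rejecting 7200 while accepting 07200, so flag odd spellings.
    freq = (agent.findtext("frequency") or "").strip()
    if not freq.isdigit() or int(freq) <= 0:
        warnings.append(f"frequency {freq!r} is not a positive integer")
    elif freq != str(int(freq)):
        warnings.append(f"frequency {freq!r} has a leading zero; prefer {int(freq)}")
    return warnings
```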