On Wed, Dec 19, 2012 at 12:35 PM, Lou Silverman <[email protected]> wrote:
> Correction to my previous post, it prevented me from starting the agent.
>
> When I change 07200 to 7200, the server IP disappears from the box. When I add it and hit SAVE, I get a popup with this error:
>
> Unable to set OSSEC server IP Address. Internal error on the XML write.
>
> There are no errors in ossec.log
>
> Changing it back to 07200 allows me to save the server IP and start the agent.
>
> Thanks
>

I have no clue. That's odd. Notepad shouldn't be taking things out of the file that you aren't directly editing. Maybe someone else (with more Windows experience) has seen this?

>
> On 12/19/2012 12:22 PM, dan (ddp) wrote:
>> On Wed, Dec 19, 2012 at 12:12 PM, Lou Silverman <[email protected]> wrote:
>>> I got the error when trying to start my agent. It popped up preventing me from starting the server. When I installed 2.6, 2.7 was still a beta. Can I use a version 2.7 agent with a 2.6 server?
>>>
>>> Thanks
>>>
>>> Lou
>>>
>> No, they should be kept in sync if possible, and the agent should never be a higher version than the server.
>>
>> Check the ossec.log to see if there is a more detailed error. Changing the frequency shouldn't be an issue.
>>
>> I remember there was a problem with the path to ossec-logtest in the ossec-control script that caused an error like this. It didn't stop anything from working, it was just annoying.
>>
>>> On 12/19/2012 11:34 AM, dan (ddp) wrote:
>>>> On Wed, Dec 19, 2012 at 11:32 AM, Lou Silverman <[email protected]> wrote:
>>>>> Here is a snippet of my config:
>>>>>
>>>>> <!-- Syscheck - Integrity Checking config. -->
>>>>> <syscheck>
>>>>>
>>>>> <!-- Default frequency, every 20 hours. It doesn't need to be higher
>>>>> - on most systems and once a day should be enough.
>>>>> -->
>>>>> <frequency>7200</frequency>
>>>>>
>>>>> <!-- By default it is disabled. In the Install you must choose
>>>>> - to enable it.
>>>>> -->
>>>>> <disabled>no</disabled>
>>>>>
>>>>> I restart the server and I get Error -- Unable to start OSSEC (check config). If I change 7200 to 72000 it works. If I change 7200 to 07200 it also works! However, I am uneasy if it will actually check every 7200s or will that leading 0 cause problems? I am on Windows agent 2.6, are you on 2.6 or 2.7?
>>>>>
>>>>> Thanks
>>>>>
>>>>> Lou
>>>>>
>>>> I'm using 2.7. I haven't used 2.6 in ages. Did you get that error message from the ossec.log?
>>>>
>>>>> On 12/19/2012 11:26 AM, dan (ddp) wrote:
>>>>>> On Wed, Dec 19, 2012 at 11:19 AM, Lou Silverman <[email protected]> wrote:
>>>>>>> Here is a funky error... I changed my syscheck frequency from 72000s to 7200s and I could not start my agent - I got an error to check my config. Changing it back to 72000 allowed me to start the agent. Any ideas?
>>>>>>>
>>>>>>> Thanks
>>>>>>>
>>>>>>> Lou
>>>>>>>
>>>>>> Nope. Can you provide the exact error?
>>>>>>
>>>>>>> On 12/19/2012 11:17 AM, dan (ddp) wrote:
>>>>>>>> On Wed, Dec 19, 2012 at 11:14 AM, Lou Silverman <[email protected]> wrote:
>>>>>>>>> It appears you are correct, report_changes is not available on Windows OS as I am no longer getting those errors.
>>>>>>>>>
>>>>>>>> Thanks for the update, I'll update the docs.
>>>>>>>>
>>>>>>>>> I am now alerting on new files! Now to write the rules for modified files :)
>>>>>>>>> If I change the syscheck frequency on my agent, do I have to change it on the manager as well? What is the difference between changing it on either?
>>>>>>>>>
>>>>>>>> No, that setting is local. If you change it on the server it will only affect the server's instance of ossec-syscheckd.
>>>>>>>>
>>>>>>>>> You're the best Dan! Thank you for everything. You should have a donate button ;)
>>>>>>>>>
>>>>>>>>> On 12/19/2012 10:46 AM, dan (ddp) wrote:
>>>>>>>>>> On Wed, Dec 19, 2012 at 10:45 AM, Lsilverman <[email protected]> wrote:
>>>>>>>>>>> I am adding this now, I will test and let you know my results.
>>>>>>>>>>>
>>>>>>>>>>> I thought that the ossec.conf on the manager related to the agent running on the manager doing checks of itself? Similar to the ossec.conf file on any agent.
>>>>>>>>>>>
>>>>>>>>>>> Thanks
>>>>>>>>>>>
>>>>>>>>>> It does, but it also governs the alerts it sends out. Agents do not create alerts, only the server.
>>>>>>>>>>
>>>>>>>>>>> On Wednesday, December 19, 2012 10:26:10 AM UTC-5, dan (ddpbsd) wrote:
>>>>>>>>>>>> On Wed, Dec 19, 2012 at 10:24 AM, Lsilverman <[email protected]> wrote:
>>>>>>>>>>>>> I did not set it on the server. Where/how would I do that?
>>>>>>>>>>>>>
>>>>>>>>>>>>> Thanks for your quick response!!!!
>>>>>>>>>>>>>
>>>>>>>>>>>> In the server's /var/ossec/etc/ossec.conf, in the <syscheck> block.
>>>>>>>>>>>>
>>>>>>>>>>>> http://www.ossec.net/doc/syntax/head_ossec_config.syscheck.html
>>>>>>>>>>>>
>>>>>>>>>>>> From one of my ossec.confs:
>>>>>>>>>>>>
>>>>>>>>>>>> <syscheck>
>>>>>>>>>>>> <!-- Frequency that syscheck is executed - default to every 22 hours -->
>>>>>>>>>>>> <frequency>7200</frequency>
>>>>>>>>>>>> <alert_new_files>yes</alert_new_files>
>>>>>>>>>>>> <auto_ignore>no</auto_ignore>
>>>>>>>>>>>> ...
>>>>>>>>>>>> </syscheck>
>>>>>>>>>>>>
>>>>>>>>>>>>> On Wednesday, December 19, 2012 10:22:00 AM UTC-5, dan (ddpbsd) wrote:
>>>>>>>>>>>>>> On Wed, Dec 19, 2012 at 9:53 AM, Lsilverman <[email protected]> wrote:
>>>>>>>>>>>>>>> Let me start off with I love OSSEC. It's an amazing product if you take the time to learn it and tune it. My manager is a CentOS box and my agent in question is a Win 2003 R2 SP2 box.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Syscheck seems to be very buggy, unless I am doing something wrong. There is a directory on my agent that should never ever change - c:\lou. There is a log dir within that dir which changes and should be ignored. I added this to that agent's ossec config:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> <ossec_config>
>>>>>>>>>>>>>>> <syscheck>
>>>>>>>>>>>>>>> <alert_new_files>yes</alert_new_files>
>>>>>>>>>>>>>>> <directories realtime="yes" report_changes="yes" check_all="yes">C:\lou</directories>
>>>>>>>>>>>>>>> <ignore>C:\lou\logs</ignore>
>>>>>>>>>>>>>>> </syscheck>
>>>>>>>>>>>>>>> </ossec_config>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I restarted ossec and I see the dir being monitored:
>>>>>>>>>>>>>>> 2012/12/18 17:06:26 ossec-agent: INFO: Monitoring directory: 'C:\lou'.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I added a rule to my manager's local_rules.xml as a test to alert on new files:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> <group name="local,">
>>>>>>>>>>>>>>> <rule id="554" level="14" overwrite="yes">
>>>>>>>>>>>>>>> <if_group>syscheck</if_group>
>>>>>>>>>>>>>>> <decoded_as>syscheck_new_entry</decoded_as>
>>>>>>>>>>>>>>> <description>File added to an ossec monitored folder.</description>
>>>>>>>>>>>>>>> <group>syscheck,</group>
>>>>>>>>>>>>>>> </rule>
>>>>>>>>>>>>>>> </group>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I added a few files to the folder and waited. I did not get any alerts but I did get this in my agent's log:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> 2012/12/18 17:26:35 ossec-agent(1107): ERROR: Unable to create directory: '/var/ossec/queue/diff/local/:\lou'
>>>>>>>>>>>>>>> 2012/12/18 17:26:35 ossec-agent(1124): ERROR: Unable to rename file: 'C:\lou/delmetest.txt'.
>>>>>>>>>>>>>>> 2012/12/18 17:26:35 ossec-agent(1107): ERROR: Unable to create directory: '/var/ossec/queue/diff/local/:\lou'
>>>>>>>>>>>>>>> 2012/12/18 17:26:35 ossec-agent(1124): ERROR: Unable to rename file: 'C:\lou/delme2.txt'.
>>>>>>>>>>>>>>> 2012/12/18 17:26:55 ossec-agent: INFO: Ending syscheck scan.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Does anyone see an issue with my config? OSSEC knows that those are new files, why do I not get an alert? Why is my Windows OSSEC install looking for the /var dir? Any help is greatly appreciated.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Did you set alert_new_files on the server? It doesn't mean anything on the agent.
>>>>>>>>>>>>>> I don't know if report_changes works on Windows. I didn't think so, but I could be wrong.
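The thread above settles a few points about where <syscheck> settings take effect: frequency is local to whichever ossec-syscheckd reads it, alert_new_files is acted on by the server and means nothing in an agent's config, and report_changes turned out not to be available on Windows agents (OSSEC 2.6/2.7). Below is an added example, not OSSEC's own code and not something posted in the thread, that lints an ossec.conf for exactly those points before a restart. The two sample configs are constructed for the example and modelled on the ones posted above; the role argument, the severity labels and the "ignore path lies under a monitored directory" heuristic are my own conventions, not OSSEC's.

```python
"""Lint the <syscheck> block(s) of an OSSEC ossec.conf for the pitfalls in this thread.

Added example, not OSSEC code. Element and attribute names are the ones the thread
uses (frequency, alert_new_files, directories/report_changes, ignore); the checks
themselves are this example's own conventions.
"""
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the Windows-agent config posted in the thread,
# using the 07200 frequency the poster fell back to. Not a real config file.
SAMPLE_AGENT_CONF = r"""<ossec_config>
  <syscheck>
    <!-- Default frequency, every 20 hours. -->
    <frequency>07200</frequency>
    <alert_new_files>yes</alert_new_files>
    <directories realtime="yes" report_changes="yes" check_all="yes">C:\lou</directories>
    <ignore>C:\lou\logs</ignore>
    <ignore>D:\scratch</ignore>
  </syscheck>
</ossec_config>
"""

# Constructed sample for the manager side, where alert_new_files belongs.
SAMPLE_SERVER_CONF = """<ossec_config>
  <syscheck>
    <frequency>7200</frequency>
    <alert_new_files>yes</alert_new_files>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <ignore>/etc/mtab</ignore>
  </syscheck>
</ossec_config>
"""


def _parse(conf_xml):
    # An ossec.conf may hold several top-level <ossec_config> elements, which is
    # not well-formed XML on its own, so wrap them in a synthetic root first.
    return ET.fromstring("<lint_root>" + conf_xml + "</lint_root>")


def _is_windows_path(path):
    return len(path) >= 2 and path[0].isalpha() and path[1] == ":"


def _under(child, parent):
    """True if `child` equals `parent` or lies beneath it (case-insensitive, either separator)."""
    def norm(p):
        return p.replace("\\", "/").rstrip("/").lower()
    c, p = norm(child), norm(parent)
    return c == p or c.startswith(p + "/")


def lint_syscheck(conf_xml, role):
    """Return a list of (severity, message) findings for every <syscheck> block.

    role is "agent" or "server": some settings only mean something on one side.
    """
    findings = []
    monitored = []
    for sc in _parse(conf_xml).iter("syscheck"):
        freq = sc.findtext("frequency")
        if freq is not None:
            f = freq.strip()
            if not f.isdigit() or int(f) <= 0:
                findings.append(("error", f"frequency {f!r} is not a positive integer of seconds"))
            elif f != str(int(f)):
                # Leading zeros: flag the non-canonical spelling rather than guess how the daemon parses it.
                findings.append(("warning", f"frequency {f!r} has a leading zero; write {int(f)}"))
        if role == "agent" and sc.findtext("alert_new_files") is not None:
            findings.append(("warning",
                             "alert_new_files is acted on by the server, not the agent; "
                             "set it in the manager's ossec.conf"))
        for d in sc.findall("directories"):
            for path in (d.text or "").split(","):
                path = path.strip()
                if not path:
                    continue
                monitored.append(path)
                if d.get("report_changes") == "yes" and _is_windows_path(path):
                    findings.append(("warning",
                                     f'report_changes="yes" on {path}: not available on Windows agents'))
        for ig in sc.findall("ignore"):
            if ig.get("type"):  # sregex/regex ignores are patterns, not paths; skip them
                continue
            path = (ig.text or "").strip()
            if path and not any(_under(path, m) for m in monitored):
                findings.append(("info", f"ignore {path} is outside every monitored directory"))
    return findings


if __name__ == "__main__":
    for role, conf in (("agent", SAMPLE_AGENT_CONF), ("server", SAMPLE_SERVER_CONF)):
        print(f"== {role} ==")
        for sev, msg in lint_syscheck(conf, role) or [("ok", "no findings")]:
            print(f"{sev:8s} {msg}")
```

Run it as-is to see the agent sample produce three warnings and one info line while the server sample comes back clean. The lint cannot tell you why 7200 and 07200 behaved differently for the poster's 2.6 agent; it only flags the value as non-canonical so the question gets asked before the service is restarted, and the ossec.log is still the place to look for the daemon's own reason.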
