[ossec-list] Windows agent error with centralized configuration

Thu, 14 Mar 2013 03:36:48 -0700 

Hi all,

 I am testing Ossec agents under Windows 2012 servers using agent
centralized configuration. And a problem appears:

2013/03/14 08:07:16 ossec-agent: INFO: Started (pid: 2832).

2013/03/14 08:08:46 ossec-agent: INFO: Starting rootcheck scan.

2013/03/14 08:08:46 ossec-agent: No winaudit file configured.

2013/03/14 08:08:46 ossec-agent: No winmalware file configured.

2013/03/14 08:08:46 ossec-agent: No winapps file configured.

2013/03/14 08:08:51 ossec-agent: INFO: Ending rootcheck scan.

My agent.conf for these Windows 2012 servers is:

<agent_config profile="WinServers">
  <syscheck>
    <!--<scan_on_start>no</scan_on_start>-->
    <frequency>43200</frequency>
    <!--<scan_time>04:00</scan_time>-->
    <directories check_all="yes">%WINDIR%/win.ini</directories>
    <directories check_all="yes">%WINDIR%/system.ini</directories>
    <directories check_all="yes">C:\autoexec.bat</directories>
    <directories check_all="yes">C:\config.sys</directories>
    <directories check_all="yes">C:\boot.ini</directories>
    <directories check_all="yes">%WINDIR%/System32/CONFIG.NT</directories>
    <directories check_all="yes">%WINDIR%/System32/AUTOEXEC.NT</directories>
    <directories check_all="yes">%WINDIR%/System32/at.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/attrib.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/cacls.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/debug.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/drwatson.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/drwtsn32.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/edlin.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/eventcreate.exe</directories>
    <directories
check_all="yes">%WINDIR%/System32/eventtriggers.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/ftp.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/net.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/net1.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/netsh.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/rcp.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/reg.exe</directories>
    <directories check_all="yes">%WINDIR%/regedit.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/regedt32.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/regsvr32.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/rexec.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/rsh.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/runas.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/sc.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/subst.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/telnet.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/tftp.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/tlntsvr.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/drivers/etc</directories>
    <directories check_all="yes" realtime="yes">C:\Documents and
Settings/All Users/Start Menu/Programs/Startup</directories>
    <directories check_all="yes" realtime="yes">C:\Users/Public/All
Users/Microsoft/Windows/Start Menu/Startup</directories>
    <ignore type="sregex">.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$</ignore>

    <!-- Windows registry entries to monitor. -->
    
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\batfile</windows_registry>
    
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\cmdfile</windows_registry>
    
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\comfile</windows_registry>
    
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\exefile</windows_registry>
    
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\piffile</windows_registry>
    
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects</windows_registry>
    
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Directory</windows_registry>
    
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Folder</windows_registry>
    
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Protocols</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Policies</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Security</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Internet
Explorer</windows_registry>
    
<windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</windows_registry>
    
<windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session
Manager\KnownDLLs</windows_registry>
    
<windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg</windows_registry>
    
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry>
    
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</windows_registry>
    
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx</windows_registry>
    
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL</windows_registry>
    
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
NT\CurrentVersion\Windows</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Active
Setup\Installed Components</windows_registry>

    <!-- Windows registry entries to ignore. -->
    
<registry_ignore>HKEY_LOCAL_MACHINE\Security\Policy\Secrets</registry_ignore>
    
<registry_ignore>HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users</registry_ignore>
    <registry_ignore type="sregex">\Enum$</registry_ignore>
  </syscheck>

  <rootcheck>
    <windows_audit>./shared/win_audit_rcl.txt</windows_audit>
    <windows_apps>./shared/win_applications_rcl.txt</windows_apps>
    <windows_malware>./shared/win_malware_rcl.txt</windows_malware>
  </rootcheck>

....

 And ossec.conf in Windows 2012 client is:

<ossec_config>
  <client>
    <server-hostname>ossec.domain.com</server-hostname>
    <port>11555</port>
        <config-profile>WinServers</config-profile>
  </client>
</ossec_config>

Any idea??

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.

Reply via email to