I'm actually having the exact same problem as carlopmart. If I don't use agent.conf the problem goes away, assuming the agent's ossec.conf still has the default config.
If I have a bare-bones agent ossec.conf like carlopmart does, the error persists even though the ../etc/shared files are pushed. I can even delete these and they re-appear after the agent is restarted. So I turned on debug on the agent side, and it seems like for some reason the agent never reads the pushed agent.conf file:

2013/03/15 14:43:31 ossec-agent: calling os_read_agent_profile().
2013/03/15 14:43:31 ossec-agent: os_read_agent_profile() = [(null)]
2013/03/15 14:43:31 Read agent config profile name [(null)]
2013/03/15 14:43:31 [winhostprofile] did not match agent config profile name [(null)]

Tried dumping the profile option and just going with name=, but now all I see in the log is:

2013/03/15 14:45:45 ossec-agent: calling os_read_agent_name()
2013/03/15 14:45:45 ossec-agent: os_read_agent_name returned (mylaptopname ).

For now I suppose I'll stick with the default config on the agent and an agent.conf with no additional configuration, as my primary goal is to use the audit files. What happens then is the files on the server's ../etc/shared still get pushed and audit checks work as configured on the server, because the default ossec.conf still reads the audit files from its \shared directory.

On Friday, March 15, 2013 9:02:18 AM UTC-4, dan (ddpbsd) wrote:
> On Thu, Mar 14, 2013 at 4:35 AM, C. L. Martinez <[email protected]> wrote:
> > Hi all,
> >
> > I am testing Ossec agents under Windows 2012 servers using agent
> > centralized configuration. And a problem appears:
> >
> > 2013/03/14 08:07:16 ossec-agent: INFO: Started (pid: 2832).
> > 2013/03/14 08:08:46 ossec-agent: INFO: Starting rootcheck scan.
> > 2013/03/14 08:08:46 ossec-agent: No winaudit file configured.
> > 2013/03/14 08:08:46 ossec-agent: No winmalware file configured.
> > 2013/03/14 08:08:46 ossec-agent: No winapps file configured.
> > 2013/03/14 08:08:51 ossec-agent: INFO: Ending rootcheck scan.
> >
> > My agent.conf for these Windows 2012 servers is:
> >
> > <agent_config profile="WinServers">
> >   <syscheck>
> >     <!--<scan_on_start>no</scan_on_start>-->
> >     <frequency>43200</frequency>
> >     <!--<scan_time>04:00</scan_time>-->
> >     <directories check_all="yes">%WINDIR%/win.ini</directories>
> >     <directories check_all="yes">%WINDIR%/system.ini</directories>
> >     <directories check_all="yes">C:\autoexec.bat</directories>
> >     <directories check_all="yes">C:\config.sys</directories>
> >     <directories check_all="yes">C:\boot.ini</directories>
> >     <directories check_all="yes">%WINDIR%/System32/CONFIG.NT</directories>
> >     <directories check_all="yes">%WINDIR%/System32/AUTOEXEC.NT</directories>
> >     <directories check_all="yes">%WINDIR%/System32/at.exe</directories>
> >     <directories check_all="yes">%WINDIR%/System32/attrib.exe</directories>
> >     <directories check_all="yes">%WINDIR%/System32/cacls.exe</directories>
> >     <directories check_all="yes">%WINDIR%/System32/debug.exe</directories>
> >     <directories check_all="yes">%WINDIR%/System32/drwatson.exe</directories>
> >     <directories check_all="yes">%WINDIR%/System32/drwtsn32.exe</directories>
> >     <directories check_all="yes">%WINDIR%/System32/edlin.exe</directories>
> >     <directories check_all="yes">%WINDIR%/System32/eventcreate.exe</directories>
> >     <directories check_all="yes">%WINDIR%/System32/eventtriggers.exe</directories>
> >     <directories check_all="yes">%WINDIR%/System32/ftp.exe</directories>
> >     <directories check_all="yes">%WINDIR%/System32/net.exe</directories>
> >     <directories check_all="yes">%WINDIR%/System32/net1.exe</directories>
> >     <directories check_all="yes">%WINDIR%/System32/netsh.exe</directories>
> >     <directories check_all="yes">%WINDIR%/System32/rcp.exe</directories>
> >     <directories check_all="yes">%WINDIR%/System32/reg.exe</directories>
> >     <directories check_all="yes">%WINDIR%/regedit.exe</directories>
> >     <directories check_all="yes">%WINDIR%/System32/regedt32.exe</directories>
> >     <directories check_all="yes">%WINDIR%/System32/regsvr32.exe</directories>
> >     <directories check_all="yes">%WINDIR%/System32/rexec.exe</directories>
> >     <directories check_all="yes">%WINDIR%/System32/rsh.exe</directories>
> >     <directories check_all="yes">%WINDIR%/System32/runas.exe</directories>
> >     <directories check_all="yes">%WINDIR%/System32/sc.exe</directories>
> >     <directories check_all="yes">%WINDIR%/System32/subst.exe</directories>
> >     <directories check_all="yes">%WINDIR%/System32/telnet.exe</directories>
> >     <directories check_all="yes">%WINDIR%/System32/tftp.exe</directories>
> >     <directories check_all="yes">%WINDIR%/System32/tlntsvr.exe</directories>
> >     <directories check_all="yes">%WINDIR%/System32/drivers/etc</directories>
> >     <directories check_all="yes" realtime="yes">C:\Documents and Settings/All Users/Start Menu/Programs/Startup</directories>
> >     <directories check_all="yes" realtime="yes">C:\Users/Public/All Users/Microsoft/Windows/Start Menu/Startup</directories>
> >     <ignore type="sregex">.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$</ignore>
> >
> >     <!-- Windows registry entries to monitor. -->
> >     <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\batfile</windows_registry>
> >     <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\cmdfile</windows_registry>
> >     <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\comfile</windows_registry>
> >     <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\exefile</windows_registry>
> >     <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\piffile</windows_registry>
> >     <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects</windows_registry>
> >     <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Directory</windows_registry>
> >     <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Folder</windows_registry>
> >     <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Protocols</windows_registry>
> >     <windows_registry>HKEY_LOCAL_MACHINE\Software\Policies</windows_registry>
> >     <windows_registry>HKEY_LOCAL_MACHINE\Security</windows_registry>
> >     <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer</windows_registry>
> >     <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</windows_registry>
> >     <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs</windows_registry>
> >     <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg</windows_registry>
> >     <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry>
> >     <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</windows_registry>
> >     <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx</windows_registry>
> >     <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL</windows_registry>
> >     <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies</windows_registry>
> >     <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows</windows_registry>
> >     <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon</windows_registry>
> >     <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components</windows_registry>
> >
> >     <!-- Windows registry entries to ignore. -->
> >     <registry_ignore>HKEY_LOCAL_MACHINE\Security\Policy\Secrets</registry_ignore>
> >     <registry_ignore>HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users</registry_ignore>
> >     <registry_ignore type="sregex">\Enum$</registry_ignore>
> >   </syscheck>
> >
> >   <rootcheck>
> >     <windows_audit>./shared/win_audit_rcl.txt</windows_audit>
>
> Another thought, perhaps the path gets screwy with agent.conf? Try
> either setting the absolute path (based on the chroot, so
> /etc/shared/...), or removing "/shared" from the above. Also, make
> sure this file exists.
>
> >     <windows_apps>./shared/win_applications_rcl.txt</windows_apps>
> >     <windows_malware>./shared/win_malware_rcl.txt</windows_malware>
> >   </rootcheck>
> >
> > ....
> >
> > And ossec.conf in Windows 2012 client is:
> >
> > <ossec_config>
> >   <client>
> >     <server-hostname>ossec.domain.com</server-hostname>
> >     <port>11555</port>
> >     <config-profile>WinServers</config-profile>
> >   </client>
> > </ossec_config>
> >
> > Any idea??
> >
> > --
> > ---
> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> > For more options, visit https://groups.google.com/groups/opt_out.
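The debug output above shows the agent reading its profile as (null), so a block restricted to profile="WinServers" can never match. The following is an added example (not code from the thread or from the OSSEC project) that applies agent.conf block selection to one agent and lists the rootcheck files the matching blocks name, so you can see in advance which blocks an agent with a missing profile would pick up. The matching rules it implements are my reading of OSSEC's centralized configuration and are an assumption: a block with no attributes applies to every agent, name="" must equal the agent name, profile="" must contain the agent's config-profile (comma-separated list), and os="" is matched as a substring. The sample agent.conf and agent names are constructed for the example.

```python
# Added example: apply agent.conf block-selection rules to one agent and
# list the rootcheck files the applicable blocks reference.
# Matching rules below are an assumption about OSSEC behaviour, not taken
# from the project's source.
import os
import xml.etree.ElementTree as ET

# Constructed sample agent.conf (not the poster's file): three blocks with
# different selectors.
SAMPLE_AGENT_CONF = """
<agent_config>
  <syscheck>
    <frequency>43200</frequency>
  </syscheck>
</agent_config>

<agent_config profile="WinServers,WinDesktops">
  <rootcheck>
    <windows_audit>./shared/win_audit_rcl.txt</windows_audit>
    <windows_apps>./shared/win_applications_rcl.txt</windows_apps>
    <windows_malware>./shared/win_malware_rcl.txt</windows_malware>
  </rootcheck>
</agent_config>

<agent_config name="dbserver01">
  <rootcheck>
    <windows_audit>./shared/win_audit_rcl.txt</windows_audit>
  </rootcheck>
</agent_config>
"""

ROOTCHECK_TAGS = ("windows_audit", "windows_apps", "windows_malware")


def parse_blocks(text):
    """agent.conf holds several top-level <agent_config> elements, so it is
    not one well-formed XML document; wrap it in a dummy root before parsing."""
    root = ET.fromstring("<root>" + text + "</root>")
    return root.findall("agent_config")


def block_applies(block, agent_name, profile=None, os_name=None):
    """True if every selector attribute on the block matches this agent.
    profile=None models the failure in the thread, where the agent reports
    its profile as (null): no profile-restricted block can match then."""
    for attr, value in block.attrib.items():
        wanted = [v.strip() for v in value.split(",") if v.strip()]
        if attr == "name" and agent_name not in wanted:
            return False
        if attr == "profile" and (profile is None or profile not in wanted):
            return False
        if attr == "os" and (os_name is None or not any(w in os_name for w in wanted)):
            return False
    return True


def applicable_blocks(text, agent_name, profile=None, os_name=None):
    """0-based indexes, in file order, of the blocks that apply to the agent."""
    return [i for i, b in enumerate(parse_blocks(text))
            if block_applies(b, agent_name, profile, os_name)]


def rootcheck_files(text, agent_name, profile=None, os_name=None):
    """(tag, path) pairs for every rootcheck file the applicable blocks name."""
    blocks = parse_blocks(text)
    out = []
    for i in applicable_blocks(text, agent_name, profile, os_name):
        for rc in blocks[i].findall("rootcheck"):
            for tag in ROOTCHECK_TAGS:
                for el in rc.findall(tag):
                    out.append((tag, el.text.strip()))
    return out


def missing_files(pairs, install_dir):
    """Resolve each rootcheck path against the agent install directory
    (relative paths such as ./shared/... are taken relative to it) and return
    the ones that do not exist, the second thing dan asks the poster to verify."""
    return [p for _, p in pairs
            if not os.path.exists(os.path.join(install_dir, p.replace("\\", "/")))]


if __name__ == "__main__":
    # With the profile present the WinServers block applies; with a (null)
    # profile only the unrestricted block does, and no rootcheck files are set.
    for prof in ("WinServers", None):
        idx = applicable_blocks(SAMPLE_AGENT_CONF, "server01", profile=prof)
        files = [p for _, p in rootcheck_files(SAMPLE_AGENT_CONF, "server01", profile=prof)]
        print(f"profile={prof!r}: blocks {idx}, rootcheck files {files}")
```

Run it against a real agent.conf by replacing SAMPLE_AGENT_CONF with the file contents and passing the agent's name and `<config-profile>` value; an empty rootcheck list for a profile-restricted block is the same symptom as the "No winaudit file configured" lines in the original post.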
