On Friday, March 15, 2013 3:23:03 PM UTC-4, dan (ddpbsd) wrote: > > On Fri, Mar 15, 2013 at 3:16 PM, cmgglist <[email protected] <javascript:>> > wrote: > > > > I'm actually having the exact same problem as carlopmart. > > > > If I dont use agent.conf the problem goes away assuming the agent's > > ossec.conf still has the default config. > > > > If I have a bare bones agent ossec.conf like carlopmart does, the error > > persists even though the ../etc/shared files are pushed. I can even > delete > > these and they re-appear after the agent is restarted. > > > > So I turned on debug agent side and it seems like for some reason the > agent > > never reads the pushed agent.conf file. > > > > 2013/03/15 14:43:31 ossec-agent: calling os_read_agent_profile(). > > 2013/03/15 14:43:31 ossec-agent: os_read_agent_profile() = [(null)] > > 2013/03/15 14:43:31 Read agent config profile name [(null)] > > 2013/03/15 14:43:31 [winhostprofile] did not match agent config profile > name > > [(null)] > > > > There was a thread recently about how profiles don't work with > Windows. I missed that this was a profile issue, assuming it was a > problem with a version of Windows that isn't out yet. >
I see that. Thanks for the reply! > > > Tried dumping the profile option and just going with name= but not all I > see > > in the log is > > > > 2013/03/15 14:45:45 ossec-agent: calling os_read_agent_name() > > 2013/03/15 14:45:45 ossec-agent: os_read_agent_name returned > (mylaptopname > > ). > > > > For now I suppose I'll stick with the default config on the agent and an > > agent.conf with no additional configuration as my primary goal is to use > the > > audit files. What happens then is the files on the server's > ../etc/shared > > still get pushed and audit checks work as configured on the server > because > > the default ossec.conf still reads the audit files from its \shared > > directory. > > > > > > > > On Friday, March 15, 2013 9:02:18 AM UTC-4, dan (ddpbsd) wrote: > >> > >> On Thu, Mar 14, 2013 at 4:35 AM, C. L. Martinez <[email protected]> > >> wrote: > >> > Hi all, > >> > > >> > I am testing Ossec agents under Windows 2012 servers using agent > >> > centralized configuration. And a problem appears: > >> > > >> > 2013/03/14 08:07:16 ossec-agent: INFO: Started (pid: 2832). > >> > > >> > 2013/03/14 08:08:46 ossec-agent: INFO: Starting rootcheck scan. > >> > > >> > 2013/03/14 08:08:46 ossec-agent: No winaudit file configured. > >> > > >> > 2013/03/14 08:08:46 ossec-agent: No winmalware file configured. > >> > > >> > 2013/03/14 08:08:46 ossec-agent: No winapps file configured. > >> > > >> > 2013/03/14 08:08:51 ossec-agent: INFO: Ending rootcheck scan. > >> > > >> > My agent.conf for these Windows 2012 servers is: > >> > > >> > <agent_config profile="WinServers"> > >> > <syscheck> > >> > <!--<scan_on_start>no</scan_on_start>--> > >> > <frequency>43200</frequency> > >> > <!--<scan_time>04:00</scan_time>--> > >> > <directories check_all="yes">%WINDIR%/win.ini</directories> > >> > <directories check_all="yes">%WINDIR%/system.ini</directories> > >> > <directories check_all="yes">C:\autoexec.bat</directories> > >> > <directories check_all="yes">C:\config.sys</directories> > >> > <directories check_all="yes">C:\boot.ini</directories> > >> > <directories > >> > check_all="yes">%WINDIR%/System32/CONFIG.NT</directories> > >> > <directories > >> > check_all="yes">%WINDIR%/System32/AUTOEXEC.NT</directories> > >> > <directories > check_all="yes">%WINDIR%/System32/at.exe</directories> > >> > <directories > >> > check_all="yes">%WINDIR%/System32/attrib.exe</directories> > >> > <directories > >> > check_all="yes">%WINDIR%/System32/cacls.exe</directories> > >> > <directories > >> > check_all="yes">%WINDIR%/System32/debug.exe</directories> > >> > <directories > >> > check_all="yes">%WINDIR%/System32/drwatson.exe</directories> > >> > <directories > >> > check_all="yes">%WINDIR%/System32/drwtsn32.exe</directories> > >> > <directories > >> > check_all="yes">%WINDIR%/System32/edlin.exe</directories> > >> > <directories > >> > check_all="yes">%WINDIR%/System32/eventcreate.exe</directories> > >> > <directories > >> > check_all="yes">%WINDIR%/System32/eventtriggers.exe</directories> > >> > <directories > check_all="yes">%WINDIR%/System32/ftp.exe</directories> > >> > <directories > check_all="yes">%WINDIR%/System32/net.exe</directories> > >> > <directories > >> > check_all="yes">%WINDIR%/System32/net1.exe</directories> > >> > <directories > >> > check_all="yes">%WINDIR%/System32/netsh.exe</directories> > >> > <directories > check_all="yes">%WINDIR%/System32/rcp.exe</directories> > >> > <directories > check_all="yes">%WINDIR%/System32/reg.exe</directories> > >> > <directories check_all="yes">%WINDIR%/regedit.exe</directories> > >> > <directories > >> > check_all="yes">%WINDIR%/System32/regedt32.exe</directories> > >> > <directories > >> > check_all="yes">%WINDIR%/System32/regsvr32.exe</directories> > >> > <directories > >> > check_all="yes">%WINDIR%/System32/rexec.exe</directories> > >> > <directories > check_all="yes">%WINDIR%/System32/rsh.exe</directories> > >> > <directories > >> > check_all="yes">%WINDIR%/System32/runas.exe</directories> > >> > <directories > check_all="yes">%WINDIR%/System32/sc.exe</directories> > >> > <directories > >> > check_all="yes">%WINDIR%/System32/subst.exe</directories> > >> > <directories > >> > check_all="yes">%WINDIR%/System32/telnet.exe</directories> > >> > <directories > >> > check_all="yes">%WINDIR%/System32/tftp.exe</directories> > >> > <directories > >> > check_all="yes">%WINDIR%/System32/tlntsvr.exe</directories> > >> > <directories > >> > check_all="yes">%WINDIR%/System32/drivers/etc</directories> > >> > <directories check_all="yes" realtime="yes">C:\Documents and > >> > Settings/All Users/Start Menu/Programs/Startup</directories> > >> > <directories check_all="yes" realtime="yes">C:\Users/Public/All > >> > Users/Microsoft/Windows/Start Menu/Startup</directories> > >> > <ignore > >> > type="sregex">.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$</ignore> > >> > > >> > <!-- Windows registry entries to monitor. --> > >> > > >> > > <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\batfile</windows_registry> > > > >> > > >> > > <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\cmdfile</windows_registry> > > > >> > > >> > > <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\comfile</windows_registry> > > > >> > > >> > > <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\exefile</windows_registry> > > > >> > > >> > > <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\piffile</windows_registry> > > > >> > > >> > > <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects</windows_registry> > > > >> > > >> > > <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Directory</windows_registry> > > > >> > > >> > > <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Folder</windows_registry> > > > >> > > >> > > <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Protocols</windows_registry> > > > >> > > >> > > <windows_registry>HKEY_LOCAL_MACHINE\Software\Policies</windows_registry> > >> > <windows_registry>HKEY_LOCAL_MACHINE\Security</windows_registry> > >> > <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Internet > >> > Explorer</windows_registry> > >> > > >> > > <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</windows_registry> > > > >> > > >> > > <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session > > >> > Manager\KnownDLLs</windows_registry> > >> > > >> > > <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg</windows_registry> > > > >> > > >> > > <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry> > > > >> > > >> > > <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</windows_registry> > > > >> > > >> > > <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx</windows_registry> > > > >> > > >> > > <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL</windows_registry> > > > >> > > >> > > <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies</windows_registry> > > > >> > <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows > >> > NT\CurrentVersion\Windows</windows_registry> > >> > <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows > >> > NT\CurrentVersion\Winlogon</windows_registry> > >> > <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Active > >> > Setup\Installed Components</windows_registry> > >> > > >> > <!-- Windows registry entries to ignore. --> > >> > > >> > > <registry_ignore>HKEY_LOCAL_MACHINE\Security\Policy\Secrets</registry_ignore> > > >> > > >> > > <registry_ignore>HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users</registry_ignore> > > > >> > <registry_ignore type="sregex">\Enum$</registry_ignore> > >> > </syscheck> > >> > > >> > <rootcheck> > >> > <windows_audit>./shared/win_audit_rcl.txt</windows_audit> > >> > >> Another thought, perhaps the path gets screwy with agent.conf? Try > >> either setting the absolute path (based on the chroot, so > >> /etc/shared/...), or removing "/shared" from the above. Also, make > >> sure this file exists. > >> > >> > <windows_apps>./shared/win_applications_rcl.txt</windows_apps> > >> > <windows_malware>./shared/win_malware_rcl.txt</windows_malware> > >> > </rootcheck> > >> > > >> > .... > >> > > >> > And ossec.conf in Windows 2012 client is: > >> > > >> > <ossec_config> > >> > <client> > >> > <server-hostname>ossec.domain.com</server-hostname> > >> > <port>11555</port> > >> > <config-profile>WinServers</config-profile> > >> > </client> > >> > </ossec_config> > >> > > >> > Any idea?? > >> > > >> > -- > >> > > >> > --- > >> > You received this message because you are subscribed to the Google > >> > Groups "ossec-list" group. > >> > To unsubscribe from this group and stop receiving emails from it, > send > >> > an email to [email protected]. > >> > For more options, visit https://groups.google.com/groups/opt_out. > >> > > >> > > > > > -- > > > > --- > > You received this message because you are subscribed to the Google > Groups > > "ossec-list" group. > > To unsubscribe from this group and stop receiving emails from it, send > an > > email to [email protected] <javascript:>. > > For more options, visit https://groups.google.com/groups/opt_out. > > > > > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/groups/opt_out.
