All, I just do not understand how integrity checking identifies and
reports, because it does not report for me. I spent the better part of
three days configuring and reconfiguring to no avail. If I change, add, or
delete a file on my Win2012 host, nothing reports to the Ossec server... or
should I say I do not get an alert.
- Configuration: OSSEC 2.7
- Server RH 6.4
- Agent Windows Server 2012
- ossec-agent directory permissions: ossec-agent full control to subfolders and files (to eliminate any permission issues)
- syscheck (syscheckregistry.db) directory shows no updates for the past 10 days
- Agent shows active on the server through agent_control -lc
- active response works from the agent to the server
- Rule 554 (see below) does not show up in alerts.log after two days of waiting and restarting etc.
- I added, changed and deleted files in directories monitored under syscheck. Many changes in this directory: <directories check_all="yes">%WINDIR%/System32/drivers/etc</directories>
- /var/ossec/queue/diff only contains my RH and Solaris agents
- /var/ossec/queue/syscheck contains the following:
-rwxr-----. 1 ossec ossec 3976 Mar 12 13:03 (Window8) 192.168.1.1->syscheck
-rw-r-----. 1 ossec ossec 723441 Mar 15 04:27 (Window8) 192.168.1.1->syscheck-registry
***BTW, off topic: why does syscheck-registry not show up as a file?***
-rwxr-----. 1 ossec ossec 644163 Mar 12 23:36 (Solaris10) 192.168.1.10->syscheck
-rwxr-----. 1 ossec ossec 1173984 Mar 27 22:39 syscheck
-rwxr-----. 1 ossec ossec 3870 Mar 27 22:06 (Win2012) 192.168.1.7->syscheck
-rw-r-----. 1 ossec ossec 612144 Mar 15 04:26 (Win2012) 192.168.1.7->syscheck-registry
So something is going into the Win2012 file, but when I look in syscheck, only Unix-style directories are in there, and none of the files or directories I created on the Win2012 server.
*Ossec Server configuration*
ossec.conf
<syscheck>
<frequency>7200</frequency>
<alert_new_files>yes</alert_new_files>
<auto_ignore>no</auto_ignore>
<disabled>no</disabled>
...
<!-- Directories to check (perform all possible verifications) -->
<directories report_changes="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
<directories report_changes="yes" check_all="yes">/bin,/sbin</directories>
ossec_rules.xml **<- yes, I know this will get overwritten, but I want to eliminate any mistakes for this test. I will move to local_rules when successful**
<rule id="554" level="10">
<category>ossec</category>
<decoded_as>syscheck_new_entry</decoded_as>
<description>File added to the system.</description>
<group>syscheck,</group>
</rule>
*Agent configuration*
ossec.conf
<syscheck>
<frequency>72000</frequency>
<disabled>no</disabled>
<!-- Default files to be monitored - system32 only. -->
<directories check_all="yes">%WINDIR%/win.ini</directories>
<directories check_all="yes">%WINDIR%/system.ini</directories>
<directories check_all="yes">C:\autoexec.bat</directories>
<directories check_all="yes">C:\config.sys</directories>
<directories check_all="yes">C:\boot.ini</directories>
<directories check_all="yes">%WINDIR%/System32/CONFIG.NT</directories>
<directories check_all="yes">%WINDIR%/System32/AUTOEXEC.NT</directories>
<directories check_all="yes">%WINDIR%/System32/drivers/etc</directories>
etcetera...
Agent ossec.log
2013/03/27 22:56:42 ossec-execd: INFO: Started (pid: 3612).
2013/03/27 22:56:42 ossec-agent(1410): INFO: Reading authentication keys file.
2013/03/27 22:56:42 ossec-agent: INFO: Assigning counter for agent Win2012: '0:2291'.
2013/03/27 22:56:42 ossec-agent: INFO: Assigning sender counter: 21:5388
2013/03/27 22:56:42 ossec-agent: INFO: Trying to connect to server (192.168.1.8:1024).
2013/03/27 22:56:42 ossec-agent: INFO: Using IPv4 for: 192.168.1.8 .
2013/03/27 22:56:42 ossec-agent: Starting syscheckd thread.
2013/03/27 22:56:42 ossec-rootcheck: INFO: Started (pid: 3612).
2013/03/27 22:56:42 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\batfile'.
2013/03/27 22:56:42 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\cmdfile'.
2013/03/27 22:56:42 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\comfile'.
2013/03/27 22:56:42 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\exefile'.
2013/03/27 22:56:42 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\piffile'.
2013/03/27 22:56:42 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects'.
2013/03/27 22:56:42 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\Directory'.
2013/03/27 22:56:42 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\Folder'.
2013/03/27 22:56:42 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\Protocols'.
2013/03/27 22:56:42 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Policies'.
2013/03/27 22:56:42 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Security'.
2013/03/27 22:56:42 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer'.
2013/03/27 22:56:42 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services'.
2013/03/27 22:56:42 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs'.
2013/03/27 22:56:42 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg'.
2013/03/27 22:56:42 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run'.
2013/03/27 22:56:42 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce'.
2013/03/27 22:56:42 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx'.
2013/03/27 22:56:42 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL'.
2013/03/27 22:56:42 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies'.
2013/03/27 22:56:42 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows'.
2013/03/27 22:56:42 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'.
2013/03/27 22:56:42 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components'.
2013/03/27 22:56:42 ossec-agent: INFO: Monitoring directory: 'C:\Windows/win.ini'.
2013/03/27 22:56:42 ossec-agent: INFO: Monitoring directory: 'C:\Windows/system.ini'.
2013/03/27 22:56:42 ossec-agent: INFO: Monitoring directory: 'C:\autoexec.bat'.
2013/03/27 22:56:42 ossec-agent: INFO: Monitoring directory: 'C:\config.sys'.
2013/03/27 22:56:42 ossec-agent: INFO: Monitoring directory: 'C:\boot.ini'.
2013/03/27 22:56:42 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/CONFIG.NT'.
2013/03/27 22:56:42 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/AUTOEXEC.NT'.
2013/03/27 22:56:42 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/at.exe'.
2013/03/27 22:56:42 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/attrib.exe'.
2013/03/27 22:56:42 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/cacls.exe'.
2013/03/27 22:56:42 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/debug.exe'.
2013/03/27 22:56:42 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/drwatson.exe'.
2013/03/27 22:56:42 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/drwtsn32.exe'.
2013/03/27 22:56:42 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/edlin.exe'.
2013/03/27 22:56:42 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/eventcreate.exe'.
2013/03/27 22:56:42 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/eventtriggers.exe'.
2013/03/27 22:56:42 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/ftp.exe'.
2013/03/27 22:56:42 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/net.exe'.
2013/03/27 22:56:42 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/net1.exe'.
2013/03/27 22:56:42 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/netsh.exe'.
2013/03/27 22:56:42 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/rcp.exe'.
2013/03/27 22:56:42 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/reg.exe'.
2013/03/27 22:56:42 ossec-agent: INFO: Monitoring directory: 'C:\Windows/regedit.exe'.
2013/03/27 22:56:42 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/regedt32.exe'.
2013/03/27 22:56:42 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/regsvr32.exe'.
2013/03/27 22:56:42 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/rexec.exe'.
2013/03/27 22:56:42 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/rsh.exe'.
2013/03/27 22:56:42 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/runas.exe'.
2013/03/27 22:56:42 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/sc.exe'.
2013/03/27 22:56:42 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/subst.exe'.
2013/03/27 22:56:42 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/telnet.exe'.
2013/03/27 22:56:42 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/tftp.exe'.
2013/03/27 22:56:42 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/tlntsvr.exe'.
2013/03/27 22:56:42 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/drivers/etc'.
2013/03/27 22:56:42 ossec-agent: INFO: Monitoring directory: 'C:\Documents and Settings/All Users/Start Menu/Programs/Startup'.
2013/03/27 22:56:42 ossec-agent: INFO: Monitoring directory: 'C:\Users/Public/All Users/Microsoft/Windows/Start Menu/Startup'.
2013/03/27 22:56:42 ossec-agent: INFO: Started (pid: 3612).
2013/03/27 22:56:43 ossec-agent(4102): INFO: Connected to the server (192.168.1.8:1024).
2013/03/27 22:56:43 ossec-agent(1951): INFO: Analyzing event log: 'Application'.
2013/03/27 22:56:43 ossec-agent(1951): INFO: Analyzing event log: 'Security'.
2013/03/27 22:56:45 ossec-agent(1951): INFO: Analyzing event log: 'System'.
2013/03/27 22:56:45 ossec-agent: INFO: Started (pid: 3612).
2013/03/27 22:57:42 ossec-agent: INFO: Starting syscheck scan (forwarding database).
2013/03/27 22:57:42 ossec-agent: INFO: Starting syscheck database (pre-scan).
2013/03/27 22:57:42 ossec-agent: WARN: Error opening directory: 'C:\boot.ini': No such file or directory
2013/03/27 22:57:42 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/CONFIG.NT': No such file or directory
2013/03/27 22:57:42 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/AUTOEXEC.NT': No such file or directory
2013/03/27 22:57:42 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/debug.exe': No such file or directory
2013/03/27 22:57:42 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/drwatson.exe': No such file or directory
2013/03/27 22:57:42 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/drwtsn32.exe': No such file or directory
2013/03/27 22:57:42 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/edlin.exe': No such file or directory
2013/03/27 22:57:42 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/eventtriggers.exe': No such file or directory
2013/03/27 22:57:42 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/rcp.exe': No such file or directory
2013/03/27 22:57:42 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/rexec.exe': No such file or directory
2013/03/27 22:57:42 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/rsh.exe': No such file or directory
2013/03/27 22:57:44 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/telnet.exe': No such file or directory
2013/03/27 22:57:44 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/tftp.exe': No such file or directory
2013/03/27 22:57:44 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/tlntsvr.exe': No such file or directory
2013/03/27 22:57:44 ossec-agent: INFO: Initializing real time file monitoring (not started).
2013/03/27 22:57:44 ossec-agent: WARN: Error opening directory: 'C:\Users/Public/All Users/Microsoft/Windows/Start Menu/Startup': No such file or directory
2013/03/27 22:57:44 ossec-agent: INFO: Real time file monitoring started.
2013/03/27 22:57:44 ossec-agent: INFO: Finished creating syscheck database (pre-scan completed).
2013/03/27 22:57:54 ossec-agent: INFO: Ending syscheck scan (forwarding database).
2013/03/27 22:58:14 ossec-agent: INFO: Starting rootcheck scan.
2013/03/27 22:58:19 ossec-agent: INFO: Ending rootcheck scan.
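As an added triage helper (not code from the post or from OSSEC itself), the script below reads an agent <syscheck> block and agent ossec.log lines of the kind shown above and reports the facts that matter for a missing syscheck alert: how many hours the scheduled scan interval is, which configured paths carry no realtime="yes" attribute and are therefore only re-checked at that interval, which configured paths the agent could not open, and whether a full scan actually completed. The XML and log samples are constructed in the post's own format; the 79200-second default frequency and the realtime attribute semantics are assumed from OSSEC 2.7 documentation.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the agent <syscheck> block from the post, trimmed to three entries.
AGENT_SYSCHECK = """<syscheck>
<frequency>72000</frequency>
<disabled>no</disabled>
<directories check_all="yes">%WINDIR%/win.ini</directories>
<directories check_all="yes">C:\\boot.ini</directories>
<directories check_all="yes">%WINDIR%/System32/drivers/etc</directories>
</syscheck>"""

# Constructed sample: agent ossec.log lines in the format the post shows.
AGENT_LOG = """2013/03/27 22:56:42 ossec-agent: INFO: Monitoring directory: 'C:\\Windows/win.ini'.
2013/03/27 22:56:42 ossec-agent: INFO: Monitoring directory: 'C:\\boot.ini'.
2013/03/27 22:56:42 ossec-agent: INFO: Monitoring directory: 'C:\\Windows/System32/drivers/etc'.
2013/03/27 22:57:42 ossec-agent: INFO: Starting syscheck scan (forwarding database).
2013/03/27 22:57:42 ossec-agent: WARN: Error opening directory: 'C:\\boot.ini': No such file or directory
2013/03/27 22:57:44 ossec-agent: INFO: Real time file monitoring started.
2013/03/27 22:57:54 ossec-agent: INFO: Ending syscheck scan (forwarding database)."""

def parse_syscheck(xml_text):
    """Return the scan interval in hours and each configured path with its realtime flag."""
    root = ET.fromstring(xml_text)
    freq = int(root.findtext("frequency", default="79200"))  # assumed OSSEC default: 79200 s
    entries = []
    for node in root.findall("directories"):
        for path in node.text.split(","):  # one element may list several comma-separated paths
            entries.append({"path": path.strip(), "realtime": node.get("realtime") == "yes"})
    return {"frequency_hours": freq / 3600, "directories": entries}

def report(xml_text, log_text):
    """Combine config and log: paths that depend on the scheduled scan, paths that never
    opened, and whether a full scan and the realtime thread actually ran."""
    conf = parse_syscheck(xml_text)
    return {
        "next_scan_within_hours": conf["frequency_hours"],
        "polling_only": [d["path"] for d in conf["directories"] if not d["realtime"]],
        "monitored_paths": len(re.findall(r"Monitoring directory: '", log_text)),
        "missing_on_disk": re.findall(r"Error opening directory: '(.+?)': No such file", log_text),
        "scans_completed": len(re.findall(r"Ending syscheck scan", log_text)),
        "realtime_thread": "Real time file monitoring started" in log_text,
    }

if __name__ == "__main__":
    for key, value in report(AGENT_SYSCHECK, AGENT_LOG).items():
        print(f"{key}: {value}")
```

With the post's own settings this shows a 20-hour interval and every path in the polling-only list, so a change made between scans produces nothing on the server until the next scheduled scan runs.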