On Thu, Mar 28, 2013 at 12:36 AM, TWAD <[email protected]> wrote:
> All, I just do not understand how integrity checking identifies and reports,
> because it does not report for me. I spent the better part of three days
> configuring and reconfiguring to no avail. If I change, add, or delete a
> file on my Win2012 host, nothing reports to the Ossec server... or should I
> say I do not get an alert.
>
Is there no alert, or do you just not receive an alert? Do the alerts show up in
/var/ossec/logs/alerts/alerts.log?

> Configuration: OSSEC 2.7
> Server RH 6.4
> Agent Windows Server 2012

I couldn't find this for sale on Newegg, is there another name it goes by?

> ossec-agent directory permissions: ossec-agent full control to subfolders
> and files (to eliminate any permission issues)
> syscheck (syscheckregistry.db) directory shows no updates for the past 10
> days
> Agent shows active on the server through agent_control -lc
> active response works from the agent to the server
> Rule 554 (see below) does not show up in alerts.log after two days of
> waiting and restarting etc
> I added, changed and deleted files in directories monitored under syscheck.
> Many changes in this directory:
> <directories check_all="yes">%WINDIR%/System32/drivers/etc</directories>
> /var/ossec/queue/diff only contains my RH and Solaris agents
> /var/ossec/queue/syscheck contains the following:
>
> -rwxr-----. 1 ossec ossec    3976 Mar 12 13:03 (Window8) 192.168.1.1->syscheck
> -rw-r-----. 1 ossec ossec  723441 Mar 15 04:27 (Window8) 192.168.1.1->syscheck-registry
> ***BTW, off topic why does syscheck-registry not show up as a file?***

What do you want it to show up as?

> -rwxr-----. 1 ossec ossec  644163 Mar 12 23:36 (Solaris10) 192.168.1.10->syscheck
> -rwxr-----. 1 ossec ossec 1173984 Mar 27 22:39 syscheck
> -rwxr-----. 1 ossec ossec    3870 Mar 27 22:06 (Win2012) 192.168.1.7->syscheck

Are the files you have been modifying in this file? Can you please show us the
line?

> -rw-r-----. 1 ossec ossec  612144 Mar 15 04:26 (Win2012) 192.168.1.7->syscheck-registry
> So something is going into the Win2012 file but when I look in syscheck,
> only Unix-style directories are in there, and none of the files or
> directories I created in the Win2012 server.

Please give us an example of a unix style directory in the Windows syscheck file.
> Ossec Server configuration
> ossec.conf
> <syscheck>
> <frequency>7200</frequency>
> <alert_new_files>yes</alert_new_files>
> <auto_ignore>no</auto_ignore>
> <disabled>no</disabled>
> ...
>
> <!-- Directories to check (perform all possible verifications) -->
> <directories report_changes="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
> <directories report_changes="yes" check_all="yes">/bin,/sbin</directories>
>
> ossec_rules.xml **<-yes I know this will get overwritten but I want to
> eliminate any mistakes for this test. I will move to local_rules when
> successful**
> <rule id="554" level="10">
> <category>ossec</category>
> <decoded_as>syscheck_new_entry</decoded_as>
> <description>File added to the system.</description>
> <group>syscheck,</group>
> </rule>
>
> Agent configuration
> ossec.conf
>
> <syscheck>
> <frequency>72000</frequency>
> <disabled>no</disabled>
> <!-- Default files to be monitored - system32 only. -->
> <directories check_all="yes">%WINDIR%/win.ini</directories>
> <directories check_all="yes">%WINDIR%/system.ini</directories>
> <directories check_all="yes">C:\autoexec.bat</directories>
> <directories check_all="yes">C:\config.sys</directories>
> <directories check_all="yes">C:\boot.ini</directories>
> <directories check_all="yes">%WINDIR%/System32/CONFIG.NT</directories>
> <directories check_all="yes">%WINDIR%/System32/AUTOEXEC.NT</directories>
> <directories check_all="yes">%WINDIR%/System32/drivers/etc</directories>
>
> etcetera...
>
> Agent ossec.log
> 2013/03/27 22:56:42 ossec-execd: INFO: Started (pid: 3612).
> 2013/03/27 22:56:42 ossec-agent(1410): INFO: Reading authentication keys file.
> 2013/03/27 22:56:42 ossec-agent: INFO: Assigning counter for agent Win2012: '0:2291'.
> 2013/03/27 22:56:42 ossec-agent: INFO: Assigning sender counter: 21:5388
> 2013/03/27 22:56:42 ossec-agent: INFO: Trying to connect to server (192.168.1.8:1024).
> 2013/03/27 22:56:42 ossec-agent: INFO: Using IPv4 for: 192.168.1.8 .
> 2013/03/27 22:56:42 ossec-agent: Starting syscheckd thread.
> 2013/03/27 22:56:42 ossec-rootcheck: INFO: Started (pid: 3612).
> 2013/03/27 22:56:42 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\batfile'.
> 2013/03/27 22:56:42 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\cmdfile'.
> 2013/03/27 22:56:42 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\comfile'.
> 2013/03/27 22:56:42 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\exefile'.
> 2013/03/27 22:56:42 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\piffile'.
> 2013/03/27 22:56:42 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects'.
> 2013/03/27 22:56:42 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\Directory'.
> 2013/03/27 22:56:42 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\Folder'.
> 2013/03/27 22:56:42 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\Protocols'.
> 2013/03/27 22:56:42 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Policies'.
> 2013/03/27 22:56:42 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Security'.
> 2013/03/27 22:56:42 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer'.
> 2013/03/27 22:56:42 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services'.
> 2013/03/27 22:56:42 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs'.
> 2013/03/27 22:56:42 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg'.
> 2013/03/27 22:56:42 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run'.
> 2013/03/27 22:56:42 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce'.
> 2013/03/27 22:56:42 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx'.
> 2013/03/27 22:56:42 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL'.
> 2013/03/27 22:56:42 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies'.
> 2013/03/27 22:56:42 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows'.
> 2013/03/27 22:56:42 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'.
> 2013/03/27 22:56:42 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components'.
> 2013/03/27 22:56:42 ossec-agent: INFO: Monitoring directory: 'C:\Windows/win.ini'.
> 2013/03/27 22:56:42 ossec-agent: INFO: Monitoring directory: 'C:\Windows/system.ini'.
> 2013/03/27 22:56:42 ossec-agent: INFO: Monitoring directory: 'C:\autoexec.bat'.
> 2013/03/27 22:56:42 ossec-agent: INFO: Monitoring directory: 'C:\config.sys'.
> 2013/03/27 22:56:42 ossec-agent: INFO: Monitoring directory: 'C:\boot.ini'.
> 2013/03/27 22:56:42 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/CONFIG.NT'.
> 2013/03/27 22:56:42 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/AUTOEXEC.NT'.
> 2013/03/27 22:56:42 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/at.exe'.
> 2013/03/27 22:56:42 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/attrib.exe'.
> 2013/03/27 22:56:42 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/cacls.exe'.
> 2013/03/27 22:56:42 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/debug.exe'.
> 2013/03/27 22:56:42 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/drwatson.exe'.
> 2013/03/27 22:56:42 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/drwtsn32.exe'.
> 2013/03/27 22:56:42 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/edlin.exe'.
> 2013/03/27 22:56:42 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/eventcreate.exe'.
> 2013/03/27 22:56:42 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/eventtriggers.exe'.
> 2013/03/27 22:56:42 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/ftp.exe'.
> 2013/03/27 22:56:42 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/net.exe'.
> 2013/03/27 22:56:42 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/net1.exe'.
> 2013/03/27 22:56:42 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/netsh.exe'.
> 2013/03/27 22:56:42 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/rcp.exe'.
> 2013/03/27 22:56:42 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/reg.exe'.
> 2013/03/27 22:56:42 ossec-agent: INFO: Monitoring directory: 'C:\Windows/regedit.exe'.
> 2013/03/27 22:56:42 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/regedt32.exe'.
> 2013/03/27 22:56:42 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/regsvr32.exe'.
> 2013/03/27 22:56:42 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/rexec.exe'.
> 2013/03/27 22:56:42 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/rsh.exe'.
> 2013/03/27 22:56:42 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/runas.exe'.
> 2013/03/27 22:56:42 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/sc.exe'.
> 2013/03/27 22:56:42 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/subst.exe'.
> 2013/03/27 22:56:42 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/telnet.exe'.
> 2013/03/27 22:56:42 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/tftp.exe'.
> 2013/03/27 22:56:42 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/tlntsvr.exe'.
> 2013/03/27 22:56:42 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/drivers/etc'.
> 2013/03/27 22:56:42 ossec-agent: INFO: Monitoring directory: 'C:\Documents and Settings/All Users/Start Menu/Programs/Startup'.
> 2013/03/27 22:56:42 ossec-agent: INFO: Monitoring directory: 'C:\Users/Public/All Users/Microsoft/Windows/Start Menu/Startup'.
> 2013/03/27 22:56:42 ossec-agent: INFO: Started (pid: 3612).
> 2013/03/27 22:56:43 ossec-agent(4102): INFO: Connected to the server (192.168.1.8:1024).
> 2013/03/27 22:56:43 ossec-agent(1951): INFO: Analyzing event log: 'Application'.
> 2013/03/27 22:56:43 ossec-agent(1951): INFO: Analyzing event log: 'Security'.
> 2013/03/27 22:56:45 ossec-agent(1951): INFO: Analyzing event log: 'System'.
> 2013/03/27 22:56:45 ossec-agent: INFO: Started (pid: 3612).
> 2013/03/27 22:57:42 ossec-agent: INFO: Starting syscheck scan (forwarding database).
> 2013/03/27 22:57:42 ossec-agent: INFO: Starting syscheck database (pre-scan).
> 2013/03/27 22:57:42 ossec-agent: WARN: Error opening directory: 'C:\boot.ini': No such file or directory
> 2013/03/27 22:57:42 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/CONFIG.NT': No such file or directory
> 2013/03/27 22:57:42 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/AUTOEXEC.NT': No such file or directory
> 2013/03/27 22:57:42 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/debug.exe': No such file or directory
> 2013/03/27 22:57:42 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/drwatson.exe': No such file or directory
> 2013/03/27 22:57:42 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/drwtsn32.exe': No such file or directory
> 2013/03/27 22:57:42 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/edlin.exe': No such file or directory
> 2013/03/27 22:57:42 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/eventtriggers.exe': No such file or directory
> 2013/03/27 22:57:42 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/rcp.exe': No such file or directory
> 2013/03/27 22:57:42 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/rexec.exe': No such file or directory
> 2013/03/27 22:57:42 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/rsh.exe': No such file or directory
> 2013/03/27 22:57:44 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/telnet.exe': No such file or directory
> 2013/03/27 22:57:44 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/tftp.exe': No such file or directory
> 2013/03/27 22:57:44 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/tlntsvr.exe': No such file or directory
> 2013/03/27 22:57:44 ossec-agent: INFO: Initializing real time file monitoring (not started).
> 2013/03/27 22:57:44 ossec-agent: WARN: Error opening directory: 'C:\Users/Public/All Users/Microsoft/Windows/Start Menu/Startup': No such file or directory
> 2013/03/27 22:57:44 ossec-agent: INFO: Real time file monitoring started.
> 2013/03/27 22:57:44 ossec-agent: INFO: Finished creating syscheck database (pre-scan completed).
> 2013/03/27 22:57:54 ossec-agent: INFO: Ending syscheck scan (forwarding database).
> 2013/03/27 22:58:14 ossec-agent: INFO: Starting rootcheck scan.
> 2013/03/27 22:58:19 ossec-agent: INFO: Ending rootcheck scan.
>
> --
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
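The two questions the reply asks (is the path that was modified present in the Win2012 file under /var/ossec/queue/syscheck, and does rule 554 show up in alerts.log) can be answered with a small script run on the server. The script below is an added example, not code from this thread or from OSSEC. The layout it assumes for a server-side syscheck line (a three-character change flag, then size:perm:uid:gid:md5:sha1, then !epoch and the path) and for an alerts.log block (the "** Alert" header, the "(agent) ip->location" line, the "Rule:" line, then the body) is my reading of OSSEC 2.x and should be checked against your own files; every sample line in it is constructed and not taken from the poster's systems.

```python
# Added example, not code from the thread or from OSSEC. Server-side triage for an
# agent whose syscheck seems silent: is the modified path in the agent's file under
# /var/ossec/queue/syscheck, and did rule 554 (or 550/553) fire in alerts.log?
# ASSUMED formats (OSSEC 2.x; verify against your own files):
#   syscheck line: <flags><size>:<perm>:<uid>:<gid>:<md5>:<sha1> !<epoch> <path>
#     <flags> starts as '+++'; each detected change turns one '+' into '!' from
#     the left, so '!!!' is an entry changed three times (what auto_ignore acts on).
#   alerts.log: blocks of "** Alert <ts>: ...", "<date> (<agent>) <ip>-><location>",
#     "Rule: <id> (level <n>) -> '<desc>'", then body lines.
# All sample input below is constructed.
import re
from dataclasses import dataclass
from typing import Dict, List

# Stand-in for "(Win2012) 192.168.1.7->syscheck"; digests are of "" and "abc".
SAMPLE_DB = """\
+++824:0:0:0:d41d8cd98f00b204e9800998ecf8427e:da39a3ee5e6b4b0d3255bfef95601890afd80709 !1364432862 C:\\Windows/win.ini
+++219:0:0:0:d41d8cd98f00b204e9800998ecf8427e:da39a3ee5e6b4b0d3255bfef95601890afd80709 !1364432862 C:\\Windows/System32/drivers/etc/hosts
!++240:0:0:0:900150983cd24fb0d6963f7d28e17f72:a9993e364706816aba3e25717850c26c9cd0d89d !1364436000 C:\\Windows/System32/drivers/etc/hosts
+++12:0:0:0:900150983cd24fb0d6963f7d28e17f72:a9993e364706816aba3e25717850c26c9cd0d89d !1364436010 C:\\Windows/System32/drivers/etc/test.txt
"""
# Stand-in for /var/ossec/logs/alerts/alerts.log.
SAMPLE_ALERTS = """\
** Alert 1364436000.1234: - ossec,syscheck,
2013 Mar 28 00:40:00 (Win2012) 192.168.1.7->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: 'C:\\Windows/System32/drivers/etc/hosts'

** Alert 1364436010.5678: - ossec,syscheck,
2013 Mar 28 00:40:10 (Win2012) 192.168.1.7->syscheck
Rule: 554 (level 10) -> 'File added to the system.'
New file 'C:\\Windows/System32/drivers/etc/test.txt' added to the file system.
"""

DB_LINE = re.compile(r"^(?P<flags>[+!]{3})(?P<csum>\S+) !(?P<epoch>\d+) (?P<path>.+)$")
ALERT_SOURCE = re.compile(r"^\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2} "
                          r"(?:\((?P<agent>[^)]+)\) \S+|(?P<host>\S+))->(?P<location>\S+)$")
ALERT_RULE = re.compile(r"^Rule: (?P<id>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")

@dataclass
class SyscheckEntry:
    path: str
    changes: int   # count of '!' in the flags
    size: str
    md5: str
    sha1: str
    epoch: int
    raw: str       # the exact line, for pasting into a reply

@dataclass
class Alert:
    agent: str
    rule_id: int
    level: int
    description: str
    body: str

def norm(path: str) -> str:
    """Agents report mixed separators ('C:\\Windows/win.ini'); compare loosely."""
    return path.replace("\\", "/").lower()

def parse_syscheck_db(text: str) -> Dict[str, SyscheckEntry]:
    """Last line per path wins: updated entries are appended, so newest state is last."""
    db: Dict[str, SyscheckEntry] = {}
    for line in text.splitlines():
        m = DB_LINE.match(line) if line and not line.startswith("#") else None
        if not m or len(fields := m.group("csum").split(":")) < 6:
            continue
        db[norm(m.group("path"))] = SyscheckEntry(
            m.group("path"), m.group("flags").count("!"), fields[0],
            fields[4], fields[5], int(m.group("epoch")), line)
    return db

def find_entries(db: Dict[str, SyscheckEntry], fragment: str) -> List[SyscheckEntry]:
    """Entries whose path contains the fragment, e.g. 'drivers\\etc'."""
    frag = norm(fragment)
    return [e for k, e in sorted(db.items()) if frag in k]

def parse_alerts(text: str) -> List[Alert]:
    alerts: List[Alert] = []
    for block in re.split(r"\n(?=\*\* Alert )", text.strip()):
        lines = block.splitlines()
        if len(lines) < 3 or not lines[0].startswith("** Alert "):
            continue
        src, rule = ALERT_SOURCE.match(lines[1]), ALERT_RULE.match(lines[2])
        if src and rule:
            alerts.append(Alert(src.group("agent") or src.group("host"),
                                int(rule.group("id")), int(rule.group("level")),
                                rule.group("desc"),
                                "\n".join(l for l in lines[3:] if l.strip())))
    return alerts

def syscheck_alerts(alerts: List[Alert], agent: str, rule_ids=(550, 553, 554)) -> List[Alert]:
    """Integrity alerts (changed/deleted/added) attributed to one agent."""
    return [a for a in alerts if a.agent == agent and a.rule_id in rule_ids]

def diagnose(db_text: str, alerts_text: str, agent: str, fragment: str) -> dict:
    entries = find_entries(parse_syscheck_db(db_text), fragment)
    hits = syscheck_alerts(parse_alerts(alerts_text), agent)
    return {"db_entries": entries, "syscheck_alerts": hits,
            "auto_ignore_candidates": [e for e in entries if e.changes >= 3],
            "rule_554_fired": any(a.rule_id == 554 for a in hits)}
```

To use it on the server, read "/var/ossec/queue/syscheck/(Win2012) 192.168.1.7->syscheck" and "/var/ossec/logs/alerts/alerts.log" and pass them to diagnose() in place of the two samples, with "drivers/etc" as the fragment. The raw field of each entry is the line the reply asks to see. No line at all for a path you changed means the agent never forwarded it, which points at the agent side; a line that is present and updated without any 550/553/554 alert points at the server's decoder and rule side.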
