On Thursday, September 26, 2013 2:59:08 PM UTC+1, dan (ddpbsd) wrote:
>
> On Wed, Sep 25, 2013 at 8:18 AM, Chris H <[email protected]> wrote:
> > An update to this. It appears that on Windows Server 2012 agent.conf
> > doesn't work with OS either. I get this in the log files, and it's not
> > monitoring anything:
> >
> > 2013/09/25 13:16:49 ossec-agent(1702): INFO: No directory provided for syscheck to monitor.
> > 2013/09/25 13:16:49 ossec-agent: WARN: Syscheck disabled.
> >
> > Thanks
> >
>
> Look to see how OSSEC gets the OS information, and find out what 2012
> gives. With that info we might be able to get it working.
>
Thanks Dan. I presume I'm looking for something in the logs? I've enabled debug, but not seeing anything:

2013/09/26 15:24:07 ossec-agent: DEBUG: Reading agent configuration.
2013/09/26 15:24:07 ossec-agent Using notify time: 600 and max time to reconnect: 1800
2013/09/26 15:24:07 ossec-agent: DEBUG: Reading logcollector configuration.
2013/09/26 15:24:07 ossec-agent: calling os_read_agent_profile().
2013/09/26 15:24:07 ossec-agent: os_read_agent_profile() = [(null)]
2013/09/26 15:24:07 Read agent config profile name [(null)]
2013/09/26 15:24:07 [sftp] did not match agent config profile name [(null)]
2013/09/26 15:24:07 ossec-agent: calling os_read_agent_profile().
2013/09/26 15:24:07 ossec-agent: os_read_agent_profile() = [(null)]
2013/09/26 15:24:07 Read agent config profile name [(null)]
2013/09/26 15:24:07 [dc] did not match agent config profile name [(null)]
2013/09/26 15:24:07 ossec-agent: calling os_read_agent_profile().
2013/09/26 15:24:07 ossec-agent: os_read_agent_profile() = [(null)]
2013/09/26 15:24:07 Read agent config profile name [(null)]
2013/09/26 15:24:07 [dhcp] did not match agent config profile name [(null)]
2013/09/26 15:24:07 ossec-agent: calling os_read_agent_profile().
2013/09/26 15:24:07 ossec-agent: os_read_agent_profile() = [(null)]
2013/09/26 15:24:07 Read agent config profile name [(null)]
2013/09/26 15:24:07 [dns] did not match agent config profile name [(null)]
2013/09/26 15:24:07 ossec-agent: calling os_read_agent_name().
2013/09/26 15:24:07 ossec-agent: os_read_agent_name returned (W-DC-01 ).
2013/09/26 15:24:07 ossec-agent: calling os_read_agent_name().
2013/09/26 15:24:07 ossec-agent: os_read_agent_name returned (W-DC-01 ).
2013/09/26 15:24:07 ossec-execd: INFO: Started (pid: 4100).

Thanks.

> >
> > On Wednesday, September 25, 2013 12:41:31 PM UTC+1, Chris H wrote:
> >>
> >> Sorry to resurrect an old thread, but is there any update to this? I'm
> >> just moving towards a centralised config, and experiencing this issue.
> >> Referencing by OS or name, works, but by config-profile doesn't on Windows.
> >> I've also tried the 2.7.1 beta agent, and seeing the same issue.
> >>
> >> I don't know if it's relevant, but I'm seeing entries like this in the
> >> agent logs if I enable debug logging:
> >>
> >> 2013/09/25 12:40:07 Read agent config profile name [(null)]
> >> 2013/09/25 12:40:07 [dhcp] did not match agent config profile name [(null)]
> >>
> >> 2013/09/25 12:40:07 Read agent config profile name [(null)]
> >> 2013/09/25 12:40:07 [dns] did not match agent config profile name [(null)]
> >>
> >> Thanks
> >>
> >>
> >> On Tuesday, March 5, 2013 11:19:31 PM UTC, dan (ddpbsd) wrote:
> >>>
> >>> On Tue, Mar 5, 2013 at 12:49 AM, Андрей Шевченко <[email protected]> wrote:
> >>> > Is it possible to add this functionality in a future version of ossec-agent
> >>> > for win?
> >>> >
> >>>
> >>> Definitely.
> >>>
> >>> >
> >>> > On Wednesday, February 27, 2013, 10:11:21 UTC+6, Андрей Шевченко wrote:
> >>> >>
> >>> >> It looks like this feature was not included in the ossec-hids/src/win32/
> >>> >> I have not found any changes in the win32 sources.
> >>> >>
> >>> >> On Wednesday, February 27, 2013, 2:01:56 UTC+6, dan (ddpbsd) wrote:
> >>> >>>
> >>> >>> On Thu, Feb 21, 2013 at 6:38 AM, Андрей Шевченко <[email protected]> wrote:
> >>> >>> > I tried to add a bad option and I see that it is not being picked up...
> >>> >>> > Like in my example, I don't see anything related to options in specific
> >>> >>> > agent profile.
> >>> >>> >
> >>> >>>
> >>> >>> You could check the code repository to see if the commits enabling
> >>> >>> this functionality for unixy systems also enabled it for Windows.
> >>> >>>
> >>> >>> > On Tuesday, February 19, 2013, 23:15:44 UTC+6, dan (ddpbsd) wrote:
> >>> >>> >>
> >>> >>> >> On Mon, Feb 18, 2013 at 6:23 AM, Андрей Шевченко <[email protected]> wrote:
> >>> >>> >> > ossec.conf(agent test_PC):
> >>> >>> >> >
> >>> >>> >> >> <ossec_config>
> >>> >>> >> >>   <client>
> >>> >>> >> >>     <config-profile>test1</config-profile>
> >>> >>> >> >>     <server-ip>1.1.1.1</server-ip>
> >>> >>> >> >>   </client>
> >>> >>> >> >>
> >>> >>> >> >>   <active-response>
> >>> >>> >> >>     <disabled>no</disabled>
> >>> >>> >> >>   </active-response>
> >>> >>> >> >> </ossec_config>
> >>> >>> >> >
> >>> >>> >> > agent.conf(server):
> >>> >>> >> >
> >>> >>> >> >> <agent_config name="test_PC">
> >>> >>> >> >>   <syscheck>
> >>> >>> >> >>     <directories check_all="yes">D:/</directories>
> >>> >>> >> >>   </syscheck>
> >>> >>> >> >> </agent_config>
> >>> >>> >> >>
> >>> >>> >> >> <agent_config profile="test1">
> >>> >>> >> >>   <syscheck>
> >>> >>> >> >>     <directories check_all="yes">F:/</directories>
> >>> >>> >> >>   </syscheck>
> >>> >>> >> >> </agent_config>
> >>> >>> >> >>
> >>> >>> >> >> <agent_config os="Windows">
> >>> >>> >> >>   <syscheck>
> >>> >>> >> >>     <directories check_all="yes">C:/</directories>
> >>> >>> >> >>   </syscheck>
> >>> >>> >> >> </agent_config>
> >>> >>> >> >
> >>> >>> >> > ossec.log(agent):
> >>> >>> >> >
> >>> >>> >> >> 2013/02/18 15:41:34 ossec-agent: INFO: Monitoring directory: 'D:/'.
> >>> >>> >> >>
> >>> >>> >> >> 2013/02/18 15:41:34 ossec-agent: INFO: Monitoring directory: 'C:/'.
> >>> >>> >> >
> >>> >>> >> > Disk F is not monitored.
> >>> >>> >> >
> >>> >>> >> > Equal configuration for agent under FreeBSD works fine.
> >>> >>> >> >
> >>> >>> >> > --
> >>> >>> >> >
> >>> >>> >>
> >>> >>> >> You could add a bad option under that profile to see if it's being
> >>> >>> >> picked up, like monitoring a syslog file that doesn't actually exist.
> >>> >>> >>
> >>> >>> >> Other than that, I'd try something like:
> >>> >>> >>
> >>> >>> >> <agent_config profile="test1">
> >>> >>> >>   <syscheck>
> >>> >>> >>     <directories check_all="yes">F:\.</directories> <!-- Notice the "." -->
> >>> >>> >>   </syscheck>
> >>> >>> >> </agent_config>
> >>> >>> >>
> >>> >>> >> I can't test this at the moment, so I don't know for sure that it will
> >>> >>> >> work.
> >>> >>> >>
> >>> >>> >> > ---
> >>> >>> >> > You received this message because you are subscribed to the Google Groups
> >>> >>> >> > "ossec-list" group.
> >>> >>> >> > To unsubscribe from this group and stop receiving emails from it, send an
> >>> >>> >> > email to [email protected].
> >>> >>> >> > For more options, visit https://groups.google.com/groups/opt_out.
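A log triage for the symptom reported in this thread, as an added example that is not part of the original posts or of OSSEC's own code: it scans agent debug output for a null local profile, lists the agent.conf profile names rejected against it, and flags a disabled syscheck. The sample input is log lines quoted in the posts above (from two separate agent runs); the function name `triage` and the result keys are assumptions made for this example.

```python
import re

# Sample input: agent log lines copied from the posts in this thread
# (two separate agent runs, combined here for the example).
SAMPLE_LOG = """\
2013/09/26 15:24:07 ossec-agent: calling os_read_agent_profile().
2013/09/26 15:24:07 ossec-agent: os_read_agent_profile() = [(null)]
2013/09/26 15:24:07 Read agent config profile name [(null)]
2013/09/26 15:24:07 [sftp] did not match agent config profile name [(null)]
2013/09/26 15:24:07 ossec-agent: os_read_agent_profile() = [(null)]
2013/09/26 15:24:07 Read agent config profile name [(null)]
2013/09/26 15:24:07 [dc] did not match agent config profile name [(null)]
2013/09/25 13:16:49 ossec-agent(1702): INFO: No directory provided for syscheck to monitor.
2013/09/25 13:16:49 ossec-agent: WARN: Syscheck disabled.
"""

PROFILE_READ = re.compile(r"os_read_agent_profile\(\) = \[(.*?)\]")
MISMATCH = re.compile(r"\[([^\]]+)\] did not match agent config profile name \[(.*?)\]")


def triage(log_text):
    """Summarise why profile-scoped agent_config blocks were skipped."""
    local_profiles, skipped, syscheck_off = set(), [], False
    for line in log_text.splitlines():
        m = PROFILE_READ.search(line)
        if m:
            local_profiles.add(m.group(1))  # profile the agent read for itself
        m = MISMATCH.search(line)
        if m and m.group(1) not in skipped:
            skipped.append(m.group(1))      # agent.conf profile that was rejected
        if "Syscheck disabled" in line:
            syscheck_off = True
    # "(null)" means the agent reported no profile of its own, so every
    # profile="..." block it compared against that value was rejected.
    profile_missing = bool(local_profiles) and local_profiles <= {"(null)"}
    return {
        "profile_missing": profile_missing,
        "skipped_profiles": skipped,
        "syscheck_disabled": syscheck_off,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A `profile_missing` result together with `syscheck_disabled` means file integrity monitoring is silently off on that host, which is worth alerting on from the manager side.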
