On Thursday, September 26, 2013 5:25:10 PM UTC+1, Chris H wrote:
>
> On Thursday, September 26, 2013 3:49:39 PM UTC+1, dan (ddpbsd) wrote:
>>
>> On Thu, Sep 26, 2013 at 10:29 AM, Chris H <[email protected]> wrote:
>> >
>> > On Thursday, September 26, 2013 2:59:08 PM UTC+1, dan (ddpbsd) wrote:
>> >>
>> >> On Wed, Sep 25, 2013 at 8:18 AM, Chris H <[email protected]> wrote:
>> >> > An update to this. It appears that on Windows Server 2012 agent.conf
>> >> > doesn't work with OS either. I get this in the log files, and it's not
>> >> > monitoring anything:
>> >> >
>> >> > 2013/09/25 13:16:49 ossec-agent(1702): INFO: No directory provided for syscheck to monitor.
>> >> > 2013/09/25 13:16:49 ossec-agent: WARN: Syscheck disabled.
>> >> >
>> >> > Thanks
>> >> >
>> >>
>> >> Look to see how OSSEC gets the OS information, and find out what 2012
>> >> gives. With that info we might be able to get it working.
>> >
>> > Thanks Dan. I presume I'm looking for something in the logs? I've enabled
>> > debug, but not seeing anything:
>>
>> You'd have to look in the code.
>
> Took a while to find the code :)
> OK, I've not done much C dev, and not for a long time, but I think it uses
> GetVersionEx. It identifies first based on major version; Vista and onwards
> are v6. Then it checks for minor version, but only 0 or 1. 2012, and
> presumably Win8, return minor version 2; mine shows a Version of 6.2.9200,
> and a Name of "Microsoft Windows Server 2012 Standard".
>
> Also, the code to read the agent profile seems to be in there, but I'm not
> sure why it's failing and showing the profile as NULL. I'll try and add
> some more debug code.
>

OK, not sure whether it's me, or I've got a funny version of the code, but I can't get it to compile either under Fedora or on Windows with mingw :(

> Thanks
>
>>
>> > 2013/09/26 15:24:07 ossec-agent: DEBUG: Reading agent configuration.
>> > 2013/09/26 15:24:07 ossec-agent Using notify time: 600 and max time to reconnect: 1800
>> > 2013/09/26 15:24:07 ossec-agent: DEBUG: Reading logcollector configuration.
>> > 2013/09/26 15:24:07 ossec-agent: calling os_read_agent_profile().
>> > 2013/09/26 15:24:07 ossec-agent: os_read_agent_profile() = [(null)]
>> > 2013/09/26 15:24:07 Read agent config profile name [(null)]
>> > 2013/09/26 15:24:07 [sftp] did not match agent config profile name [(null)]
>> > 2013/09/26 15:24:07 ossec-agent: calling os_read_agent_profile().
>> > 2013/09/26 15:24:07 ossec-agent: os_read_agent_profile() = [(null)]
>> > 2013/09/26 15:24:07 Read agent config profile name [(null)]
>> > 2013/09/26 15:24:07 [dc] did not match agent config profile name [(null)]
>> > 2013/09/26 15:24:07 ossec-agent: calling os_read_agent_profile().
>> > 2013/09/26 15:24:07 ossec-agent: os_read_agent_profile() = [(null)]
>> > 2013/09/26 15:24:07 Read agent config profile name [(null)]
>> > 2013/09/26 15:24:07 [dhcp] did not match agent config profile name [(null)]
>> > 2013/09/26 15:24:07 ossec-agent: calling os_read_agent_profile().
>> > 2013/09/26 15:24:07 ossec-agent: os_read_agent_profile() = [(null)]
>> > 2013/09/26 15:24:07 Read agent config profile name [(null)]
>> > 2013/09/26 15:24:07 [dns] did not match agent config profile name [(null)]
>> > 2013/09/26 15:24:07 ossec-agent: calling os_read_agent_name().
>> > 2013/09/26 15:24:07 ossec-agent: os_read_agent_name returned (W-DC-01
>> > ).
>> > 2013/09/26 15:24:07 ossec-agent: calling os_read_agent_name().
>> > 2013/09/26 15:24:07 ossec-agent: os_read_agent_name returned (W-DC-01
>> > ).
>> > 2013/09/26 15:24:07 ossec-execd: INFO: Started (pid: 4100).
>> >
>> > Thanks.
>> >
>> >>
>> >> > On Wednesday, September 25, 2013 12:41:31 PM UTC+1, Chris H wrote:
>> >> >>
>> >> >> Sorry to resurrect an old thread, but is there any update to this? I'm
>> >> >> just moving towards a centralised config, and experiencing this issue.
>> >> >> Referencing by OS or name works, but by config-profile doesn't on
>> >> >> Windows.
>> >> >> I've also tried the 2.7.1 beta agent, and I'm seeing the same issue.
>> >> >>
>> >> >> I don't know if it's relevant, but I'm seeing entries like this in the
>> >> >> agent logs if I enable debug logging:
>> >> >>
>> >> >> 2013/09/25 12:40:07 Read agent config profile name [(null)]
>> >> >> 2013/09/25 12:40:07 [dhcp] did not match agent config profile name [(null)]
>> >> >>
>> >> >> 2013/09/25 12:40:07 Read agent config profile name [(null)]
>> >> >> 2013/09/25 12:40:07 [dns] did not match agent config profile name [(null)]
>> >> >>
>> >> >> Thanks
>> >> >>
>> >> >> On Tuesday, March 5, 2013 11:19:31 PM UTC, dan (ddpbsd) wrote:
>> >> >>>
>> >> >>> On Tue, Mar 5, 2013 at 12:49 AM, Андрей Шевченко <[email protected]> wrote:
>> >> >>> > Is it possible to add this functionality in a future version of
>> >> >>> > ossec-agent for win?
>> >> >>> >
>> >> >>>
>> >> >>> Definitely.
>> >> >>>
>> >> >>> >
>> >> >>> > On Wednesday, February 27, 2013 10:11:21 UTC+6, Андрей Шевченко wrote:
>> >> >>> >>
>> >> >>> >> It looks like this feature was not included in ossec-hids/src/win32/.
>> >> >>> >> I have not found any changes in the win32 sources.
>> >> >>> >>
>> >> >>> >> On Wednesday, February 27, 2013 2:01:56 UTC+6, dan (ddpbsd) wrote:
>> >> >>> >>>
>> >> >>> >>> On Thu, Feb 21, 2013 at 6:38 AM, Андрей Шевченко <[email protected]> wrote:
>> >> >>> >>> > I tried to add a bad option and I see that it is not being picked
>> >> >>> >>> > up...
>> >> >>> >>> > Like in my example, I don't see anything related to options in
>> >> >>> >>> > the specific agent profile.
>> >> >>> >>> >
>> >> >>> >>>
>> >> >>> >>> You could check the code repository to see if the commits enabling
>> >> >>> >>> this functionality for unixy systems also enabled it for Windows.
>> >> >>> >>>
>> >> >>> >>> > On Tuesday, February 19, 2013 23:15:44 UTC+6, dan (ddpbsd) wrote:
>> >> >>> >>> >>
>> >> >>> >>> >> On Mon, Feb 18, 2013 at 6:23 AM, Андрей Шевченко <[email protected]> wrote:
>> >> >>> >>> >> > ossec.conf (agent test_PC):
>> >> >>> >>> >> >
>> >> >>> >>> >> >> <ossec_config>
>> >> >>> >>> >> >>   <client>
>> >> >>> >>> >> >>     <config-profile>test1</config-profile>
>> >> >>> >>> >> >>     <server-ip>1.1.1.1</server-ip>
>> >> >>> >>> >> >>   </client>
>> >> >>> >>> >> >>
>> >> >>> >>> >> >>   <active-response>
>> >> >>> >>> >> >>     <disabled>no</disabled>
>> >> >>> >>> >> >>   </active-response>
>> >> >>> >>> >> >> </ossec_config>
>> >> >>> >>> >> >
>> >> >>> >>> >> > agent.conf (server):
>> >> >>> >>> >> >
>> >> >>> >>> >> >> <agent_config name="test_PC">
>> >> >>> >>> >> >>   <syscheck>
>> >> >>> >>> >> >>     <directories check_all="yes">D:/</directories>
>> >> >>> >>> >> >>   </syscheck>
>> >> >>> >>> >> >> </agent_config>
>> >> >>> >>> >> >>
>> >> >>> >>> >> >> <agent_config profile="test1">
>> >> >>> >>> >> >>   <syscheck>
>> >> >>> >>> >> >>     <directories check_all="yes">F:/</directories>
>> >> >>> >>> >> >>   </syscheck>
>> >> >>> >>> >> >> </agent_config>
>> >> >>> >>> >> >>
>> >> >>> >>> >> >> <agent_config os="Windows">
>> >> >>> >>> >> >>   <syscheck>
>> >> >>> >>> >> >>     <directories check_all="yes">C:/</directories>
>> >> >>> >>> >> >>   </syscheck>
>> >> >>> >>> >> >> </agent_config>
>> >> >>> >>> >> >
>> >> >>> >>> >> > ossec.log (agent):
>> >> >>> >>> >> >
>> >> >>> >>> >> >> 2013/02/18 15:41:34 ossec-agent: INFO: Monitoring directory: 'D:/'.
>> >> >>> >>> >> >> 2013/02/18 15:41:34 ossec-agent: INFO: Monitoring directory: 'C:/'.
>> >> >>> >>> >> >
>> >> >>> >>> >> > Disk F is not monitored.
>> >> >>> >>> >> >
>> >> >>> >>> >> > Equal configuration for an agent under FreeBSD works fine.
>> >> >>> >>> >> >
>> >> >>> >>> >>
>> >> >>> >>> >> You could add a bad option under that profile to see if it's being
>> >> >>> >>> >> picked up, like monitoring a syslog file that doesn't actually exist.
>> >> >>> >>> >>
>> >> >>> >>> >> Other than that, I'd try something like:
>> >> >>> >>> >>
>> >> >>> >>> >> <agent_config profile="test1">
>> >> >>> >>> >>   <syscheck>
>> >> >>> >>> >>     <directories check_all="yes">F:\.</directories> <!-- Notice the "." -->
>> >> >>> >>> >>   </syscheck>
>> >> >>> >>> >> </agent_config>
>> >> >>> >>> >>
>> >> >>> >>> >> I can't test this at the moment, so I don't know for sure that it
>> >> >>> >>> >> will work.

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
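The version-detection behaviour Chris describes above (GetVersionEx, major 6 for Vista and later, only minor 0 and 1 recognised, so a 6.2 host such as Windows Server 2012 falls through with no OS name) can be reproduced in a small, platform-independent model. The block below is an added example, not OSSEC's own code: the major/minor/product-type values are passed in as plain parameters instead of being read from GetVersionEx's OSVERSIONINFOEX, the `is_server` flag and the function names are assumptions, and the substring check in `os_attr_matches` is an assumed model of how an `<agent_config os="...">` attribute is compared against the reported OS name. It shows why an unrecognised minor version silently disables OS-based matching and how a fallback keeps a usable name.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not OSSEC code. On Windows these three values would come
 * from GetVersionEx() / OSVERSIONINFOEX (dwMajorVersion, dwMinorVersion,
 * wProductType); here they are plain fields so the logic runs anywhere.
 * is_server is an assumed flag: 1 when the product type is not a workstation. */
struct win_version {
    unsigned major;
    unsigned minor;
    int is_server;
};

/* Mirrors the behaviour described in the thread: the 6.x family is checked
 * first, then only minor 0 and 1 are mapped. Anything else (6.2 on Windows 8
 * and Server 2012) returns NULL, leaving the agent with no OS name to match. */
const char *os_name_naive(const struct win_version *v)
{
    if (v->major == 6) {
        if (v->minor == 0)
            return v->is_server ? "Microsoft Windows Server 2008"
                                : "Microsoft Windows Vista";
        if (v->minor == 1)
            return v->is_server ? "Microsoft Windows Server 2008 R2"
                                : "Microsoft Windows 7";
    }
    return NULL;
}

/* Hardened mapping: known releases keep their names, 6.2 is added, and any
 * other release still yields a string containing "Microsoft Windows" plus the
 * raw version numbers, so os="Windows" matching never sees a NULL. */
const char *os_name_fallback(const struct win_version *v, char *buf, size_t len)
{
    const char *known = os_name_naive(v);
    if (known) {
        snprintf(buf, len, "%s", known);
        return buf;
    }
    if (v->major == 6 && v->minor == 2) {
        snprintf(buf, len, "%s", v->is_server ? "Microsoft Windows Server 2012"
                                              : "Microsoft Windows 8");
        return buf;
    }
    snprintf(buf, len, "Microsoft Windows (unknown release %u.%u)",
             v->major, v->minor);
    return buf;
}

/* Assumed model of the os= attribute comparison: a block applies when the
 * configured value is a substring of the reported OS name. A NULL name never
 * matches, which is how the naive mapping ends up monitoring nothing. */
int os_attr_matches(const char *reported, const char *configured)
{
    if (reported == NULL || configured == NULL)
        return 0;
    return strstr(reported, configured) != NULL;
}

int main(void)
{
    /* Constructed sample: the 6.2.9200 Server 2012 host from the thread. */
    struct win_version w2012 = { 6, 2, 1 };
    char buf[128];

    printf("naive:    %s\n", os_name_naive(&w2012) ? os_name_naive(&w2012) : "(null)");
    printf("fallback: %s\n", os_name_fallback(&w2012, buf, sizeof buf));
    printf("os=\"Windows\" matches with fallback: %d\n",
           os_attr_matches(os_name_fallback(&w2012, buf, sizeof buf), "Windows"));
    return 0;
}
```

Running it prints `(null)` for the naive mapping and `Microsoft Windows Server 2012` for the fallback; only the latter lets an `<agent_config os="Windows">` block apply, which is the symptom ("No directory provided for syscheck to monitor") a defender would check for in the agent log when adding a new Windows release.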
