On Jun 4, 2014 5:06 PM, "pmsearle90" <[email protected]> wrote:
>
> Thanks for following up Dan. I apologize for not being clear...
>
> I am not getting the alert log on the server to recognize the insertion or removal.
> I am not getting what Daniel said I should see on the server file structure.
> What could I do to further troubleshoot?
>
> However, FYI:
> I have just followed your suggestion from another post and changed my set-up. Instead of using agent.conf, I placed the command in the Windows agent ossec.conf file and used the aliases that you suggested:
>
>> Commands should go in the ossec.conf, not agent.conf. Putting it in the agent.conf requires additional configuration on the agent.
>> https://groups.google.com/d/msg/ossec-list/1t6dnbzMZzM/WwQ0RXOB3ycJ
>
> Now I get some sign on the client side but nothing on the server side that I can see in 'alerts.log' on the OSSEC server:
>
> client log:
>>
>> 2014/06/04 13:53:57 ossec-agent(4102): INFO: Connected to the server (10.1.16.26:1514).
>> 2014/06/04 13:53:57 ossec-agent(1951): INFO: Analyzing event log: 'Application'.
>> 2014/06/04 13:53:57 ossec-agent(1951): INFO: Analyzing event log: 'Security'.
>> 2014/06/04 13:53:57 ossec-agent(1951): INFO: Analyzing event log: 'System'.
>> 2014/06/04 13:53:57 ossec-agent: INFO: Monitoring full output of command(360): reg QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR
>> 2014/06/04 13:53:57 ossec-agent: INFO: Started (pid: 5832).
>
> I just turned debugging on in the client internal_options:
>>
>> syscheck.debug=1
>
> What other debugging should I use, or what newbie mistake might I fix?
> Thanks in advance again,
> Paul
>
>
> On Wednesday, June 4, 2014 3:26:42 PM UTC-5, pmsearle90 wrote:
>>
>> I have worked with OSSEC in the past and taken over our OSSEC infrastructure in the last three months, so have mercy...
>>
>> I am following up after reading this thread and trying to implement USB thumb drive insertion monitoring:
>>
>>> https://groups.google.com/d/topic/ossec-list/eL2DTKSXnhI/discussion
>>
>> and trying to follow the 2.7.1 documentation from Daniel Cid on the USB storage detection example using the <check_diff /> feature:
>>
>>> http://ossec-docs.readthedocs.org/en/latest/manual/monitoring/process-monitoring.html#detecting-usb-storage-usage
>>
>> I do not get the server to add the directory to the "/diff/" subdirectory:
>>
>>> Next create a local rule for that command:
>>>>
>>>> <rule id="140125" level="7">
>>>>   <if_sid>530</if_sid>
>>>>   <match>ossec: output: 'reg QUERY</match>
>>>>   <check_diff />
>>>>   <description>New USB device connected</description>
>>>> </rule>
>>>
>>> Now after a few minutes you will see a directory at /var/ossec/queue/diff/[agent_name]/[rule_id] with the current snapshot of this command
>>
>> I get the following excerpt in my client side log (from service restart) and then nothing in my alert log on the server:
>>
>>> 2014/06/04 13:10:11 ossec-agent: Exiting...
>>> 2014/06/04 13:10:11 ossec-agent: Remote commands are not accepted from the manager. Ignoring it on the agent.conf
>>> 2014/06/04 13:10:11 ossec-agent(1202): ERROR: Configuration error at 'shared/agent.conf'. Exiting.
>>> 2014/06/04 13:10:11 ossec-execd(1350): INFO: Active response disabled. Exiting.
>>> 2014/06/04 13:10:11 ossec-agent(1410): INFO: Reading authentication keys file.
>>> 2014/06/04 13:10:11 ossec-agent: INFO: Assigning counter for agent AZS1901RG03: '99746:8391'.
>>> 2014/06/04 13:10:11 ossec-agent: INFO: Assigning sender counter: 7:4371
>>> 2014/06/04 13:10:11 ossec-agent: INFO: Trying to connect to server (10.1.16.26:1514).
>>> 2014/06/04 13:10:11 ossec-agent: INFO: Using IPv4 for: 10.1.16.26.
>>> 2014/06/04 13:10:11 ossec-agent: Starting syscheckd thread.
>>> 2014/06/04 13:10:11 ossec-rootcheck: INFO: Started (pid: 4924).
>>
>> Thanks for any help in advance,
>> Paul
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
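As an added illustration, not code from this thread or from OSSEC itself: a small Python model of what the <check_diff /> rule quoted above is meant to do with the USBSTOR command output. It stores the last full output under <queue_dir>/diff/<agent_name>/<rule_id>/ (the directory Paul is looking for) and returns only the lines that are new since the previous snapshot, which is the condition the rule alerts on. The snapshot file name 'last-entry' and the sample reg QUERY outputs are assumptions constructed for the example.

```python
"""Model of OSSEC's <check_diff /> handling for the USBSTOR reg QUERY command.

Added example, not OSSEC's own code. The queue layout diff/<agent>/<rule_id>/
is the one the thread expects; the file name 'last-entry' and the sample
command outputs are assumptions constructed for this demo.
"""
import difflib
import pathlib
import tempfile

# Constructed sample outputs of the reg QUERY command on a Windows agent.
USBSTOR_ROOT = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR"
SNAPSHOT_BEFORE = USBSTOR_ROOT + "\n" + USBSTOR_ROOT + "\\Disk&Ven_Kingston&Prod_DataTraveler\n"
SNAPSHOT_AFTER = SNAPSHOT_BEFORE + USBSTOR_ROOT + "\\Disk&Ven_SanDisk&Prod_Cruzer\n"


def check_diff(queue_dir, agent_name, rule_id, output):
    """Store `output` as the new snapshot and return lines added since the last one.

    Returns [] on the first run (nothing to compare yet) and when nothing changed,
    so a caller should raise the "New USB device connected" alert only on a
    non-empty result.
    """
    snapshot = pathlib.Path(queue_dir) / "diff" / agent_name / str(rule_id) / "last-entry"
    snapshot.parent.mkdir(parents=True, exist_ok=True)  # the directory Paul expects to appear
    previous = snapshot.read_text().splitlines() if snapshot.exists() else None
    snapshot.write_text(output)
    if previous is None:
        return []
    added = []
    for line in difflib.unified_diff(previous, output.splitlines(), lineterm="", n=0):
        if line.startswith("+") and not line.startswith("+++"):
            added.append(line[1:])
    return added


def run_demo(agent_name="AZS1901RG03", rule_id=140125):
    """Run three command cycles against a temporary queue dir and return the results."""
    queue_dir = tempfile.mkdtemp()
    first = check_diff(queue_dir, agent_name, rule_id, SNAPSHOT_BEFORE)   # creates dir, no alert
    second = check_diff(queue_dir, agent_name, rule_id, SNAPSHOT_BEFORE)  # unchanged, no alert
    third = check_diff(queue_dir, agent_name, rule_id, SNAPSHOT_AFTER)    # new key -> alert
    diff_dir_exists = (pathlib.Path(queue_dir) / "diff" / agent_name / str(rule_id)).is_dir()
    return diff_dir_exists, first, second, third


if __name__ == "__main__":
    exists, first, second, third = run_demo()
    print("diff dir created:", exists)
    print("new USBSTOR entries on third run:", third)
```

If the agent log shows "Remote commands are not accepted from the manager" as in the excerpt above, the command never runs on the agent, so no output reaches the manager and this directory is never created; that is the first thing to rule out before looking at the rule itself.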
