On Wed, Jun 4, 2014 at 5:05 PM, pmsearle90 <[email protected]> wrote:
> Thanks for following up, Dan. I apologize for not being clear...
>
> I am not getting the alert log on the server to recognize the insertion or
> removal.
> I am not getting what Daniel said I should see on the server file structure.
> What could I do to further troubleshoot?
>
> However, FYI:
> I have just followed your suggestion from another post and changed my
> set-up. Instead of using agent.conf, I placed the command in the Windows
> agent ossec.conf file and used the aliases that you suggested:
>
> https://groups.google.com/d/msg/ossec-list/1t6dnbzMZzM/WwQ0RXOB3ycJ
>
> Now I get some sign on the client side but nothing on the server side that
> I can see in 'alerts.log' on the OSSEC server:
>
> client log:
>
> 2014/06/04 13:53:57 ossec-agent(4102): INFO: Connected to the server
> (10.1.16.26:1514).
> 2014/06/04 13:53:57 ossec-agent(1951): INFO: Analyzing event log:
> 'Application'.
> 2014/06/04 13:53:57 ossec-agent(1951): INFO: Analyzing event log:
> 'Security'.
> 2014/06/04 13:53:57 ossec-agent(1951): INFO: Analyzing event log: 'System'.
> 2014/06/04 13:53:57 ossec-agent: INFO: Monitoring full output of
> command(360): reg QUERY
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR
> 2014/06/04 13:53:57 ossec-agent: INFO: Started (pid: 5832).
>
> I just turned debugging on in the client internal_options
>
> syscheck.debug=1
>

This isn't a syscheck thing.

> What other debugging should I use, or what newbie mistake might I fix?

Turn on the log all option on the manager. You can then monitor the
archives.log file for instances of the output from your command. That
will help you determine whether the match in your rule is incorrect,
or if there are other issues.

> thanks in advance again,
> Paul
>
>
> On Wednesday, June 4, 2014 3:26:42 PM UTC-5, pmsearle90 wrote:
>>
>> I have worked with OSSEC in the past and have taken over our OSSEC
>> infrastructure in the last three months, so have mercy...
>>
>> I am following up after reading this thread and trying to implement USB
>> thumb drive insertion monitoring:
>>
>> https://groups.google.com/d/topic/ossec-list/eL2DTKSXnhI/discussion
>>
>> and trying to follow the 2.7.1 documentation from Daniel Cid on the USB
>> storage detection example for using the <check_diff /> feature:
>>
>> http://ossec-docs.readthedocs.org/en/latest/manual/monitoring/process-monitoring.html#detecting-usb-storage-usage
>>
>> I do not get the server to add the directory to the "/diff/" subdirectory:
>>
>> Next create a local rule for that command:
>>
>> <rule id="140125" level="7">
>>     <if_sid>530</if_sid>
>>     <match>ossec: output: 'reg QUERY</match>
>>     <check_diff />
>>     <description>New USB device connected</description>
>> </rule>
>>
>> Now after a few minutes you will see a directory at
>> /var/ossec/queue/diff/[agent_name]/[rule_id] with the current snapshot of
>> this command.
>>
>> I get the following excerpt on my client side log (from service restart)
>> and then nothing on my alert log on the server:
>>
>>
>> 2014/06/04 13:10:11 ossec-agent: Exiting...
>> 2014/06/04 13:10:11 ossec-agent: Remote commands are not accepted from the
>> manager. Ignoring it on the agent.conf
>> 2014/06/04 13:10:11 ossec-agent(1202): ERROR: Configuration error at
>> 'shared/agent.conf'. Exiting.
>> 2014/06/04 13:10:11 ossec-execd(1350): INFO: Active response disabled.
>> Exiting.
>> 2014/06/04 13:10:11 ossec-agent(1410): INFO: Reading authentication keys
>> file.
>> 2014/06/04 13:10:11 ossec-agent: INFO: Assigning counter for agent
>> AZS1901RG03: '99746:8391'.
>> 2014/06/04 13:10:11 ossec-agent: INFO: Assigning sender counter: 7:4371
>> 2014/06/04 13:10:11 ossec-agent: INFO: Trying to connect to server
>> (10.1.16.26:1514).
>> 2014/06/04 13:10:11 ossec-agent: INFO: Using IPv4 for: 10.1.16.26 .
>> 2014/06/04 13:10:11 ossec-agent: Starting syscheckd thread.
>> 2014/06/04 13:10:11 ossec-rootcheck: INFO: Started (pid: 4924).
>>
>> Thanks for any help in advance,
>> Paul
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.

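A small replay of the check Dan suggests, added here as an example (my code, not code from the thread, from the OSSEC project or from its documentation): it takes command-output events of the kind that land in archives.log once the manager logs everything, runs the rule's <match> against each event header, and emulates <check_diff /> by keeping the previous output per agent and rule, so you can see which stage stops an event from ever reaching alerts.log. The archives.log header layout, the agent names and every sample event are constructed for the example; the snapshot store is in memory rather than queue/diff/. As far as I know, when the agent is configured with an <alias>, the alias replaces the command text in the `ossec: output: '...'` header, so a <match> on the literal `reg QUERY` string will not hit those events; the first sample event exercises exactly that case.

```python
"""Added example (mine, not code from the thread or from OSSEC): replay
command-output events the way the manager would when <logall> is on, to see
why the rule in the thread may never reach alerts.log.

Two checks are emulated:
  1. the rule's <match> against the event header (approximated here as a
     plain substring test; OSSEC's own matcher is slightly richer), and
  2. <check_diff />, which stores the first output as a snapshot under
     queue/diff/<agent>/<rule_id> and alerts only when later output differs.

The archives.log header layout and every sample event below are constructed
for this example; compare them against the real file on your manager.
"""
import re
from typing import Dict, List, Optional, Tuple

RULE_ID = 140125                              # rule id used in the thread
MATCH_STRING = "ossec: output: 'reg QUERY"    # the rule's <match> text

# Assumed archives.log event shape:
#   "<ts> (<agent>) <ip>-><location> ossec: output: '<command-or-alias>':\n<output>"
HEADER_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) "
    r"\((?P<agent>[^)]+)\) (?P<ip>\S+)->(?P<location>.+?) "
    r"(?P<event>ossec: output: .*)$",
    re.S,
)


def parse_event(raw: str) -> Optional[Dict[str, str]]:
    """Split one archived event into header fields plus the command output."""
    m = HEADER_RE.match(raw)
    if m is None:
        return None
    fields = m.groupdict()
    header, _, body = fields["event"].partition(":\n")
    fields["header"] = header        # "ossec: output: '<command-or-alias>'"
    fields["body"] = body.strip()    # the captured command output
    return fields


def rule_matches(header: str, match: str = MATCH_STRING) -> bool:
    """Approximation of <match>: the rule text must appear in the event header."""
    return match in header


class DiffStore:
    """In-memory stand-in for queue/diff/<agent>/<rule_id>/last-entry."""

    def __init__(self) -> None:
        self._last: Dict[Tuple[str, int], str] = {}

    def check(self, agent: str, rule_id: int, output: str) -> str:
        key = (agent, rule_id)
        previous = self._last.get(key)
        self._last[key] = output
        if previous is None:
            return "snapshot-stored"   # first sighting: stored, no alert
        return "changed" if previous != output else "unchanged"


def evaluate(events: List[str], store: Optional[DiffStore] = None) -> List[Tuple[str, str]]:
    """Return (agent, verdict) per event; 'ALERT' marks what alerts.log would show."""
    if store is None:
        store = DiffStore()
    verdicts: List[Tuple[str, str]] = []
    for raw in events:
        ev = parse_event(raw)
        if ev is None:
            verdicts.append(("?", "unparsed"))
        elif not rule_matches(ev["header"]):
            verdicts.append((ev["agent"], "no-match"))
        else:
            outcome = store.check(ev["agent"], RULE_ID, ev["body"])
            verdicts.append((ev["agent"], "ALERT" if outcome == "changed" else outcome))
    return verdicts


# --- constructed sample data (not captured from a real manager) --------------
USBSTOR = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR"
KEYS_BEFORE = USBSTOR + r"\Disk&Ven_Kingston&Prod_DataTraveler&Rev_1.00"
KEYS_AFTER = KEYS_BEFORE + "\n" + USBSTOR + r"\Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.26"


def make_event(ts: str, agent: str, name: str, body: str) -> str:
    """Build one archived event; 'name' is whatever the agent put in the header."""
    return f"{ts} ({agent}) 10.1.16.30->{name} ossec: output: '{name}':\n{body}"


SAMPLE_EVENTS = [
    # agent configured with <alias>: the header carries the alias, so the
    # rule's <match> on the literal command never hits it
    make_event("2014 Jun 04 13:53:57", "AZS1901RG03", "usbstor-check", KEYS_BEFORE),
    # agent sending the literal command: snapshot, no change, then a new device
    make_event("2014 Jun 04 13:59:57", "WKS02", "reg QUERY " + USBSTOR, KEYS_BEFORE),
    make_event("2014 Jun 04 14:05:57", "WKS02", "reg QUERY " + USBSTOR, KEYS_BEFORE),
    make_event("2014 Jun 04 14:11:57", "WKS02", "reg QUERY " + USBSTOR, KEYS_AFTER),
    "not an archived event at all",
]

if __name__ == "__main__":
    for agent, verdict in evaluate(SAMPLE_EVENTS):
        print(f"{agent:12} {verdict}")
```

Run it as-is to see the five verdicts, then point parse_event at lines copied from your own archives.log: an event that parses but comes back "no-match" means the <match> text is wrong for what the agent actually sends, while "snapshot-stored" followed by "unchanged" means the rule is fine and the registry output simply has not changed yet.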