On Wed, Jun 18, 2014 at 8:38 AM,  <[email protected]> wrote:
> Ok, here is the ossec.conf:
>
>
> <!-- READ ME FIRST. If you are configuring OSSEC for the first time,
>   -  try to use the "Manage_Agent" tool. Go to control panel->OSSEC Agent
>   -  to execute it.
>   -
>   -  First, add a server-ip entry with the real IP of your server.
>   -  Second, and optionally, change the settings of the files you want
>   -          to monitor. Look at our Manual and FAQ for more information.
>   -  Third, start the Agent and enjoy.
>   -
>   -  Example of server-ip:
>   -  <client> <server-ip>1.2.3.4</server-ip> </client>
>   -->
>
>
> <ossec_config>
>
>   <!-- One entry for each file/Event log to monitor. -->
>   <localfile>
>     <location>Application</location>
>     <log_format>eventlog</log_format>
>   </localfile>
>
>   <localfile>
>     <location>Security</location>
>     <log_format>eventlog</log_format>
>   </localfile>
>
>   <localfile>
>     <location>System</location>
>     <log_format>eventlog</log_format>
>   </localfile>
>
>
>   <!-- Rootcheck - Policy monitor config -->
>   <rootcheck>
>     <windows_audit>./shared/win_audit_rcl.txt</windows_audit>
>     <windows_apps>./shared/win_applications_rcl.txt</windows_apps>
>     <windows_malware>./shared/win_malware_rcl.txt</windows_malware>
>   </rootcheck>
>
>
>    <!-- Syscheck - Integrity Checking config. -->
>   <syscheck>
>
>     <!-- Default frequency, every 20 hours. It doesn't need to be higher
>       -  on most systems and one a day should be enough.
>       -->
>     <frequency>72000</frequency>
>
>     <!-- By default it is disabled. In the Install you must choose
>       -  to enable it.
>       -->
>     <disabled>no</disabled>
>
>
>     <!-- Default files to be monitored - system32 only. -->
>     <directories check_all="yes">%WINDIR%/win.ini</directories>
>     <directories check_all="yes">%WINDIR%/system.ini</directories>
>     <directories check_all="yes">C:\autoexec.bat</directories>
>     <directories check_all="yes">C:\config.sys</directories>
>     <directories check_all="yes">C:\boot.ini</directories>
>     <directories check_all="yes">%WINDIR%/System32/CONFIG.NT</directories>
>     <directories check_all="yes">%WINDIR%/System32/AUTOEXEC.NT</directories>
>     <directories check_all="yes">%WINDIR%/System32/at.exe</directories>
>     <directories check_all="yes">%WINDIR%/System32/attrib.exe</directories>
>     <directories check_all="yes">%WINDIR%/System32/cacls.exe</directories>
>     <directories check_all="yes">%WINDIR%/System32/debug.exe</directories>
>     <directories check_all="yes">%WINDIR%/System32/drwatson.exe</directories>
>     <directories check_all="yes">%WINDIR%/System32/drwtsn32.exe</directories>
>     <directories check_all="yes">%WINDIR%/System32/edlin.exe</directories>
>     <directories check_all="yes">%WINDIR%/System32/eventcreate.exe</directories>
>     <directories check_all="yes">%WINDIR%/System32/eventtriggers.exe</directories>
>     <directories check_all="yes">%WINDIR%/System32/ftp.exe</directories>
>     <directories check_all="yes">%WINDIR%/System32/net.exe</directories>
>     <directories check_all="yes">%WINDIR%/System32/net1.exe</directories>
>     <directories check_all="yes">%WINDIR%/System32/netsh.exe</directories>
>     <directories check_all="yes">%WINDIR%/System32/rcp.exe</directories>
>     <directories check_all="yes">%WINDIR%/System32/reg.exe</directories>
>     <directories check_all="yes">%WINDIR%/regedit.exe</directories>
>     <directories check_all="yes">%WINDIR%/System32/regedt32.exe</directories>
>     <directories check_all="yes">%WINDIR%/System32/regsvr32.exe</directories>
>     <directories check_all="yes">%WINDIR%/System32/rexec.exe</directories>
>     <directories check_all="yes">%WINDIR%/System32/rsh.exe</directories>
>     <directories check_all="yes">%WINDIR%/System32/runas.exe</directories>
>     <directories check_all="yes">%WINDIR%/System32/sc.exe</directories>
>     <directories check_all="yes">%WINDIR%/System32/subst.exe</directories>
>     <directories check_all="yes">%WINDIR%/System32/telnet.exe</directories>
>     <directories check_all="yes">%WINDIR%/System32/tftp.exe</directories>
>     <directories check_all="yes">%WINDIR%/System32/tlntsvr.exe</directories>
>     <directories check_all="yes">%WINDIR%/System32/drivers/etc</directories>
>     <directories check_all="yes" realtime="yes">C:\Documents and Settings/All Users/Start Menu/Programs/Startup</directories>
>     <directories check_all="yes" realtime="yes">C:\Users/Public/All Users/Microsoft/Windows/Start Menu/Startup</directories>
>     <ignore type="sregex">.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$</ignore>
>
>
>     <!-- Windows registry entries to monitor. -->
>     <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\batfile</windows_registry>
>     <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\cmdfile</windows_registry>
>     <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\comfile</windows_registry>
>     <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\exefile</windows_registry>
>     <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\piffile</windows_registry>
>     <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects</windows_registry>
>     <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Directory</windows_registry>
>     <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Folder</windows_registry>
>     <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Protocols</windows_registry>
>     <windows_registry>HKEY_LOCAL_MACHINE\Software\Policies</windows_registry>
>     <windows_registry>HKEY_LOCAL_MACHINE\Security</windows_registry>
>     <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer</windows_registry>
>
>     <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</windows_registry>
>     <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs</windows_registry>
>     <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg</windows_registry>
>
>     <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry>
>     <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</windows_registry>
>     <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx</windows_registry>
>     <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL</windows_registry>
>     <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies</windows_registry>
>     <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows</windows_registry>
>     <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon</windows_registry>
>
>     <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components</windows_registry>
>
>
>
>     <!-- Windows registry entries to ignore. -->
>     <registry_ignore>HKEY_LOCAL_MACHINE\Security\Policy\Secrets</registry_ignore>
>     <registry_ignore>HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users</registry_ignore>
>     <registry_ignore type="sregex">\Enum$</registry_ignore>
>   </syscheck>
>
>   <active-response>
>     <disabled>yes</disabled>
>   </active-response>
>
> </ossec_config>
>
>
> <!-- END of Default Configuration. -->
>
>
>  <ossec_config>
>    <client>
>       <server-ip>192.168.0.250</server-ip>

Ok, that looks correct. I wonder if it's some kind of strange encoding
issue (since the IP looks wrong in the log). I can't remember if you
can enter the server IP in the GUI or not, but if you can, try typing
it in again. If not, open the ossec.conf in Notepad and try retyping
it.

If that fails, maybe upgrade to 2.8 (manager first, agent second).

>    </client>
>  </ossec_config>
>
>
>
>
>
>
> On Wednesday, June 18, 2014 13:05:14 UTC+2, [email protected] wrote:
>>
>> Hi Guys,
>>
>> I have a problem with the ossec-agent on Windows 7. I use the appliance
>> 2.7.1. The connection between the host and the server works. But my problem
>> is this (see my log):
>>
>>
>> 2014/06/18 14:53:27 ossec-agent Using notify time: 600 and max time to reconnect: 1800
>>
>> 2014/06/18 14:53:27 ossec-execd(1350): INFO: Active response disabled. Exiting.
>>
>> 2014/06/18 14:53:27 ossec-agent(1410): INFO: Reading authentication keys file.
>>
>> 2014/06/18 14:53:27 ossec-agent: Received exit signal.
>>
>> 2014/06/18 14:53:27 ossec-agent: Exiting...
>>
>> 2014/06/18 14:53:27 ossec-agent(1237): ERROR: Invalid ip address: '192.16Ð.0.250'.
>>
>>
>>
>> Thanks for the help :)
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.

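The reply above suspects an encoding problem in the `<server-ip>` value, because the agent logged `'192.16Ð.0.250'` for a config that reads `192.168.0.250`. The following script is an added example, not part of the thread or of OSSEC itself: it reads an agent ossec.conf as raw bytes and reports a UTF-8 BOM, non-ASCII bytes inside `<server-ip>`, stray whitespace, and any address that does not parse, so the cause can be seen before the agent refuses to start. The sample configs at the bottom are constructed for the demonstration.

```python
# Added example (not from the ossec-list thread or the OSSEC project): check the
# <server-ip> entries of an OSSEC agent ossec.conf for the kind of corruption
# that makes the agent exit with "ERROR: Invalid ip address".
import ipaddress
import re

# Assumption: the config is handled as raw bytes so mis-encoded characters are
# visible instead of being silently decoded.
SERVER_IP_RE = re.compile(rb"<server-ip>(.*?)</server-ip>", re.DOTALL)
UTF8_BOM = b"\xef\xbb\xbf"


def check_server_ip(conf_bytes: bytes) -> list:
    """Return a list of findings for the <server-ip> entries in conf_bytes.

    An empty list means every entry is plain ASCII and a valid IPv4/IPv6 address.
    """
    findings = []
    # Notepad on Windows likes to prepend a BOM when saving as UTF-8.
    if conf_bytes.startswith(UTF8_BOM):
        findings.append("file starts with a UTF-8 BOM")
    entries = SERVER_IP_RE.findall(conf_bytes)
    if not entries:
        findings.append("no <server-ip> entry found")
    for raw in entries:
        bad = [b for b in raw if b > 0x7F]
        if bad:
            findings.append("non-ASCII bytes in server-ip: "
                            + " ".join(f"0x{b:02x}" for b in bad))
            # latin-1 maps every byte 1:1, so the operator sees what the agent saw
            shown = raw.decode("latin-1")
        else:
            shown = raw.decode("ascii")
        value = shown.strip()
        if value != shown:
            findings.append(f"surrounding whitespace in server-ip {value!r}")
        try:
            ipaddress.ip_address(value)
        except ValueError:
            findings.append(f"invalid ip address: {value!r}")
    return findings


# Constructed sample configs: a clean one and one with byte 0xD0 ('Ð' in latin-1)
# in place of the '8', mirroring the address shown in the agent log.
GOOD_CONF = b"<ossec_config><client><server-ip>192.168.0.250</server-ip></client></ossec_config>"
BAD_CONF = b"<ossec_config><client><server-ip>192.16\xd0.0.250</server-ip></client></ossec_config>"

if __name__ == "__main__":
    for name, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(name, check_server_ip(conf) or "ok")
```

Run it against the real file with `check_server_ip(open(path, "rb").read())`; a finding of non-ASCII bytes points at the editor or copy-paste step that corrupted the address rather than at the agent.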