On Thu, Aug 7, 2014 at 6:41 AM, Ameya Bhatkal <[email protected]> wrote:
> Hi,
>
> I enabled debug mode in the Ossec client machine. When I clear the windows
> system and security logs, the following lines appear in the ossec.log file
> of the Ossec client:-
>
> 2014/08/07 16:00:07 ossec-agent: WARN: Event log cleared: 'System'
>
> 2014/08/07 16:00:07 ossec-agent: DEBUG: Attempting to send message to server.
>
> 2014/08/07 16:00:07 ossec-agent: DEBUG: Sending message to server: 'ossec: Event log cleared: 'System''
>
> 2014/08/07 16:00:11 ossec-agent: DEBUG: Attempting to send message to server.
>
> But when files that are under monitoring mode are deleted, then I see the
> following info in the ossec.log of the Ossec client machine:-
>
> 15:57:58 ossec-agent: INFO: Starting syscheck scan.
>
> 2014/08/07 15:57:58 ossec-agent: DEBUG: Attempting to send message to server.
>
> 2014/08/07 15:57:58 ossec-agent: DEBUG: Sending message to server: 'Starting syscheck scan.'
>
> 2014/08/07 15:57:58 ossec-agent: DEBUG: Starting os_winreg_check
>
> 2014/08/07 15:57:58 ossec-agent: WARN: Error opening directory: 'D:\Delete Check.xls': No such file or directory
>
> 2014/08/07 15:58:18 ossec-agent: INFO: Ending syscheck scan.
>
> 2014/08/07 15:58:18 ossec-agent: DEBUG: Attempting to send message to server.
>
> 2014/08/07 15:58:18 ossec-agent: DEBUG: Sending info to server (ctime2)...
>
> 2014/08/07 15:58:18 ossec-agent: DEBUG: Sending keep alive message.
>
> Hope this helps.......
>

Look at the commits made after 2.8, see if there was something dealing with this committed. If there was, try that code, see if it helps.

> On Wednesday, August 6, 2014 3:46:29 PM UTC+5:30, Ameya Bhatkal wrote:
>>
>> Hi Everyone,
>>
>> I have setup OSSEC 2.8 Manager using Security Onion 12.04 LTS. The Ossec
>> Client agents have been installed on 6 Windows machines.
>>
>> I receive alerts for file additions and modifications but not when the
>> monitored files are deleted.
>>
>> I face the following issues:
>>
>> Issue 1
>>
>> The Ossec agent has been configured to monitor folders. If a file within
>> the folder is deleted, then I do not receive any alert. Moreover the client
>> ossec log does not mention that the file is missing or deleted and there is
>> no entry in the alert.log file present in the Ossec Manager.
>>
>> Issue 2
>>
>> The Ossec agent has been configured to monitor specific files. If a file
>> has been deleted, the client ossec log has the following entry:
>>
>> "2014/08/06 15:31:58 ossec-agent: WARN: Error opening directory: 'C:\Delete check 2/Delete2.conf/': No such file or directory "
>>
>> But I do not receive any alert that a file has been deleted. The alert.log
>> file present in the Ossec Server does not reflect any such event.
>>
>> Rule 553 is present in the ossec_rules.xml and has not been tampered with.
>>
>> Could you kindly help me out with the issue. Any help will be greatly
>> appreciated!
>>
>> Thanks in advance...
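
In the logs quoted in this thread, the agent-side `Error opening directory ... No such file or directory` warning is the trace left when a specifically monitored file is gone. The Python script below is an added example, not part of the original thread and not OSSEC code; it scans agent `ossec.log` text for that warning and summarizes each missing path. The function name, the sample text and the 16:20:01 line are constructed for illustration.

```python
import re

# Agent log line layout as quoted in the thread: date, time, "ossec-agent:", level, message.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}/\d{2}/\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"ossec-agent: (?P<level>[A-Z]+): (?P<msg>.*)$"
)
# Warning the thread shows when a monitored path no longer exists.
MISSING_RE = re.compile(r"^Error opening directory: '(?P<path>.*)': No such file or directory$")

# Sample input: lines copied from the thread, plus one constructed repeat (16:20:01)
# standing in for a later scan that still cannot find the file.
SAMPLE_LOG = r"""
2014/08/06 15:31:58 ossec-agent: WARN: Error opening directory: 'C:\Delete check 2/Delete2.conf/': No such file or directory
2014/08/07 15:57:58 ossec-agent: DEBUG: Sending message to server: 'Starting syscheck scan.'
2014/08/07 15:57:58 ossec-agent: DEBUG: Starting os_winreg_check
2014/08/07 15:57:58 ossec-agent: WARN: Error opening directory: 'D:\Delete Check.xls': No such file or directory
2014/08/07 15:58:18 ossec-agent: INFO: Ending syscheck scan.
2014/08/07 16:00:07 ossec-agent: WARN: Event log cleared: 'System'
2014/08/07 16:20:01 ossec-agent: WARN: Error opening directory: 'D:\Delete Check.xls': No such file or directory
"""


def missing_monitored_paths(log_text):
    """Map each path the agent failed to open to its first/last timestamp and hit count."""
    seen = {}
    for raw in log_text.splitlines():
        line = LINE_RE.match(raw.strip())
        if not line or line.group("level") != "WARN":
            continue  # skip DEBUG/INFO lines and anything that does not parse
        hit = MISSING_RE.match(line.group("msg"))
        if not hit:
            continue  # other warnings, e.g. "Event log cleared"
        stamp = f"{line.group('date')} {line.group('time')}"
        entry = seen.setdefault(hit.group("path"), {"first": stamp, "last": stamp, "count": 0})
        entry["last"] = stamp
        entry["count"] += 1
    return seen


if __name__ == "__main__":
    for path, info in missing_monitored_paths(SAMPLE_LOG).items():
        print(f"{path}: first reported {info['first']}, seen {info['count']} time(s)")
```

This only covers the case described under Issue 2; for Issue 1 the thread reports that the agent log contains no entry at all, so there is nothing for a log parser to match.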
