Hello to everybody,

I've a problem: on my OSSEC server I have added new directories to check or to ignore, for example:
    
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin,/boot,/lib,/opt,/srv</directories>
    <directories check_all="yes">C:\Windows\Test</directories>
    <directories check_all="yes">C:\Program Files (x86)\ossec-agent</directories>
    <directories check_all="yes">C:\Program Files</directories>
    <directories check_all="yes">C:\Program Files (x86)</directories>
    <directories check_all="yes">D:\Program Files</directories>

    <ignore>E:\Program Files (x86)\Websense\Web Security\tomcat\logs</ignore>

But I'm not sure that this configuration is working, because the OSSEC agent log doesn't have the registry:

2018/04/10 13:34:53 ossec-agent: INFO: Starting syscheck scan.
2018/04/10 13:43:18 ossec-agent(1758): ERROR: Unable to open registry key: 'System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs'.
2018/04/10 13:43:18 ossec-agent(1758): ERROR: Unable to open registry key: 'System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\DHCP'.
2018/04/10 13:43:18 ossec-agent(1758): ERROR: Unable to open registry key: 'System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\IPTLSIn'.
2018/04/10 13:43:18 ossec-agent(1758): ERROR: Unable to open registry key: 'System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\IPTLSOut'.
2018/04/10 13:43:18 ossec-agent(1758): ERROR: Unable to open registry key: 'System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\RPC-EPMap'.
2018/04/10 13:43:18 ossec-agent(1758): ERROR: Unable to open registry key: 'System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\Teredo'.
2018/04/10 13:43:47 ossec-agent(1758): ERROR: Unable to open registry key: 'System\CurrentControlSet\Services\PolicyAgent\Parameters\Cache'.
2018/04/10 13:46:24 ossec-agent(1758): ERROR: Unable to open registry key: 'Software\Microsoft\Windows\CurrentVersion\RunOnceEx'.
2018/04/10 13:47:34 ossec-agent: WARN: Error opening directory: 'C:\boot.ini': No such file or directory
2018/04/10 13:47:34 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/CONFIG.NT': No such file or directory
2018/04/10 13:47:34 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/AUTOEXEC.NT': No such file or directory
2018/04/10 13:47:34 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/debug.exe': No such file or directory
2018/04/10 13:47:34 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/drwatson.exe': No such file or directory
2018/04/10 13:47:34 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/drwtsn32.exe': No such file or directory
2018/04/10 13:47:34 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/edlin.exe': No such file or directory
2018/04/10 13:47:34 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/eventtriggers.exe': No such file or directory
2018/04/10 13:47:34 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/rcp.exe': No such file or directory
2018/04/10 13:47:34 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/rexec.exe': No such file or directory
2018/04/10 13:47:34 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/rsh.exe': No such file or directory
2018/04/10 13:47:36 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/telnet.exe': No such file or directory
2018/04/10 13:47:36 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/tftp.exe': No such file or directory
2018/04/10 13:47:36 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/tlntsvr.exe': No such file or directory
2018/04/10 13:47:36 ossec-agent: WARN: Error opening directory: 'C:\Users/Public/All Users/Microsoft/Windows/Start Menu/Startup': No such file or directory
2018/04/10 13:47:56 ossec-agent: INFO: Ending syscheck scan.

Could somebody help me make sure this configuration is correct?

In addition, when I restart the ossec service on the server, this appears:

abr 10 15:15:16 TMCVPLMT01 ossec[27132]: Started ossec-remoted...
abr 10 15:15:16 TMCVPLMT01 ossec[27132]: 2018/04/10 15:15:16 ossec-syscheckd: DEBUG: Starting ...
abr 10 15:15:16 TMCVPLMT01 ossec[27132]: 2018/04/10 15:15:16 rootcheck: DEBUG: Starting ...
abr 10 15:15:16 TMCVPLMT01 ossec[27132]: 2018/04/10 15:15:16 rootcheck: Starting queue ...
abr 10 15:15:16 TMCVPLMT01 ossec[27132]: 2018/04/10 15:15:16 ossec-syscheckd: INFO: (unix_domain) Maximum send buffer set to: '212992'.
abr 10 15:15:16 TMCVPLMT01 ossec[27132]: Started ossec-syscheckd...
abr 10 15:15:16 TMCVPLMT01 ossec[27132]: 2018/04/10 15:15:16 ossec-monitord: DEBUG: Starting ...
abr 10 15:15:16 TMCVPLMT01 ossec[27132]: Started ossec-monitord...
abr 10 15:15:18 TMCVPLMT01 ossec[27132]: Completed.

Is this related to the principal issue?

Regards...
