On Tue, Apr 10, 2018, 5:02 PM Carlos Islas <[email protected]> wrote:
> Hello to everybody,
>
> I have a problem. On my ossec server I have added new directories to check or
> to ignore, for example:
>
> <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
> <directories check_all="yes">/bin,/sbin,/boot,/lib,/opt,/srv</directories>
> <directories check_all="yes">C:\Windows\Test</directories>
> <directories check_all="yes">C:\Program Files (x86)\ossec-agent</directories>
> <directories check_all="yes">C:\Program Files</directories>
> <directories check_all="yes">C:\Program Files (x86)</directories>
> <directories check_all="yes">D:\Program Files</directories>
>
> <ignore>E:\Program Files (x86)\Websense\Web Security\tomcat\logs</ignore>

If you added these to the server's ossec.conf, they will be checked on the server. To get them checked on an agent they should be added to the agent's ossec.conf or the agent.conf.

> But I'm not sure that this configuration is working, because the ossec
> agent log doesn't have the registry:
>
> 2018/04/10 13:34:53 ossec-agent: INFO: Starting syscheck scan.
> 2018/04/10 13:43:18 ossec-agent(1758): ERROR: Unable to open registry key: 'System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs'.
> 2018/04/10 13:43:18 ossec-agent(1758): ERROR: Unable to open registry key: 'System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\DHCP'.
> 2018/04/10 13:43:18 ossec-agent(1758): ERROR: Unable to open registry key: 'System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\IPTLSIn'.
> 2018/04/10 13:43:18 ossec-agent(1758): ERROR: Unable to open registry key: 'System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\IPTLSOut'.
> 2018/04/10 13:43:18 ossec-agent(1758): ERROR: Unable to open registry key: 'System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\RPC-EPMap'.
> 2018/04/10 13:43:18 ossec-agent(1758): ERROR: Unable to open registry key: 'System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\Teredo'.
> 2018/04/10 13:43:47 ossec-agent(1758): ERROR: Unable to open registry key: 'System\CurrentControlSet\Services\PolicyAgent\Parameters\Cache'.
> 2018/04/10 13:46:24 ossec-agent(1758): ERROR: Unable to open registry key: 'Software\Microsoft\Windows\CurrentVersion\RunOnceEx'.
> 2018/04/10 13:47:34 ossec-agent: WARN: Error opening directory: 'C:\boot.ini': No such file or directory
> 2018/04/10 13:47:34 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/CONFIG.NT': No such file or directory
> 2018/04/10 13:47:34 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/AUTOEXEC.NT': No such file or directory
> 2018/04/10 13:47:34 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/debug.exe': No such file or directory
> 2018/04/10 13:47:34 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/drwatson.exe': No such file or directory
> 2018/04/10 13:47:34 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/drwtsn32.exe': No such file or directory
> 2018/04/10 13:47:34 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/edlin.exe': No such file or directory
> 2018/04/10 13:47:34 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/eventtriggers.exe': No such file or directory
> 2018/04/10 13:47:34 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/rcp.exe': No such file or directory
> 2018/04/10 13:47:34 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/rexec.exe': No such file or directory
> 2018/04/10 13:47:34 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/rsh.exe': No such file or directory
> 2018/04/10 13:47:36 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/telnet.exe': No such file or directory
> 2018/04/10 13:47:36 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/tftp.exe': No such file or directory
> 2018/04/10 13:47:36 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/tlntsvr.exe': No such file or directory
> 2018/04/10 13:47:36 ossec-agent: WARN: Error opening directory: 'C:\Users/Public/All Users/Microsoft/Windows/Start Menu/Startup': No such file or directory
> 2018/04/10 13:47:56 ossec-agent: INFO: Ending syscheck scan.
>
> Could somebody help me make sure this configuration is correct?
>
> In addition, when I restart the ossec service on the server, this appears:
>
> abr 10 15:15:16 TMCVPLMT01 ossec[27132]: Started ossec-remoted...
> abr 10 15:15:16 TMCVPLMT01 ossec[27132]: 2018/04/10 15:15:16 ossec-syscheckd: DEBUG: Starting ...
> abr 10 15:15:16 TMCVPLMT01 ossec[27132]: 2018/04/10 15:15:16 rootcheck: DEBUG: Starting ...
> abr 10 15:15:16 TMCVPLMT01 ossec[27132]: 2018/04/10 15:15:16 rootcheck: Starting queue ...
> abr 10 15:15:16 TMCVPLMT01 ossec[27132]: 2018/04/10 15:15:16 ossec-syscheckd: INFO: (unix_domain) Maximum send buffer set to: '212992'.
> abr 10 15:15:16 TMCVPLMT01 ossec[27132]: Started ossec-syscheckd...
> abr 10 15:15:16 TMCVPLMT01 ossec[27132]: 2018/04/10 15:15:16 ossec-monitord: DEBUG: Starting ...
> abr 10 15:15:16 TMCVPLMT01 ossec[27132]: Started ossec-monitord...
> abr 10 15:15:18 TMCVPLMT01 ossec[27132]: Completed.
>
> Is this related to the principal issue?

I'm not sure what you're trying to ask about here.

> Regards...
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
