On Tuesday, April 10, 2018, 16:13:21 (UTC-5), dan (ddpbsd) wrote:
>
>
>
> On Tue, Apr 10, 2018, 5:02 PM Carlos Islas <sparks....@gmail.com> wrote:
>
>> Hello to everybody,
>>
>> I have a problem: on my ossec server I had added new directories to check 
>> or to ignore, for example:
>>
>>     <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
>>     <directories check_all="yes">/bin,/sbin,/boot,/lib,/opt,/srv</directories>
>>     <directories check_all="yes">C:\Windows\Test</directories>
>>     <directories check_all="yes">C:\Program Files (x86)\ossec-agent</directories>
>>     <directories check_all="yes">C:\Program Files</directories>
>>     <directories check_all="yes">C:\Program Files (x86)</directories>
>>     <directories check_all="yes">D:\Program Files</directories>
>>
>>     <ignore>E:\Program Files (x86)\Websense\Web Security\tomcat\logs</ignore>
>>
>
>
> If you added these to the server's ossec.conf, they will be checked on the 
> server. To get them checked on an agent they should be added to the agent's 
> ossec.conf or the agent.conf. 
>

Sorry, one doubt: then if I want to check a specific path, do I need to add the path agent by agent?

>
>> But I'm not sure that this configuration is working, because the ossec 
>> agent log doesn't have the registry:
>>
>> 2018/04/10 13:34:53 ossec-agent: INFO: Starting syscheck scan.
>> 2018/04/10 13:43:18 ossec-agent(1758): ERROR: Unable to open registry key: 'System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs'.
>> 2018/04/10 13:43:18 ossec-agent(1758): ERROR: Unable to open registry key: 'System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\DHCP'.
>> 2018/04/10 13:43:18 ossec-agent(1758): ERROR: Unable to open registry key: 'System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\IPTLSIn'.
>> 2018/04/10 13:43:18 ossec-agent(1758): ERROR: Unable to open registry key: 'System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\IPTLSOut'.
>> 2018/04/10 13:43:18 ossec-agent(1758): ERROR: Unable to open registry key: 'System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\RPC-EPMap'.
>> 2018/04/10 13:43:18 ossec-agent(1758): ERROR: Unable to open registry key: 'System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\Teredo'.
>> 2018/04/10 13:43:47 ossec-agent(1758): ERROR: Unable to open registry key: 'System\CurrentControlSet\Services\PolicyAgent\Parameters\Cache'.
>> 2018/04/10 13:46:24 ossec-agent(1758): ERROR: Unable to open registry key: 'Software\Microsoft\Windows\CurrentVersion\RunOnceEx'.
>> 2018/04/10 13:47:34 ossec-agent: WARN: Error opening directory: 'C:\boot.ini': No such file or directory
>> 2018/04/10 13:47:34 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/CONFIG.NT': No such file or directory
>> 2018/04/10 13:47:34 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/AUTOEXEC.NT': No such file or directory
>> 2018/04/10 13:47:34 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/debug.exe': No such file or directory
>> 2018/04/10 13:47:34 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/drwatson.exe': No such file or directory
>> 2018/04/10 13:47:34 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/drwtsn32.exe': No such file or directory
>> 2018/04/10 13:47:34 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/edlin.exe': No such file or directory
>> 2018/04/10 13:47:34 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/eventtriggers.exe': No such file or directory
>> 2018/04/10 13:47:34 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/rcp.exe': No such file or directory
>> 2018/04/10 13:47:34 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/rexec.exe': No such file or directory
>> 2018/04/10 13:47:34 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/rsh.exe': No such file or directory
>> 2018/04/10 13:47:36 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/telnet.exe': No such file or directory
>> 2018/04/10 13:47:36 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/tftp.exe': No such file or directory
>> 2018/04/10 13:47:36 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/tlntsvr.exe': No such file or directory
>> 2018/04/10 13:47:36 ossec-agent: WARN: Error opening directory: 'C:\Users/Public/All Users/Microsoft/Windows/Start Menu/Startup': No such file or directory
>> 2018/04/10 13:47:56 ossec-agent: INFO: Ending syscheck scan.
>>
>> Could somebody help me to make sure this configuration is correct?
>>
>> In addition, when I restart the ossec service on the server, this appears:
>>
>> abr 10 15:15:16 TMCVPLMT01 ossec[27132]: Started ossec-remoted...
>> abr 10 15:15:16 TMCVPLMT01 ossec[27132]: 2018/04/10 15:15:16 ossec-syscheckd: DEBUG: Starting ...
>> abr 10 15:15:16 TMCVPLMT01 ossec[27132]: 2018/04/10 15:15:16 rootcheck: DEBUG: Starting ...
>> abr 10 15:15:16 TMCVPLMT01 ossec[27132]: 2018/04/10 15:15:16 rootcheck: Starting queue ...
>> abr 10 15:15:16 TMCVPLMT01 ossec[27132]: 2018/04/10 15:15:16 ossec-syscheckd: INFO: (unix_domain) Maximum send buffer set to: '212992'.
>> abr 10 15:15:16 TMCVPLMT01 ossec[27132]: Started ossec-syscheckd...
>> abr 10 15:15:16 TMCVPLMT01 ossec[27132]: 2018/04/10 15:15:16 ossec-monitord: DEBUG: Starting ...
>> abr 10 15:15:16 TMCVPLMT01 ossec[27132]: Started ossec-monitord...
>> abr 10 15:15:18 TMCVPLMT01 ossec[27132]: Completed.
>>
>> Is this related to the principal issue?
>>
>
>
> I'm not sure what you're trying to ask about here.

Sorry again, the question is: why does Debug appear if I don't have it enabled or 
started... I checked in internal_options.conf and using 
/var/ossec/bin/ossec-control status debug

>
>> Regards...
>>
Thanks dan


-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
