Hi dan, I could configure the path for the agents by creating the file agent.conf on the server in the path /var/ossec/etc/shared.
Thank you for your help.

Regards

On Tuesday, April 10, 2018, 16:40:02 (UTC-5), Carlos Islas wrote:
>
> On Tuesday, April 10, 2018, 16:13:21 (UTC-5), dan (ddpbsd) wrote:
>>
>> On Tue, Apr 10, 2018, 5:02 PM Carlos Islas <[email protected]> wrote:
>>
>>> Hello to everybody,
>>>
>>> I've a problem: in my ossec server I had added new directories to check
>>> or to ignore, example:
>>>
>>> <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
>>> <directories check_all="yes">/bin,/sbin,/boot,/lib,/opt,/srv</directories>
>>> <directories check_all="yes">C:\Windows\Test</directories>
>>> <directories check_all="yes">C:\Program Files (x86)\ossec-agent</directories>
>>> <directories check_all="yes">C:\Program Files</directories>
>>> <directories check_all="yes">C:\Program Files (x86)</directories>
>>> <directories check_all="yes">D:\Program Files</directories>
>>>
>>> <ignore>E:\Program Files (x86)\Websense\Web Security\tomcat\logs</ignore>
>>
>> If you added these to the server's ossec.conf, they will be checked on
>> the server. To get them checked on an agent they should be added to the
>> agent's ossec.conf or the agent.conf.
>>
>> *Sorry, one doubt: then if I want to check a specific path, I need to add
>> the path agent by agent?*
>>
>>> But I'm not sure that this configuration is working, because the ossec
>>> agent log doesn't have the registry:
>>>
>>> 2018/04/10 13:34:53 ossec-agent: INFO: Starting syscheck scan.
>>> 2018/04/10 13:43:18 ossec-agent(1758): ERROR: Unable to open registry key: 'System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs'.
>>> 2018/04/10 13:43:18 ossec-agent(1758): ERROR: Unable to open registry key: 'System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\DHCP'.
>>> 2018/04/10 13:43:18 ossec-agent(1758): ERROR: Unable to open registry key: 'System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\IPTLSIn'.
>>> 2018/04/10 13:43:18 ossec-agent(1758): ERROR: Unable to open registry key: 'System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\IPTLSOut'.
>>> 2018/04/10 13:43:18 ossec-agent(1758): ERROR: Unable to open registry key: 'System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\RPC-EPMap'.
>>> 2018/04/10 13:43:18 ossec-agent(1758): ERROR: Unable to open registry key: 'System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\Teredo'.
>>> 2018/04/10 13:43:47 ossec-agent(1758): ERROR: Unable to open registry key: 'System\CurrentControlSet\Services\PolicyAgent\Parameters\Cache'.
>>> 2018/04/10 13:46:24 ossec-agent(1758): ERROR: Unable to open registry key: 'Software\Microsoft\Windows\CurrentVersion\RunOnceEx'.
>>> 2018/04/10 13:47:34 ossec-agent: WARN: Error opening directory: 'C:\boot.ini': No such file or directory
>>> 2018/04/10 13:47:34 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/CONFIG.NT': No such file or directory
>>> 2018/04/10 13:47:34 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/AUTOEXEC.NT': No such file or directory
>>> 2018/04/10 13:47:34 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/debug.exe': No such file or directory
>>> 2018/04/10 13:47:34 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/drwatson.exe': No such file or directory
>>> 2018/04/10 13:47:34 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/drwtsn32.exe': No such file or directory
>>> 2018/04/10 13:47:34 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/edlin.exe': No such file or directory
>>> 2018/04/10 13:47:34 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/eventtriggers.exe': No such file or directory
>>> 2018/04/10 13:47:34 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/rcp.exe': No such file or directory
>>> 2018/04/10 13:47:34 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/rexec.exe': No such file or directory
>>> 2018/04/10 13:47:34 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/rsh.exe': No such file or directory
>>> 2018/04/10 13:47:36 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/telnet.exe': No such file or directory
>>> 2018/04/10 13:47:36 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/tftp.exe': No such file or directory
>>> 2018/04/10 13:47:36 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/tlntsvr.exe': No such file or directory
>>> 2018/04/10 13:47:36 ossec-agent: WARN: Error opening directory: 'C:\Users/Public/All Users/Microsoft/Windows/Start Menu/Startup': No such file or directory
>>> 2018/04/10 13:47:56 ossec-agent: INFO: Ending syscheck scan.
>>>
>>> Could somebody help me to make sure this configuration is correct?
>>>
>>> In addition, when I restart the ossec service on the server, this appears:
>>>
>>> abr 10 15:15:16 TMCVPLMT01 ossec[27132]: Started ossec-remoted...
>>> abr 10 15:15:16 TMCVPLMT01 ossec[27132]:* 2018/04/10 15:15:16 ossec-syscheckd: DEBUG: Starting ...*
>>> abr 10 15:15:16 TMCVPLMT01 ossec[27132]: 20*18/04/10 15:15:16 rootcheck: DEBUG: Starting ...*
>>> abr 10 15:15:16 TMCVPLMT01 ossec[27132]: 2018/04/10 15:15:16 rootcheck: Starting queue ...
>>> abr 10 15:15:16 TMCVPLMT01 ossec[27132]: 2018/04/10 15:15:16 ossec-syscheckd: INFO: (unix_domain) Maximum send buffer set to: '212992'.
>>> abr 10 15:15:16 TMCVPLMT01 ossec[27132]: Started ossec-syscheckd...
>>> abr 10 15:15:16 TMCVPLMT01 ossec[27132]: *2018/04/10 15:15:16 ossec-monitord: DEBUG: Starting ..*.
>>> abr 10 15:15:16 TMCVPLMT01 ossec[27132]: Started ossec-monitord...
>>> abr 10 15:15:18 TMCVPLMT01 ossec[27132]: Completed.
>>>
>>> Is this related to the principal issue?
>>
>> I'm not sure what you're trying to ask about here.
>>
>>> Regards...
>
> On Tuesday, April 10, 2018, 16:13:21 (UTC-5), dan (ddpbsd) wrote:
>>
>>> Is this related to the principal issue?
>>
>> I'm not sure what you're trying to ask about here.
>
> Sorry again, the question is: why does Debug appear if I don't have it enabled or
> started... I checked in internal_options.conf and using
> /var/ossec/bin/ossec-control status debug
>
>>> Regards...
>>>
>>> Thanks dan
