Eh, never mind. The issue is in the XML I posted for my etc/shared/agent.conf. My final close tag was "<agent_config>" instead of "</agent_config>". Thanks to Michael Starks for suggesting I run bin/verify-agent-conf.

Though the documentation on this binary is empty (http://www.ossec.net/doc/programs/verify-agent-conf.html), it looks like this binary checks the syntax of your configuration file. It must be run from the OSSEC Manager.

[root@ossec-manager ~]# cd /var/ossec
[root@ossec-manager ossec]# bin/verify-agent-conf
2011/05/18 15:55:13 ossec-config(1226): ERROR: Error reading XML file '/var/ossec/etc/shared/agent.conf': XML ERR: End of file and some elements were not closed (line 73).

Thanks for your input!

On May 18, 1:48 pm, "dan (ddp)" <[email protected]> wrote:
> Using the agent.conf for syscheck works for me on the agents (it does
> not work on the manager).
> Make sure the agent.conf has been transferred to the agents.
> Make sure the permissions make it readable by the agents.
> Is the agent.conf below the entirety of your agent.conf? Did you
> copy/paste it from an ossec.conf? Simple typos can cause havoc in the
> agent.conf.
>
> On Wed, May 18, 2011 at 10:04 AM, Michael Altfield <[email protected]>
> wrote:
> > Hi list,
> >
> > Has anyone gotten syscheck to work when using the Centralized
> > Configuration file for defining <syscheck />? No matter what I tried,
> > I keep getting
> >
> > ================================================================================
> > ...
> > ossec-syscheckd(1702): INFO: No directory provided for syscheck to
> > monitor.
> > ossec-syscheckd: WARN: Syscheck disabled.
> > ...
> > ================================================================================
> >
> > messages when I restart ossec.
> >
> > Here's my agent's etc/ossec.conf:
> > ================================================================================
> > <ossec_config>
> >   <client>
> >     <server-ip>10.0.0.1</server-ip>
> >   </client>
> > </ossec_config>
> > ================================================================================
> >
> > Here's my etc/shared/agent.conf:
> > ================================================================================
> > <agent_config>
> >   <syscheck>
> >     <!-- Frequency that syscheck is executed - default to every 22 hours -->
> >     <frequency>79200</frequency>
> >
> >     <!-- Directories to check (perform all possible verifications) -->
> >     <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
> >     <directories check_all="yes">/bin,/sbin</directories>
> >     <directories check_all="yes">/datalex</directories>
> >
> >     <!-- Files/directories to ignore -->
> >     <ignore>/etc/mtab</ignore>
> >     <ignore>/etc/mnttab</ignore>
> >     <ignore>/etc/hosts.deny</ignore>
> >     <ignore>/etc/mail/statistics</ignore>
> >     <ignore>/etc/random-seed</ignore>
> >     <ignore>/etc/adjtime</ignore>
> >     <ignore>/etc/httpd/logs</ignore>
> >     <ignore>/etc/utmpx</ignore>
> >     <ignore>/etc/wtmpx</ignore>
> >     <ignore>/etc/cups/certs</ignore>
> >     <ignore>/etc/dumpdates</ignore>
> >     <ignore>/etc/svc/volatile</ignore>
> >
> >     <!-- Windows files to ignore -->
> >     <ignore>C:\WINDOWS/System32/LogFiles</ignore>
> >     <ignore>C:\WINDOWS/Debug</ignore>
> >     <ignore>C:\WINDOWS/WindowsUpdate.log</ignore>
> >     <ignore>C:\WINDOWS/iis6.log</ignore>
> >     <ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
> >     <ignore>C:\WINDOWS/system32/wbem/Repository</ignore>
> >     <ignore>C:\WINDOWS/Prefetch</ignore>
> >     <ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
> >     <ignore>C:\WINDOWS/SoftwareDistribution</ignore>
> >     <ignore>C:\WINDOWS/Temp</ignore>
> >     <ignore>C:\WINDOWS/system32/config</ignore>
> >     <ignore>C:\WINDOWS/system32/spool</ignore>
> >     <ignore>C:\WINDOWS/system32/CatRoot</ignore>
> >   </syscheck>
> > <agent_config>
> > ================================================================================
> >
> > TIA
> > -Michael
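A pre-flight check for this kind of close-tag typo, added here as an example and not part of the thread or of OSSEC: it parses an agent.conf with Python's strict XML parser (wrapping the file in a synthetic root because OSSEC allows several top-level <agent_config> blocks) and also flags any <syscheck> block that names no <directories>, the condition the agent reported above. The sample configurations and the check_agent_conf name are constructed; bin/verify-agent-conf on the manager remains the authoritative check, since OSSEC's own parser is not a strict XML parser.

```python
"""Pre-flight check for an OSSEC etc/shared/agent.conf (added example, not
OSSEC code): strict-XML approximation of bin/verify-agent-conf that also
warns when a <syscheck> block names no <directories>."""
import xml.etree.ElementTree as ET

# Constructed sample reproducing the thread's bug: the file ends with a
# second "<agent_config>" where "</agent_config>" was meant.
BROKEN = """<agent_config>
  <syscheck>
    <!-- Frequency that syscheck is executed - default to every 22 hours -->
    <frequency>79200</frequency>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
  </syscheck>
<agent_config>
"""
# Same file with the close tag corrected.
FIXED = BROKEN.replace("\n<agent_config>\n", "\n</agent_config>\n")
# Well-formed, but syscheck would still be disabled: no directories at all.
NO_DIRS = "<agent_config><syscheck><frequency>79200</frequency></syscheck></agent_config>"


def check_agent_conf(text):
    """Return (ok, findings) for the text of an agent.conf. OSSEC accepts
    several top-level <agent_config> blocks (one per agent name or OS), which
    is not well-formed XML by itself, so the file is wrapped in a synthetic
    root element before parsing."""
    try:
        root = ET.fromstring("<root>%s</root>" % text)
    except ET.ParseError as exc:
        # Mismatched or unclosed tags end up here, like the thread's typo.
        return False, ["XML ERR: %s" % exc]
    findings = []
    blocks = root.findall("agent_config")
    if not blocks:
        findings.append("no <agent_config> block found")
    for num, block in enumerate(blocks, 1):
        for sc in block.findall("syscheck"):
            dirs = [d.text.strip() for d in sc.findall("directories")
                    if d.text and d.text.strip()]
            if not dirs:
                findings.append("agent_config #%d: <syscheck> names no "
                                "<directories>; syscheck would be disabled" % num)
    return not findings, findings


if __name__ == "__main__":
    for name, conf in (("BROKEN", BROKEN), ("FIXED", FIXED), ("NO_DIRS", NO_DIRS)):
        ok, findings = check_agent_conf(conf)
        print(name, "OK" if ok else "FAIL", *findings)
```

Running it on a real file is a matter of passing open("/var/ossec/etc/shared/agent.conf").read() to check_agent_conf before pushing the file to agents.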
