I have OSSEC set up to monitor D:\farm, where an ear file is deployed.
When the ear file is redeployed (i.e., new code is pushed), I am not
getting an alert or anything in the log.  If I bounce the agent, I get
an alert that it has been bounced.  I am using a shared config and
verified the agent.conf is being copied to the server.  Any ideas on
why I am not getting a log or alert?

My config is below:

<agent_config name="server124">
        <localfile>
                <location>\ossec-agent\ossec.log</location>
                <log_format>syslog</log_format>
        </localfile>

        <!-- Rootcheck - Policy monitor config -->
        <rootcheck>
                <windows_malware>./shared/win_malware_rcl.txt</windows_malware>
        </rootcheck>

        <!-- Syscheck - Integrity Checking config. -->
        <syscheck>
                <alert_new_files>yes</alert_new_files>
                <frequency>3600</frequency>
                <disabled>no</disabled>
                <directories realtime="yes" check_all="yes">D:\farm</directories>
                <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\OssecSvc</windows_registry>
        </syscheck>

        <active-response>
                <disabled>yes</disabled>
        </active-response>
</agent_config>

The output of my agent log is below:

Started (pid: 5280).
Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\OssecSvc'.
Monitoring directory: 'D:\farm'.
Started (pid: 5280).
Connected to the server (192.168.1.11:1514).
Analyzing file: '\ossec-agent\ossec.log'.
Started (pid: 5280).
Starting syscheck scan (forwarding database).
Starting syscheck database (pre-scan).
Initializing real time file monitoring (not started).
Finished creating syscheck database (pre-scan completed).
Ending syscheck scan (forwarding database).
Starting real time file monitoring.
Starting rootcheck scan.
No winaudit file configured.
No winapps file configured.
Ending rootcheck scan.
Starting syscheck scan.
Ending syscheck scan.
