[ossec-list] Re: Help needed with agent.conf

Mon, 11 Jul 2011 11:17:14 -0700 

Hi Chris,

I sent another message with the file attached, thank you for your
quick response. I double checked my file and there are no new line
chars, each element does have it's own line. Can you think of any
other reason why it still fails verify-agent-conf?

Please look at the attachment on the other e-mail if needed. Thanks!
Glenn

On Jul 11, 10:13 am, Christopher Moraes <cmoraes....@gmail.com> wrote:
> I passed this through verify-agent-conf and got no errors.  The only change
> I made was to remove new line chars, so that each XML element is on a single
> line....
>
> read more »
>
>
>
> On Mon, Jul 11, 2011 at 11:18 AM, brighamr <glennbrobe...@gmail.com> wrote:
> > I got the agents working on my win2008r2 servers using a very basic
> > agent.conf. After that worked I created a much more specific
> > agent.conf and am getting an error from verify-agent-conf which states
> > "XML error, element not closed directories line 284". I have passed my
> > file by several engineers and none of us can find any element which is
> > not closed. Can you see any problems with this agent.conf which would
> > cause this error?
>
> > <agent_config name="agent1|agent2">
> >  <syscheck>
> >   <frequency>3600</frequency>
> >   <disabled>no</disabled>
> >   <directories check_all="yes">D:\examplecustomdir</directories>
>
> >    <!-- Default files to be monitored - system32 only. -->
> >    <directories check_all="yes">%WINDIR%/win.ini</directories>
> >    <directories check_all="yes">%WINDIR%/system.ini</directories>
> >    <directories check_all="yes">C:\autoexec.bat</directories>
> >    <directories check_all="yes">C:\config.sys</directories>
> >    <directories check_all="yes">C:\boot.ini</directories>
> >    <directories check_all="yes">%WINDIR%/System32/CONFIG.NT</
> > directories>
> >    <directories check_all="yes">%WINDIR%/System32/AUTOEXEC.NT</
> > directories>
> >    <directories check_all="yes">%WINDIR%/System32/at.exe</
> > directories>
> >    <directories check_all="yes">%WINDIR%/System32/attrib.exe</
> > directories>
> >    <directories check_all="yes">%WINDIR%/System32/cacls.exe</
> > directories>
> >    <directories check_all="yes">%WINDIR%/System32/debug.exe</
> > directories>
> >    <directories check_all="yes">%WINDIR%/System32/drwatson.exe</
> > directories>
> >    <directories check_all="yes">%WINDIR%/System32/drwtsn32.exe</
> > directories>
> >    <directories check_all="yes">%WINDIR%/System32/edlin.exe</
> > directories>
> >    <directories check_all="yes">%WINDIR%/System32/eventcreate.exe</
> > directories>
> >    <directories check_all="yes">%WINDIR%/System32/eventtriggers.exe</
> > directories>
> >    <directories check_all="yes">%WINDIR%/System32/ftp.exe</
> > directories>
> >    <directories check_all="yes">%WINDIR%/System32/net.exe</
> > directories>
> >    <directories check_all="yes">%WINDIR%/System32/net1.exe</
> > directories>
> >    <directories check_all="yes">%WINDIR%/System32/netsh.exe</
> > directories>
> >    <directories check_all="yes">%WINDIR%/System32/rcp.exe</
> > directories>
> >    <directories check_all="yes">%WINDIR%/System32/reg.exe</
> > directories>
> >    <directories check_all="yes">%WINDIR%/regedit.exe</directories>
> >    <directories check_all="yes">%WINDIR%/System32/regedt32.exe</
> > directories>
> >    <directories check_all="yes">%WINDIR%/System32/regsvr32.exe</
> > directories>
> >    <directories check_all="yes">%WINDIR%/System32/rexec.exe</
> > directories>
> >    <directories check_all="yes">%WINDIR%/System32/rsh.exe</
> > directories>
> >    <directories check_all="yes">%WINDIR%/System32/runas.exe</
> > directories>
> >    <directories check_all="yes">%WINDIR%/System32/sc.exe</
> > directories>
> >    <directories check_all="yes">%WINDIR%/System32/subst.exe</
> > directories>
> >    <directories check_all="yes">%WINDIR%/System32/telnet.exe</
> > directories>
> >    <directories check_all="yes">%WINDIR%/System32/tftp.exe</
> > directories>
> >    <directories check_all="yes">%WINDIR%/System32/tlntsvr.exe</
> > directories>
> >    <directories check_all="yes">%WINDIR%/System32/drivers/etc</
> > directories>
> >    <directories check_all="yes">C:\Documents and Settings/All Users/
> > Start Menu/Programs/Startup</directories>
> >    <ignore type="sregex">.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$</
> > ignore>
>
> >    <!-- Windows registry entries to monitor. -->
> >    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\batfile</
> > windows_registry>
> >    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\cmdfile</
> > windows_registry>
> >    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\comfile</
> > windows_registry>
> >    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\exefile</
> > windows_registry>
> >    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\piffile</
> > windows_registry>
> >    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes
> > \AllFilesystemObjects</windows_registry>
> >    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Directory</
> > windows_registry>
> >    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Folder</
> > windows_registry>
> >    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Protocols</
> > windows_registry>
> >    <windows_registry>HKEY_LOCAL_MACHINE\Software\Policies</
> > windows_registry>
> >    <windows_registry>HKEY_LOCAL_MACHINE\Security</windows_registry>
> >    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Internet
> > Explorer</windows_registry>
>
> >    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet
> > \Services</windows_registry>
> >    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet
> > \Control\Session Manager\KnownDLLs</windows_registry>
> >    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet
> > \Control\SecurePipeServers\winreg</windows_registry>
>
> >    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
> > \CurrentVersion\Run</windows_registry>
> >    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
> > \CurrentVersion\RunOnce</windows_registry>
> >    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
> > \CurrentVersion\RunOnceEx</windows_registry>
> >    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
> > \CurrentVersion\URL</windows_registry>
> >    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
> > \CurrentVersion\Policies</windows_registry>
> >    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT
> > \CurrentVersion\Windows</windows_registry>
> >    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT
> > \CurrentVersion\Winlogon</windows_registry>
>
> >    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Active
> > Setup\Installed Components</windows_registry>
>
> >    <!-- Windows registry entries to ignore. -->
> >    <registry_ignore>HKEY_LOCAL_MACHINE\Security\Policy\Secrets</
> > registry_ignore>
> >    <registry_ignore>HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account
> > \Users</registry_ignore>
> >    <registry_ignore type="sregex">\Enum$</registry_ignore>
>
> >   <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet
> > \Control\Lsa\crashonauditfail*</windows_registry>
> >   <windows_registry>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet
> > \Control\Terminal Server\fDenyTSConnections*</windows_registry>
> >   <windows_registry>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT
> > \CurrentVersion\Winlogon\AutoAdminLogon*</windows_registry>
> >   <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
> > \CurrentVersion\Policies\System\ConsentPromptBehaviorUser*</
> > windows_registry>
> >   <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
> > \CurrentVersion\Policies\System\EnableUIADesktopToggle*</
> > windows_registry>
> >   <windows_registry>HKEY_LOCAL_MACHINE\SOFTWARE*</windows_registry>
> >   <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT
> > \CurrentVersion\Winlogon\AutoAdminLogon*</windows_registry>
> >   <alert_new_files>yes</alert_new_files>
> >  </syscheck>
> > </agent_config>
>
> > <agent_config name="agent3|agent4">
> >  <syscheck>
> >   <frequency>3600</frequency>
> >   <disabled>no</disabled>
> >   <directories check_all="yes">D:\customexampledir</directories>
>
> >    <!-- Default files to be monitored - system32 only. -->
> >    <directories check_all="yes">%WINDIR%/win.ini</directories>
> >    <directories check_all="yes">%WINDIR%/system.ini</directories>
> >    <directories check_all="yes">C:\autoexec.bat</directories>
> >    <directories check_all="yes">C:\config.sys</directories>
> >    <directories check_all="yes">C:\boot.ini</directories>
> >    <directories check_all="yes">%WINDIR%/System32/CONFIG.NT</
> > directories>
> >    <directories check_all="yes">%WINDIR%/System32/AUTOEXEC.NT</
> > directories>
> >    <directories check_all="yes">%WINDIR%/System32/at.exe</
> > directories>
> >    <directories check_all="yes">%WINDIR%/System32/attrib.exe</
> > directories>
> >    <directories check_all="yes">%WINDIR%/System32/cacls.exe</
> > directories>
> >    <directories check_all="yes">%WINDIR%/System32/debug.exe</
> > directories>
> >    <directories check_all="yes">%WINDIR%/System32/drwatson.exe</
> > directories>
> >    <directories check_all="yes">%WINDIR%/System32/drwtsn32.exe</
> > directories>
> >    <directories check_all="yes">%WINDIR%/System32/edlin.exe</
> > directories>
> >    <directories check_all="yes">%WINDIR%/System32/eventcreate.exe</
> > directories>
> >    <directories check_all="yes">%WINDIR%/System32/eventtriggers.exe</
> > directories>
> >    <directories check_all="yes">%WINDIR%/System32/ftp.exe</
> > directories>
> >    <directories check_all="yes">%WINDIR%/System32/net.exe</
> > directories>
> >    <directories check_all="yes">%WINDIR%/System32/net1.exe</
> > directories>
> >    <directories check_all="yes">%WINDIR%/System32/netsh.exe</
> > directories>
> >    <directories check_all="yes">%WINDIR%/System32/rcp.exe</
> > directories>
> >    <directories check_all="yes">%WINDIR%/System32/reg.exe</
> > directories>
> >    <directories check_all="yes">%WINDIR%/regedit.exe</directories>
> >    <directories check_all="yes">%WINDIR%/System32/regedt32.exe</
> > directories>
> >    <directories check_all="yes">%WINDIR%/System32/regsvr32.exe</
> > directories>
> >    <directories check_all="yes">%WINDIR%/System32/rexec.exe</
> > directories>
> >    <directories check_all="yes">%WINDIR%/System32/rsh.exe</
> > directories>
> >    <directories check_all="yes">%WINDIR%/System32/runas.exe</
> > directories>
> >    <directories check_all="yes">%WINDIR%/System32/sc.exe</
> > directories>
> >    <directories check_all="yes">%WINDIR%/System32/subst.exe</
> > directories>
> >    <directories check_all="yes">%WINDIR%/System32/telnet.exe</- Hide quoted 
> > text -
>
> - Show quoted text -

Reply via email to