On Wed, Oct 19, 2011 at 2:12 PM, brighamr <glennbrobe...@gmail.com> wrote:
> I have a client setup with an ossec manager (v2.6) and 10 ossec agents
> (v2.6) using centralized configuration (agent.conf). My agent.conf
> looks like this (server names and directories sanitized for public
> forum):
>
> <agent_config>
>  <syscheck>
>  <alert_new_files>yes</alert_new_files>

This isn't necessary on agents. This is only useful on the manager.

>  <frequency>3600</frequency>
>  <disabled>no</disabled>
>  </syscheck>
> </agent_config>
>
> <agent_config name="enter_server_name">

That should be enter_agent_name, right?

>  <syscheck>
>   <directories check_all="yes">enter_custom_directory</directories>
>    <!-- Default files to be monitored - system32 only. -->
>    <directories check_all="yes">%WINDIR%/win.ini</directories>
>    <directories check_all="yes">%WINDIR%/system.ini</directories>
>    <directories check_all="yes">C:\autoexec.bat</directories>
>    <directories check_all="yes">C:\config.sys</directories>
>    <directories check_all="yes">C:\boot.ini</directories>
>    <directories check_all="yes">%WINDIR%/System32/CONFIG.NT</directories>
>    <directories check_all="yes">%WINDIR%/System32/AUTOEXEC.NT</directories>
>    <directories check_all="yes">%WINDIR%/System32/at.exe</directories>
>    <directories check_all="yes">%WINDIR%/System32/attrib.exe</directories>
>    <directories check_all="yes">%WINDIR%/System32/cacls.exe</directories>
>    <directories check_all="yes">%WINDIR%/System32/debug.exe</directories>
>    <directories check_all="yes">%WINDIR%/System32/drwatson.exe</directories>
>
>    <!-- Windows registry entries to monitor. -->
>    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\batfile</windows_registry>
>    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\cmdfile</windows_registry>
>  </syscheck>
> </agent_config>
>
> The agent's ossec.conf looks like this:
>
> <ossec_config>
>   <client>
>      <server-ip>999.999.999.999</server-ip>
>   </client>
>  </ossec_config>
>
> Everything is working as it should. The agents alert for registry
> changes, new files, etc. However the frequency is not working. For
> some agents when queried in agent control, they show syscheck as last
> completed 22 hours ago... for others it's less than an hour ago. As I
> understand it, the <agent_config> blocks should be cumulative.
>
> I've checked the syscheck directory and all of the db files have .cpt
> files showing they completed at least once. Additionally, I checked
> the md5 sum of the server agent.conf and it matches the md5 of the
> agent.conf on the agents.
>
> Furthermore, the agent_control timestamps show that syscheck completed
> within 10 minutes... with a frequency of an hour, I don't think that
> should be an issue.
>
> Is there any reason the frequency specified (3600) is not working as
> it should? Any troubleshooting steps I can perform to find out the
> cause of syscheck frequency not working?
>
> I sincerely appreciate your response!

Did you restart the OSSEC processes on the agent after it received the
agent.conf?
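To make the "cumulative <agent_config> blocks" question in the post concrete, here is an added example (not from the thread, and not OSSEC's own code) that parses an agent.conf and computes the syscheck settings that would apply to one agent, flagging the alert_new_files setting that the reply says only matters on the manager. The agent name win-agent-01 and the C:\custom path are invented, and the merge rule (unnamed blocks for every agent, name= blocks only for that agent, lists accumulate, scalars last-wins) is an assumption matching the poster's reading, not a statement of how ossec-agentd actually merges.

```python
import xml.etree.ElementTree as ET

# Constructed sample agent.conf, modelled on the one quoted in the thread
# (the agent name and the C:\custom path are hypothetical).
SAMPLE_AGENT_CONF = r"""
<agent_config>
  <syscheck>
    <alert_new_files>yes</alert_new_files>
    <frequency>3600</frequency>
    <disabled>no</disabled>
  </syscheck>
</agent_config>
<agent_config name="win-agent-01">
  <syscheck>
    <directories check_all="yes">C:\custom</directories>
    <directories check_all="yes">%WINDIR%/win.ini</directories>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\batfile</windows_registry>
  </syscheck>
</agent_config>
"""

def parse_agent_conf(text):
    # agent.conf is a sequence of <agent_config> blocks with no single root,
    # so it is not well-formed XML on its own: wrap it before parsing.
    return ET.fromstring("<root>" + text + "</root>").findall("agent_config")

def effective_syscheck(text, agent_name):
    """Merge the blocks that apply to agent_name into one syscheck view.
    Assumed merge rule (the poster's reading): unnamed blocks apply to every
    agent, name= blocks only to that agent, lists accumulate, scalars keep
    the last value seen. Warnings flag settings that do nothing on an agent."""
    merged = {"frequency": None, "disabled": None,
              "directories": [], "windows_registry": [], "warnings": []}
    for block in parse_agent_conf(text):
        name = block.get("name")
        if name is not None and name != agent_name:
            continue  # block targets a different agent
        syscheck = block.find("syscheck")
        if syscheck is None:
            continue
        for child in syscheck:
            if child.tag in ("directories", "windows_registry"):
                merged[child.tag].append(child.text.strip())
            elif child.tag in ("frequency", "disabled"):
                merged[child.tag] = child.text.strip()
            elif child.tag == "alert_new_files":
                # as the reply notes, this option only takes effect on the manager
                merged["warnings"].append("alert_new_files has no effect in agent.conf")
    return merged
```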
