We are working on 2.6.

Here is the issue.

I have one Windows 2003 agent that can't talk to the server. No firewalls.



Windows ossec.log

2012/08/21 10:02:06 ossec-agent: INFO: Started (pid: 5392).
2012/08/21 10:02:16 ossec-agent: WARN: Process locked. Waiting for permission...
2012/08/21 10:02:27 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '144.122.190.48'.
2012/08/21 10:02:29 ossec-agent: INFO: Trying to connect to server (144.122.190.48:1514).
2012/08/21 10:02:31 ossec-agent: Received exit signal.
2012/08/21 10:02:31 ossec-agent: Exiting...




Server ossec.log

2012/08/21 10:03:13 ossec-remoted(1403): ERROR: Incorrectly formated message from '144.122.218.24'.




Config



<!-- OSSEC Win32 Agent Configuration.
  -  This file is composed of 3 main sections:
  -    - Client config - Settings to connect to the OSSEC server.
  -    - Localfile     - Files/Event logs to monitor.
  -    - syscheck      - System file/Registry entries to monitor.
  -->

<!-- READ ME FIRST. If you are configuring OSSEC for the first time, 
  -  try to use the "Manage_Agent" tool. Go to control panel->OSSEC Agent
  -  to execute it.
  -
  -  First, add a server-ip entry with the real IP of your server.
  -  Second, and optionally, change the settings of the files you want 
  -          to monitor. Look at our Manual and FAQ for more information.
  -  Third, start the Agent and enjoy.
  -
  -  Example of server-ip: 
  -  <client> <server-ip>1.2.3.4</server-ip> </client>
  -->


<ossec_config>

  <!-- One entry for each file/Event log to monitor. -->
  <!-- 
  <localfile>
    <location>Application</location>
    <log_format>eventlog</log_format>
  </localfile>

  <localfile>
    <location>Security</location>
    <log_format>eventlog</log_format>
  </localfile>

  <localfile>
    <location>System</location>
    <log_format>eventlog</log_format>
  </localfile>
   -->

  <!-- Rootcheck - Policy monitor config -->
  <rootcheck>
    <windows_audit>./shared/win_audit_rcl.txt</windows_audit>
    <windows_apps>./shared/win_applications_rcl.txt</windows_apps>
    <windows_malware>./shared/win_malware_rcl.txt</windows_malware>
  </rootcheck> 


   <!-- Syscheck - Integrity Checking config. -->
  <syscheck>
 
    <!-- Default frequency, every 18 hours. It doesn't need to be higher
      -  on most systems and one a day should be enough.
      -->
    <frequency>64800</frequency>

    <!-- By default it is disabled. In the Install you must choose
      -  to enable it.
      -->
    <disabled>no</disabled> 
 
    <!-- Default files to be monitored - system32 only. -->
    <directories check_all="yes">%WINDIR%/system32</directories>

    <!-- Default files to be ignored. -->
    <ignore>%WINDIR%/System32/LogFiles</ignore>
    <ignore>%WINDIR%/system32/wbem/Logs</ignore>
    <ignore>%WINDIR%/system32/config</ignore>
    <ignore>%WINDIR%/system32/CatRoot</ignore>
    <ignore>%WINDIR%/system32/wbem/Repository</ignore>
    <ignore>%WINDIR%/system32/dllcache</ignore>
    <ignore>%WINDIR%/system32/inetsrv/History</ignore>
    <ignore>%WINDIR%/system32/winevt/Logs</ignore>
    <ignore>%WINDIR%/system32/spool</ignore>
    <ignore>%WINDIR%/system32/Tasks</ignore>
    <ignore type="sregex">.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$</ignore>

    <!-- Windows registry entries to monitor. -->
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Policies</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Security</windows_registry>

    <!-- Windows registry entries to ignore. -->
    <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\State</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Prefetcher</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Software\Classes\Interface</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Software\Classes\TypeLib</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Software\Classes\MIME</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Software\Classes\Software</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Software\Classes\CLSID</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Security\Policy\Secrets</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceClasses</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Watchdog</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\MediaCategories</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Windows</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\hivelist</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ServiceCurrent</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess\Performance</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient</registry_ignore>

    <registry_ignore type="sregex">\Enum$</registry_ignore>
  </syscheck> 

</ossec_config>


<!-- END of Default Configuration. -->


<ossec_config>
  <client>
    <server-ip>144.122.190.48</server-ip>
  </client>
</ossec_config>

____________________________________________
Michael Barrett | Information Security Analyst - Lead | Mortgage Guaranty Insurance Corporation
270 E. Kilbourn Ave. | Milwaukee, WI 53202 USA | 1.414.347.6271 | 1.888.601.4440 | michael_barr...@mgic.com

This message is intended for use only by the person(s) addressed above and 
may contain privileged and confidential information. Disclosure or use of 
this message by any other person is strictly prohibited. If this message 
is received in error, please notify the sender immediately and delete this 
message.
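The two log excerpts above show the classic split view of a non-enrolling agent: the agent reports 4101 (start-up sent, no reply) while the server reports 1403 (a message arrived from some IP but remoted could not parse or decrypt it). The script below is an added example, not part of this thread or of OSSEC itself; it parses ossec.log lines from both sides and correlates them into a short triage result. The log lines embedded in it are the ones posted above. The interpretation it attaches to 1403 (undecryptable traffic, so the agent key and the IP bound to it in client.keys are the first things to compare) is the usual reading of that error, not a claim about this particular host.

```python
import re
from typing import Dict, List, Optional

# Generic ossec.log line: "YYYY/MM/DD HH:MM:SS daemon(code): LEVEL: message".
# The "(code)" and "LEVEL:" parts are optional (e.g. "ossec-agent: Exiting...").
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<daemon>[A-Za-z-]+)(?:\((?P<code>\d+)\))?: "
    r"(?:(?P<level>INFO|WARN|ERROR|DEBUG): )?"
    r"(?P<msg>.*)$"
)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
SERVER_RE = re.compile(r"Trying to connect to server \((\d{1,3}(?:\.\d{1,3}){3}):(\d+)\)")

# Sample input: the agent and server log lines from the post above.
AGENT_LOG = """
2012/08/21 10:02:06 ossec-agent: INFO: Started (pid: 5392).
2012/08/21 10:02:16 ossec-agent: WARN: Process locked. Waiting for permission...
2012/08/21 10:02:27 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '144.122.190.48'.
2012/08/21 10:02:29 ossec-agent: INFO: Trying to connect to server (144.122.190.48:1514).
2012/08/21 10:02:31 ossec-agent: Received exit signal.
2012/08/21 10:02:31 ossec-agent: Exiting...
"""
SERVER_LOG = """
2012/08/21 10:03:13 ossec-remoted(1403): ERROR: Incorrectly formated message from '144.122.218.24'.
"""


def parse_line(line: str) -> Optional[dict]:
    """Split one ossec.log line into its fields; None if it is not a log line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["code"] = int(entry["code"]) if entry["code"] else None
    entry["ips"] = IPV4_RE.findall(entry["msg"])  # any IPv4 mentioned in the message
    return entry


def parse_log(text: str) -> List[dict]:
    """Parse a whole log; blank lines and non-log text are skipped."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def triage(agent_log: str, server_log: str) -> Dict[str, object]:
    """Correlate agent-side and server-side symptoms of an agent that never enrolls."""
    result: Dict[str, object] = {
        "server_target": None,      # (ip, port) the agent is trying to reach
        "agent_unanswered": False,  # agent 4101: start-up sent, no reply received
        "rejected_peers": set(),    # IPs whose messages remoted (1403) could not parse/decrypt
        "findings": [],
    }
    for e in parse_log(agent_log):
        if e["daemon"] != "ossec-agent":
            continue
        m = SERVER_RE.search(e["msg"])
        if m:
            result["server_target"] = (m.group(1), int(m.group(2)))
        if e["code"] == 4101:
            result["agent_unanswered"] = True
    for e in parse_log(server_log):
        if e["daemon"] == "ossec-remoted" and e["code"] == 1403:
            result["rejected_peers"].update(e["ips"])

    findings: List[str] = result["findings"]  # type: ignore[assignment]
    if result["agent_unanswered"] and result["rejected_peers"]:
        peers = ", ".join(sorted(result["rejected_peers"]))
        findings.append(
            f"server receives traffic from {peers} but cannot decrypt/parse it; "
            "compare the agent key and its bound IP in client.keys on both sides"
        )
    elif result["agent_unanswered"]:
        findings.append(
            "server logs nothing from the agent: packets are not reaching UDP "
            f"{result['server_target'][1] if result['server_target'] else 1514}"
        )
    return result


if __name__ == "__main__":
    for line in triage(AGENT_LOG, SERVER_LOG)["findings"]:
        print(line)
```

Run it with the two log excerpts pasted into AGENT_LOG and SERVER_LOG; the second branch (no 1403 on the server) distinguishes a reachability problem from a key problem, which is the first fork in this kind of triage.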




From: "dan (ddp)" <ddp...@gmail.com>
To: ossec-list@googlegroups.com
Date: 08/21/2012 09:58 AM
Subject: Re: [ossec-list] 2.5.1
Sent by: ossec-list@googlegroups.com



On Tue, Aug 21, 2012 at 10:52 AM, Michael Barrett
<michael_barr...@mgic.com> wrote:
>
> Anyone know where I can download version 2.5.1 server? Can only find 2.6 on
> the OSSEC site but need the 2.5.1 version.

I'd start by looking in 2010.

2.6 is the latest version, and we don't encourage using anything older.

