An update to this.  It appears that on Windows Server 2012 agent.conf 
doesn't work with OS either.  I get this in the log files, and it's not 
monitoring anything:

2013/09/25 13:16:49 ossec-agent(1702): INFO: No directory provided for syscheck to monitor.
2013/09/25 13:16:49 ossec-agent: WARN: Syscheck disabled.

Thanks

On Wednesday, September 25, 2013 12:41:31 PM UTC+1, Chris H wrote:
>
> Sorry to resurrect an old thread, but is there any update to this?  I'm 
> just moving towards a centralised config, and experiencing this issue.  
> Referencing by OS or name works, but by config-profile doesn't on 
> Windows.  I've also tried the 2.7.1 beta agent, and am seeing the same issue.
>
> I don't know if it's relevant, but I'm seeing entries like this in the 
> agent logs if I enable debug logging:
>
> 2013/09/25 12:40:07 Read agent config profile name [(null)]
> 2013/09/25 12:40:07 [dhcp] did not match agent config profile name [(null)]
>
> 2013/09/25 12:40:07 Read agent config profile name [(null)]
> 2013/09/25 12:40:07 [dns] did not match agent config profile name [(null)]
>
> Thanks
>
>
> On Tuesday, March 5, 2013 11:19:31 PM UTC, dan (ddpbsd) wrote:
>>
>> On Tue, Mar 5, 2013 at 12:49 AM, Андрей Шевченко <dioer...@gmail.com> wrote: 
>> > Is it possible to add this functionality in a future version of 
>> > ossec-agent for win? 
>> > 
>>
>> Definitely. 
>>
>> > 
>> > On Wednesday, February 27, 2013, 10:11:21 UTC+6, Андрей Шевченко wrote: 
>> >> 
>> >> It looks like this feature was not included in ossec-hids/src/win32/. 
>> >> I have not found any changes in the win32 sources. 
>> >> 
>> >> On Wednesday, February 27, 2013, 2:01:56 UTC+6, dan (ddpbsd) wrote: 
>> >>> 
>> >>> On Thu, Feb 21, 2013 at 6:38 AM, Андрей Шевченко <dioer...@gmail.com> wrote: 
>> >>> > I tried to add a bad option and I see that it is not being picked up... 
>> >>> > Like in my example, I don't see anything related to options in the 
>> >>> > specific agent profile. 
>> >>> > 
>> >>> 
>> >>> You could check the code repository to see if the commits enabling 
>> >>> this functionality for unixy systems also enabled it for Windows. 
>> >>> 
>> >>> > On Tuesday, February 19, 2013, 23:15:44 UTC+6, dan (ddpbsd) wrote: 
>> >>> >> 
>> >>> >> On Mon, Feb 18, 2013 at 6:23 AM, Андрей Шевченко <dioer...@gmail.com> wrote: 
>> >>> >> > ossec.conf(agent test_PC): 
>> >>> >> > 
>> >>> >> >> <ossec_config> 
>> >>> >> >>   <client> 
>> >>> >> >>     <config-profile>test1</config-profile> 
>> >>> >> >>     <server-ip>1.1.1.1</server-ip> 
>> >>> >> >>   </client> 
>> >>> >> >>   <active-response> 
>> >>> >> >>     <disabled>no</disabled> 
>> >>> >> >>   </active-response> 
>> >>> >> >> </ossec_config> 
>> >>> >> > 
>> >>> >> > 
>> >>> >> > 
>> >>> >> > agent.conf(server): 
>> >>> >> > 
>> >>> >> >> <agent_config name="test_PC"> 
>> >>> >> >>   <syscheck> 
>> >>> >> >>     <directories check_all="yes">D:/</directories> 
>> >>> >> >>   </syscheck> 
>> >>> >> >> </agent_config> 
>> >>> >> >> 
>> >>> >> >> <agent_config profile="test1"> 
>> >>> >> >>   <syscheck> 
>> >>> >> >>     <directories check_all="yes">F:/</directories> 
>> >>> >> >>   </syscheck> 
>> >>> >> >> </agent_config> 
>> >>> >> >> 
>> >>> >> >> <agent_config os="Windows"> 
>> >>> >> >>   <syscheck> 
>> >>> >> >>     <directories check_all="yes">C:/</directories> 
>> >>> >> >>   </syscheck> 
>> >>> >> >> </agent_config> 
>> >>> >> > 
>> >>> >> > 
>> >>> >> > ossec.log(agent): 
>> >>> >> > 
>> >>> >> >> 2013/02/18 15:41:34 ossec-agent: INFO: Monitoring directory: 'D:/'. 
>> >>> >> >> 2013/02/18 15:41:34 ossec-agent: INFO: Monitoring directory: 'C:/'. 
>> >>> >> > 
>> >>> >> > 
>> >>> >> > Disk F is not monitored. 
>> >>> >> > 
>> >>> >> > Equal configuration for agent under FreeBSD works fine. 
>> >>> >> > 
>> >>> >> > -- 
>> >>> >> > 
>> >>> >> 
>> >>> >> You could add a bad option under that profile to see if it's being 
>> >>> >> picked up, like monitoring a syslog file that doesn't actually exist. 
>> >>> >> 
>> >>> >> Other than that, I'd try something like: 
>> >>> >> 
>> >>> >> <agent_config profile="test1"> 
>> >>> >>   <syscheck> 
>> >>> >>     <directories check_all="yes">F:\.</directories> <!-- Notice the "." --> 
>> >>> >>   </syscheck> 
>> >>> >> </agent_config> 
>> >>> >> 
>> >>> >> I can't test this at the moment, so I don't know for sure that it will 
>> >>> >> work. 
>> >>> >> 
>>
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
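
The symptom reported in this thread (a `profile="test1"` block whose `F:/` directory never shows up as monitored) can be checked mechanically by comparing what agent.conf should yield for an agent against the `Monitoring directory` lines in its ossec.log. This is an added example, not part of the original messages and not OSSEC's own code; the matching rules in `block_applies` are a simplified assumption, the function names are hypothetical, and the inputs are constructed from the config and log lines quoted above.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the agent.conf and ossec.log lines quoted in the thread.
AGENT_CONF = """
<agent_config name="test_PC">
  <syscheck><directories check_all="yes">D:/</directories></syscheck>
</agent_config>
<agent_config profile="test1">
  <syscheck><directories check_all="yes">F:/</directories></syscheck>
</agent_config>
<agent_config os="Windows">
  <syscheck><directories check_all="yes">C:/</directories></syscheck>
</agent_config>
"""
OSSEC_LOG = """\
2013/02/18 15:41:34 ossec-agent: INFO: Monitoring directory: 'D:/'.
2013/02/18 15:41:34 ossec-agent: INFO: Monitoring directory: 'C:/'.
"""

def block_applies(attrs, name, os_name, profiles):
    """Simplified matching model (assumption): every attribute present must match."""
    if "name" in attrs and attrs["name"] != name:
        return False
    if "os" in attrs and attrs["os"].lower() not in os_name.lower():
        return False
    if "profile" in attrs and attrs["profile"] not in profiles:
        return False
    return True

def expected_dirs(conf_text, name, os_name, profiles):
    # agent.conf holds several top-level <agent_config> blocks, so wrap them in one root.
    root = ET.fromstring("<root>" + conf_text + "</root>")
    dirs = set()
    for block in root.iter("agent_config"):
        if block_applies(block.attrib, name, os_name, profiles):
            for d in block.iter("directories"):
                dirs.update(p.strip() for p in (d.text or "").split(",") if p.strip())
    return dirs

def monitored_dirs(log_text):
    # Directories the agent reports it is actually watching.
    return set(re.findall(r"INFO: Monitoring directory: '([^']+)'", log_text))

def missing_dirs(conf_text, log_text, name, os_name, profiles):
    # Configured for this agent but absent from the log: a file-integrity coverage gap.
    return expected_dirs(conf_text, name, os_name, profiles) - monitored_dirs(log_text)

if __name__ == "__main__":
    print(sorted(missing_dirs(AGENT_CONF, OSSEC_LOG, "test_PC", "Windows", ["test1"])))
```

Passing an empty profile list models the `[(null)]` profile name seen in the debug log: the expected set then equals what the agent actually monitors.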
