On Wed, Sep 25, 2013 at 8:18 AM, Chris H <chris.hemb...@gmail.com> wrote:
> An update to this.  It appears that on Windows Server 2012 agent.conf
> doesn't work with OS either.  I get this in the log files, and it's not
> monitoring anything:
>
> 2013/09/25 13:16:49 ossec-agent(1702): INFO: No directory provided for syscheck to monitor.
> 2013/09/25 13:16:49 ossec-agent: WARN: Syscheck disabled.
>
> Thanks
>


Look to see how OSSEC gets the OS information, and find out what 2012
gives. With that info we might be able to get it working.

>
> On Wednesday, September 25, 2013 12:41:31 PM UTC+1, Chris H wrote:
>>
>> Sorry to resurrect an old thread, but is there any update to this?  I'm
>> just moving towards a centralised config, and experiencing this issue.
>> Referencing by OS or name works, but by config-profile doesn't on Windows.
>> I've also tried the 2.7.1 beta agent, and seeing the same issue.
>>
>> I don't know if it's relevant, but I'm seeing entries like this in the
>> agent logs if I enable debug logging:
>>
>> 2013/09/25 12:40:07 Read agent config profile name [(null)]
>> 2013/09/25 12:40:07 [dhcp] did not match agent config profile name [(null)]
>>
>> 2013/09/25 12:40:07 Read agent config profile name [(null)]
>> 2013/09/25 12:40:07 [dns] did not match agent config profile name [(null)]
>>
>> Thanks
>>
>>
>> On Tuesday, March 5, 2013 11:19:31 PM UTC, dan (ddpbsd) wrote:
>>>
>>> On Tue, Mar 5, 2013 at 12:49 AM, Андрей Шевченко <dioer...@gmail.com>
>>> wrote:
>>> > Is it possible to add this functionality in a future version of
>>> > ossec-agent for win?
>>> >
>>>
>>> Definitely.
>>>
>>> >
>>> > On Wednesday, February 27, 2013, 10:11:21 UTC+6, Андрей Шевченко wrote:
>>> >>
>>> >> It looks like this feature was not included in the ossec-hids/src/win32/.
>>> >> I have not found any changes in the win32 sources.
>>> >>
>>> >> On Wednesday, February 27, 2013, 2:01:56 UTC+6, dan (ddpbsd) wrote:
>>> >>>
>>> >>> On Thu, Feb 21, 2013 at 6:38 AM, Андрей Шевченко <dioer...@gmail.com>
>>> >>> wrote:
>>> >>> > I tried to add a bad option and I see that it is not being picked up...
>>> >>> > Like in my example, I don't see anything related to options in
>>> >>> > specific agent profile.
>>> >>> >
>>> >>>
>>> >>> You could check the code repository to see if the commits enabling
>>> >>> this functionality for unixy systems also enabled it for Windows.
>>> >>>
>>> >>> > On Tuesday, February 19, 2013, 23:15:44 UTC+6, dan (ddpbsd) wrote:
>>> >>> >>
>>> >>> >> On Mon, Feb 18, 2013 at 6:23 AM, Андрей Шевченко
>>> >>> >> <dioer...@gmail.com>
>>> >>> >> wrote:
>>> >>> >> > ossec.conf (agent test_PC):
>>> >>> >> >
>>> >>> >> >> <ossec_config>
>>> >>> >> >>   <client>
>>> >>> >> >>     <config-profile>test1</config-profile>
>>> >>> >> >>     <server-ip>1.1.1.1</server-ip>
>>> >>> >> >>   </client>
>>> >>> >> >>   <active-response>
>>> >>> >> >>     <disabled>no</disabled>
>>> >>> >> >>   </active-response>
>>> >>> >> >> </ossec_config>
>>> >>> >> >
>>> >>> >> >
>>> >>> >> >
>>> >>> >> > agent.conf(server):
>>> >>> >> >
>>> >>> >> >> <agent_config name="test_PC">
>>> >>> >> >>   <syscheck>
>>> >>> >> >>     <directories check_all="yes">D:/</directories>
>>> >>> >> >>   </syscheck>
>>> >>> >> >> </agent_config>
>>> >>> >> >>
>>> >>> >> >> <agent_config profile="test1">
>>> >>> >> >>   <syscheck>
>>> >>> >> >>     <directories check_all="yes">F:/</directories>
>>> >>> >> >>   </syscheck>
>>> >>> >> >> </agent_config>
>>> >>> >> >>
>>> >>> >> >> <agent_config os="Windows">
>>> >>> >> >>   <syscheck>
>>> >>> >> >>     <directories check_all="yes">C:/</directories>
>>> >>> >> >>   </syscheck>
>>> >>> >> >> </agent_config>
>>> >>> >> >
>>> >>> >> >
>>> >>> >> > ossec.log(agent):
>>> >>> >> >
>>> >>> >> >> 2013/02/18 15:41:34 ossec-agent: INFO: Monitoring directory: 'D:/'.
>>> >>> >> >> 2013/02/18 15:41:34 ossec-agent: INFO: Monitoring directory: 'C:/'.
>>> >>> >> >
>>> >>> >> >
>>> >>> >> > Disk F is not monitored.
>>> >>> >> >
>>> >>> >> > Equal configuration for agent under FreeBSD works fine.
>>> >>> >> >
>>> >>> >> > --
>>> >>> >> >
>>> >>> >>
>>> >>> >> You could add a bad option under that profile to see if it's being
>>> >>> >> picked up, like monitoring a syslog file that doesn't actually
>>> >>> >> exist.
>>> >>> >>
>>> >>> >> Other than that, I'd try something like:
>>> >>> >>
>>> >>> >> <agent_config profile="test1">
>>> >>> >> <syscheck>
>>> >>> >>   <directories check_all="yes">F:\.</directories> <!-- Notice the "." -->
>>> >>> >> </syscheck>
>>> >>> >> </agent_config>
>>> >>> >>
>>> >>> >> I can't test this at the moment, so I don't know for sure that it
>>> >>> >> will work.
>>> >>> >>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
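
An added example, not part of the thread and not OSSEC code: a Python check that compares the directories the thread's agent.conf requests for an agent with the `Monitoring directory` lines in that agent's ossec.log, which surfaces the file-integrity coverage gap reported above. The block-selection rules in `_matches` and `expected_dirs` (`|`-separated alternatives, substring match for `os`, a block without attributes applying to every agent) and the OS string `Microsoft Windows` are assumptions, not taken from the OSSEC source.

```python
import re
import xml.etree.ElementTree as ET

# Both samples are copied from the thread (log lines with mail wrapping undone).
AGENT_CONF = """
<agent_config name="test_PC">
  <syscheck><directories check_all="yes">D:/</directories></syscheck>
</agent_config>
<agent_config profile="test1">
  <syscheck><directories check_all="yes">F:/</directories></syscheck>
</agent_config>
<agent_config os="Windows">
  <syscheck><directories check_all="yes">C:/</directories></syscheck>
</agent_config>
"""
AGENT_LOG = """\
2013/02/18 15:41:34 ossec-agent: INFO: Monitoring directory: 'D:/'.
2013/02/18 15:41:34 ossec-agent: INFO: Monitoring directory: 'C:/'.
"""

def _matches(attr, value, substring=False):
    # Assumed semantics (not from the OSSEC source): '|'-separated
    # alternatives; exact match for name/profile, substring match for os.
    if attr is None or value is None:
        return False
    return any((alt.lower() in value.lower()) if substring else (alt == value)
               for alt in attr.split("|"))

def expected_dirs(conf, name, os_name, profile):
    """Directories requested by the agent_config blocks selected for this agent."""
    # agent.conf holds several top-level blocks, so wrap it in a dummy root.
    root = ET.fromstring(f"<root>{conf}</root>")
    dirs = set()
    for block in root.iter("agent_config"):
        a = block.attrib
        if (not a or _matches(a.get("name"), name)
                or _matches(a.get("os"), os_name, substring=True)
                or _matches(a.get("profile"), profile)):
            for d in block.iter("directories"):
                dirs.update(p.strip() for p in (d.text or "").split(",") if p.strip())
    return dirs

def monitored_dirs(log):
    return set(re.findall(r"INFO: Monitoring directory: '([^']*)'", log))

def coverage_gap(conf, log, name, os_name, profile):
    # Requested by the server-side config but never reported by the agent.
    return sorted(expected_dirs(conf, name, os_name, profile) - monitored_dirs(log))

if __name__ == "__main__":  # "Microsoft Windows" is a constructed OS string
    print(coverage_gap(AGENT_CONF, AGENT_LOG, "test_PC", "Microsoft Windows", "test1"))
```

Passing `None` as the profile, which is what the debug log's `[(null)]` suggests the Windows agent read, makes the gap disappear: the agent monitored exactly what it would select without a profile.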
