On Thu, Sep 26, 2013 at 10:29 AM, Chris H <chris.hemb...@gmail.com> wrote:
>
>
> On Thursday, September 26, 2013 2:59:08 PM UTC+1, dan (ddpbsd) wrote:
>>
>> On Wed, Sep 25, 2013 at 8:18 AM, Chris H <chris....@gmail.com> wrote:
>> > An update to this. It appears that on Windows Server 2012 agent.conf
>> > doesn't work with OS either. I get this in the log files, and it's not
>> > monitoring anything:
>> >
>> > 2013/09/25 13:16:49 ossec-agent(1702): INFO: No directory provided for
>> > syscheck to monitor.
>> > 2013/09/25 13:16:49 ossec-agent: WARN: Syscheck disabled.
>> >
>> > Thanks
>> >
>>
>>
>> Look to see how OSSEC gets the OS information, and find out what 2012
>> gives. With that info we might be able to get it working.
>
>
> Thanks Dan. I presume I'm looking for something in the logs? I've enabled
> debug, but not seeing anything:
>

You'd have to look in the code.

> 2013/09/26 15:24:07 ossec-agent: DEBUG: Reading agent configuration.
> 2013/09/26 15:24:07 ossec-agent Using notify time: 600 and max time to
> reconnect: 1800
> 2013/09/26 15:24:07 ossec-agent: DEBUG: Reading logcollector configuration.
> 2013/09/26 15:24:07 ossec-agent: calling os_read_agent_profile().
> 2013/09/26 15:24:07 ossec-agent: os_read_agent_profile() = [(null)]
> 2013/09/26 15:24:07 Read agent config profile name [(null)]
> 2013/09/26 15:24:07 [sftp] did not match agent config profile name [(null)]
> 2013/09/26 15:24:07 ossec-agent: calling os_read_agent_profile().
> 2013/09/26 15:24:07 ossec-agent: os_read_agent_profile() = [(null)]
> 2013/09/26 15:24:07 Read agent config profile name [(null)]
> 2013/09/26 15:24:07 [dc] did not match agent config profile name [(null)]
> 2013/09/26 15:24:07 ossec-agent: calling os_read_agent_profile().
> 2013/09/26 15:24:07 ossec-agent: os_read_agent_profile() = [(null)]
> 2013/09/26 15:24:07 Read agent config profile name [(null)]
> 2013/09/26 15:24:07 [dhcp] did not match agent config profile name [(null)]
> 2013/09/26 15:24:07 ossec-agent: calling os_read_agent_profile().
> 2013/09/26 15:24:07 ossec-agent: os_read_agent_profile() = [(null)]
> 2013/09/26 15:24:07 Read agent config profile name [(null)]
> 2013/09/26 15:24:07 [dns] did not match agent config profile name [(null)]
> 2013/09/26 15:24:07 ossec-agent: calling os_read_agent_name().
> 2013/09/26 15:24:07 ossec-agent: os_read_agent_name returned (W-DC-01
> ).
> 2013/09/26 15:24:07 ossec-agent: calling os_read_agent_name().
> 2013/09/26 15:24:07 ossec-agent: os_read_agent_name returned (W-DC-01
> ).
> 2013/09/26 15:24:07 ossec-execd: INFO: Started (pid: 4100).
>
> Thanks.
>
>>
>> >
>> > On Wednesday, September 25, 2013 12:41:31 PM UTC+1, Chris H wrote:
>> >>
>> >> Sorry to resurrect an old thread, but is there any update to this? I'm
>> >> just moving towards a centralised config, and experiencing this issue.
>> >> referencing by OS or name, works, but by config-profile doesn't on
>> >> Windows.
>> >> I've also tried the 2.7.1 beta agent, and seeing the same issue.
>> >>
>> >> I don't know if it's relevant, but I'm seeing entries like this in the
>> >> agent logs if I enable debug logging:
>> >>
>> >> 2013/09/25 12:40:07 Read agent config profile name [(null)]
>> >> 2013/09/25 12:40:07 [dhcp] did not match agent config profile name
>> >> [(null)]
>> >>
>> >> 2013/09/25 12:40:07 Read agent config profile name [(null)]
>> >> 2013/09/25 12:40:07 [dns] did not match agent config profile name
>> >> [(null)]
>> >>
>> >> Thanks
>> >>
>> >>
>> >> On Tuesday, March 5, 2013 11:19:31 PM UTC, dan (ddpbsd) wrote:
>> >>>
>> >>> On Tue, Mar 5, 2013 at 12:49 AM, Андрей Шевченко <dioer...@gmail.com> wrote:
>> >>> > Is it possible to add this functionality in a future version of
>> >>> > ossec-agent for win?
>> >>> >
>> >>>
>> >>> Definitely.
>> >>>
>> >>> >
>> >>> > On Wednesday, February 27, 2013, 10:11:21 UTC+6, Андрей Шевченко wrote:
>> >>> >>
>> >>> >> It looks like this feature was not included in the ossec-hids/src/win32/
>> >>> >> I have not found any changes in the win32 sources.
>> >>> >>
>> >>> >> On Wednesday, February 27, 2013, 2:01:56 UTC+6, dan (ddpbsd) wrote:
>> >>> >>>
>> >>> >>> On Thu, Feb 21, 2013 at 6:38 AM, Андрей Шевченко <dioer...@gmail.com> wrote:
>> >>> >>> > I tried to add a bad option and I see that it is not being picked up...
>> >>> >>> > Like in my example, I don't see anything related to options in
>> >>> >>> > specific agent profile.
>> >>> >>> >
>> >>> >>>
>> >>> >>> You could check the code repository to see if the commits enabling
>> >>> >>> this functionality for unixy systems also enabled it for Windows.
>> >>> >>>
>> >>> >>> > On Tuesday, February 19, 2013, 23:15:44 UTC+6, dan (ddpbsd) wrote:
>> >>> >>> >>
>> >>> >>> >> On Mon, Feb 18, 2013 at 6:23 AM, Андрей Шевченко <dioer...@gmail.com> wrote:
>> >>> >>> >> > ossec.conf (agent test_PC):
>> >>> >>> >> >
>> >>> >>> >> >> <ossec_config>
>> >>> >>> >> >>   <client>
>> >>> >>> >> >>     <config-profile>test1</config-profile>
>> >>> >>> >> >>     <server-ip>1.1.1.1</server-ip>
>> >>> >>> >> >>   </client>
>> >>> >>> >> >>
>> >>> >>> >> >>   <active-response>
>> >>> >>> >> >>     <disabled>no</disabled>
>> >>> >>> >> >>   </active-response>
>> >>> >>> >> >> </ossec_config>
>> >>> >>> >> >
>> >>> >>> >> > agent.conf (server):
>> >>> >>> >> >
>> >>> >>> >> >> <agent_config name="test_PC">
>> >>> >>> >> >>   <syscheck>
>> >>> >>> >> >>     <directories check_all="yes">D:/</directories>
>> >>> >>> >> >>   </syscheck>
>> >>> >>> >> >> </agent_config>
>> >>> >>> >> >>
>> >>> >>> >> >> <agent_config profile="test1">
>> >>> >>> >> >>   <syscheck>
>> >>> >>> >> >>     <directories check_all="yes">F:/</directories>
>> >>> >>> >> >>   </syscheck>
>> >>> >>> >> >> </agent_config>
>> >>> >>> >> >>
>> >>> >>> >> >> <agent_config os="Windows">
>> >>> >>> >> >>   <syscheck>
>> >>> >>> >> >>     <directories check_all="yes">C:/</directories>
>> >>> >>> >> >>   </syscheck>
>> >>> >>> >> >> </agent_config>
>> >>> >>> >> >
>> >>> >>> >> > ossec.log (agent):
>> >>> >>> >> >
>> >>> >>> >> >> 2013/02/18 15:41:34 ossec-agent: INFO: Monitoring directory: 'D:/'.
>> >>> >>> >> >> 2013/02/18 15:41:34 ossec-agent: INFO: Monitoring directory: 'C:/'.
>> >>> >>> >> >
>> >>> >>> >> > Disk F is not monitored.
>> >>> >>> >> >
>> >>> >>> >> > Equal configuration for agent under FreeBSD works fine.
>> >>> >>> >> >
>> >>> >>> >> > --
>> >>> >>> >> >
>> >>> >>> >>
>> >>> >>> >> You could add a bad option under that profile to see if it's being
>> >>> >>> >> picked up, like monitoring a syslog file that doesn't actually exist.
>> >>> >>> >>
>> >>> >>> >> Other than that, I'd try something like:
>> >>> >>> >>
>> >>> >>> >> <agent_config profile="test1">
>> >>> >>> >>   <syscheck>
>> >>> >>> >>     <directories check_all="yes">F:\.</directories> <!-- Notice the "." -->
>> >>> >>> >>   </syscheck>
>> >>> >>> >> </agent_config>
>> >>> >>> >>
>> >>> >>> >> I can't test this at the moment, so I don't know for sure that it will
>> >>> >>> >> work.
>> >>> >>> >>
>> >>> >>> >> > ---
>> >>> >>> >> > You received this message because you are subscribed to the Google Groups
>> >>> >>> >> > "ossec-list" group.
>> >>> >>> >> > To unsubscribe from this group and stop receiving emails from it, send an
>> >>> >>> >> > email to ossec-list+...@googlegroups.com.
>> >>> >>> >> > For more options, visit https://groups.google.com/groups/opt_out.
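
A small model of the behaviour reported in this thread, added here as an example (it is not OSSEC's code and not from any poster): it selects `agent_config` blocks from the quoted agent.conf and shows which syscheck directories disappear when the agent's profile is read as `(null)`. The function names, the exact-name and substring-OS matching, the comma-separated profile list and the OS string are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed copy of the server-side agent.conf quoted in the thread.
AGENT_CONF = """
<agent_config name="test_PC">
  <syscheck><directories check_all="yes">D:/</directories></syscheck>
</agent_config>
<agent_config profile="test1">
  <syscheck><directories check_all="yes">F:/</directories></syscheck>
</agent_config>
<agent_config os="Windows">
  <syscheck><directories check_all="yes">C:/</directories></syscheck>
</agent_config>
"""

def block_applies(attrs, name, os_name, profiles):
    """Simplified model (assumption): every selector on a block must match."""
    if "name" in attrs and attrs["name"] != name:
        return False
    if "os" in attrs and attrs["os"].lower() not in os_name.lower():
        return False
    if "profile" in attrs and attrs["profile"] not in profiles:
        return False
    return True

def monitored_dirs(conf_text, name, os_name, profile):
    """Return syscheck directories from every agent_config block that applies."""
    # agent.conf holds several top-level blocks, so wrap it to get one XML root.
    root = ET.fromstring("<root>" + conf_text + "</root>")
    # A profile that was never read (logged as "(null)") gives an empty set.
    profiles = {p.strip() for p in (profile or "").split(",") if p.strip()}
    dirs = []
    for block in root.findall("agent_config"):
        if block_applies(block.attrib, name, os_name, profiles):
            dirs += [d.text.strip() for d in block.iter("directories")]
    return dirs

def dropped_by_null_profile(conf_text, name, os_name, profile):
    """Directories lost when the agent fails to read its <config-profile>."""
    expected = monitored_dirs(conf_text, name, os_name, profile)
    actual = monitored_dirs(conf_text, name, os_name, None)
    return [d for d in expected if d not in actual]

if __name__ == "__main__":
    os_string = "Microsoft Windows Server"  # constructed OS string
    print(monitored_dirs(AGENT_CONF, "test_PC", os_string, "test1"))
    print(monitored_dirs(AGENT_CONF, "test_PC", os_string, None))
    print(dropped_by_null_profile(AGENT_CONF, "test_PC", os_string, "test1"))
```

With the profile missing, the model yields the same two directories as the quoted ossec.log, which makes a silently unmonitored path easy to spot when auditing a centralised agent.conf.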