On Thursday, September 26, 2013 3:49:39 PM UTC+1, dan (ddpbsd) wrote:
>
> On Thu, Sep 26, 2013 at 10:29 AM, Chris H <chris....@gmail.com> wrote: 
> > 
> > 
> > On Thursday, September 26, 2013 2:59:08 PM UTC+1, dan (ddpbsd) wrote: 
> >> 
> >> On Wed, Sep 25, 2013 at 8:18 AM, Chris H <chris....@gmail.com> wrote: 
> >> > An update to this.  It appears that on Windows Server 2012 agent.conf 
> >> > doesn't work with OS either.  I get this in the log files, and it's not 
> >> > monitoring anything: 
> >> > 
> >> > 2013/09/25 13:16:49 ossec-agent(1702): INFO: No directory provided for 
> >> > syscheck to monitor. 
> >> > 2013/09/25 13:16:49 ossec-agent: WARN: Syscheck disabled. 
> >> > 
> >> > Thanks 
> >> > 
> >> 
> >> 
> >> Look to see how OSSEC gets the OS information, and find out what 2012 
> >> gives. With that info we might be able to get it working. 
> > 
> > 
> > Thanks Dan.  I presume I'm looking for something in the logs? I've enabled 
> > debug, but not seeing anything: 
> > 
>
> You'd have to look in the code. 
>

Took a while to find the code :)
OK, I've not done much C dev, and not for a long time, but I think it uses 
GetVersionEx.  It identifies first based on major version; Vista and onwards 
are v6.  Then it checks for minor version but only 0 or 1.  2012, and 
presumably Win8, return minor version 2; mine shows a Version of 6.2.9200, 
and a Name of "Microsoft Windows Server 2012 Standard".

Also, the code to read the agent profile seems to be in there, but I'm not 
sure why it's failing and showing the profile as NULL.  I'll try and add 
some more debug code.

Thanks
 

>
> > 2013/09/26 15:24:07 ossec-agent: DEBUG: Reading agent configuration. 
> > 2013/09/26 15:24:07 ossec-agent Using notify time: 600 and max time to 
> > reconnect: 1800 
> > 2013/09/26 15:24:07 ossec-agent: DEBUG: Reading logcollector configuration. 
> > 2013/09/26 15:24:07 ossec-agent: calling os_read_agent_profile(). 
> > 2013/09/26 15:24:07 ossec-agent: os_read_agent_profile() = [(null)] 
> > 2013/09/26 15:24:07 Read agent config profile name [(null)] 
> > 2013/09/26 15:24:07 [sftp] did not match agent config profile name [(null)] 
> > 2013/09/26 15:24:07 ossec-agent: calling os_read_agent_profile(). 
> > 2013/09/26 15:24:07 ossec-agent: os_read_agent_profile() = [(null)] 
> > 2013/09/26 15:24:07 Read agent config profile name [(null)] 
> > 2013/09/26 15:24:07 [dc] did not match agent config profile name [(null)] 
> > 2013/09/26 15:24:07 ossec-agent: calling os_read_agent_profile(). 
> > 2013/09/26 15:24:07 ossec-agent: os_read_agent_profile() = [(null)] 
> > 2013/09/26 15:24:07 Read agent config profile name [(null)] 
> > 2013/09/26 15:24:07 [dhcp] did not match agent config profile name [(null)] 
> > 2013/09/26 15:24:07 ossec-agent: calling os_read_agent_profile(). 
> > 2013/09/26 15:24:07 ossec-agent: os_read_agent_profile() = [(null)] 
> > 2013/09/26 15:24:07 Read agent config profile name [(null)] 
> > 2013/09/26 15:24:07 [dns] did not match agent config profile name [(null)] 
> > 2013/09/26 15:24:07 ossec-agent: calling os_read_agent_name(). 
> > 2013/09/26 15:24:07 ossec-agent: os_read_agent_name returned (W-DC-01 
> > ). 
> > 2013/09/26 15:24:07 ossec-agent: calling os_read_agent_name(). 
> > 2013/09/26 15:24:07 ossec-agent: os_read_agent_name returned (W-DC-01 
> > ). 
> > 2013/09/26 15:24:07 ossec-execd: INFO: Started (pid: 4100). 
> > 
> > Thanks. 
> > 
> >> 
> >> > 
> >> > On Wednesday, September 25, 2013 12:41:31 PM UTC+1, Chris H wrote: 
> >> >> 
> >> >> Sorry to resurrect an old thread, but is there any update to this?  I'm 
> >> >> just moving towards a centralised config, and experiencing this issue. 
> >> >> Referencing by OS or name works, but by config-profile doesn't on 
> >> >> Windows. 
> >> >> I've also tried the 2.7.1 beta agent, and seeing the same issue. 
> >> >> 
> >> >> I don't know if it's relevant, but I'm seeing entries like this in the 
> >> >> agent logs if I enable debug logging: 
> >> >> 
> >> >> 2013/09/25 12:40:07 Read agent config profile name [(null)] 
> >> >> 2013/09/25 12:40:07 [dhcp] did not match agent config profile name 
> >> >> [(null)] 
> >> >> 
> >> >> 2013/09/25 12:40:07 Read agent config profile name [(null)] 
> >> >> 2013/09/25 12:40:07 [dns] did not match agent config profile name 
> >> >> [(null)] 
> >> >> 
> >> >> Thanks 
> >> >> 
> >> >> 
> >> >> On Tuesday, March 5, 2013 11:19:31 PM UTC, dan (ddpbsd) wrote: 
> >> >>> 
> >> >>> On Tue, Mar 5, 2013 at 12:49 AM, Андрей Шевченко <dioer...@gmail.com> 
> >> >>> wrote: 
> >> >>> > Is it possible to add this functionality in a future version of 
> >> >>> > ossec-agent for win? 
> >> >>> > 
> >> >>> 
> >> >>> Definitely. 
> >> >>> 
> >> >>> > 
> >> >>> >> On Wednesday, February 27, 2013, 10:11:21 UTC+6, Андрей Шевченко 
> >> >>> >> wrote: 
> >> >>> >> 
> >> >>> >> It looks like this feature was not included in the 
> >> >>> >> ossec-hids/src/win32/ 
> >> >>> >> I have not found any changes in the win32 sources. 
> >> >>> >> 
> >> >>> >> On Wednesday, February 27, 2013, 2:01:56 UTC+6, dan (ddpbsd) 
> >> >>> >> wrote: 
> >> >>> >>> 
> >> >>> >>> On Thu, Feb 21, 2013 at 6:38 AM, Андрей Шевченко <dioer...@gmail.com> 
> >> >>> >>> wrote: 
> >> >>> >>> > I tried to add a bad option and I see that it is not being picked 
> >> >>> >>> > up... 
> >> >>> >>> > Like in my example, I don't see anything related to options in 
> >> >>> >>> > the specific agent profile. 
> >> >>> >>> > 
> >> >>> >>> 
> >> >>> >>> You could check the code repository to see if the commits enabling 
> >> >>> >>> this functionality for unixy systems also enabled it for Windows. 
> >> >>> >>> 
> >> >>> >>> > On Tuesday, February 19, 2013, 23:15:44 UTC+6, dan (ddpbsd) 
> >> >>> >>> > wrote: 
> >> >>> >>> >> 
> >> >>> >>> >> On Mon, Feb 18, 2013 at 6:23 AM, Андрей Шевченко <dioer...@gmail.com> 
> >> >>> >>> >> wrote: 
> >> >>> >>> >> > ossec.conf (agent test_PC): 
> >> >>> >>> >> > 
> >> >>> >>> >> >> <ossec_config> 
> >> >>> >>> >> >>   <client> 
> >> >>> >>> >> >>     <config-profile>test1</config-profile> 
> >> >>> >>> >> >>     <server-ip>1.1.1.1</server-ip> 
> >> >>> >>> >> >>   </client> 
> >> >>> >>> >> >>   <active-response> 
> >> >>> >>> >> >>     <disabled>no</disabled> 
> >> >>> >>> >> >>   </active-response> 
> >> >>> >>> >> >> </ossec_config> 
> >> >>> >>> >> > 
> >> >>> >>> >> > 
> >> >>> >>> >> > 
> >> >>> >>> >> > agent.conf (server): 
> >> >>> >>> >> > 
> >> >>> >>> >> >> <agent_config name="test_PC"> 
> >> >>> >>> >> >>   <syscheck> 
> >> >>> >>> >> >>     <directories check_all="yes">D:/</directories> 
> >> >>> >>> >> >>   </syscheck> 
> >> >>> >>> >> >> </agent_config> 
> >> >>> >>> >> >> 
> >> >>> >>> >> >> <agent_config profile="test1"> 
> >> >>> >>> >> >>   <syscheck> 
> >> >>> >>> >> >>     <directories check_all="yes">F:/</directories> 
> >> >>> >>> >> >>   </syscheck> 
> >> >>> >>> >> >> </agent_config> 
> >> >>> >>> >> >> 
> >> >>> >>> >> >> <agent_config os="Windows"> 
> >> >>> >>> >> >>   <syscheck> 
> >> >>> >>> >> >>     <directories check_all="yes">C:/</directories> 
> >> >>> >>> >> >>   </syscheck> 
> >> >>> >>> >> >> </agent_config> 
> >> >>> >>> >> > 
> >> >>> >>> >> > 
> >> >>> >>> >> > ossec.log (agent): 
> >> >>> >>> >> > 
> >> >>> >>> >> >> 2013/02/18 15:41:34 ossec-agent: INFO: Monitoring directory: 'D:/'. 
> >> >>> >>> >> >> 2013/02/18 15:41:34 ossec-agent: INFO: Monitoring directory: 'C:/'. 
> >> >>> >>> >> > 
> >> >>> >>> >> > 
> >> >>> >>> >> > Disk F is not monitored. 
> >> >>> >>> >> > 
> >> >>> >>> >> > Equal configuration for agent under FreeBSD works fine. 
> >> >>> >>> >> > 
> >> >>> >>> >> > -- 
> >> >>> >>> >> > 
> >> >>> >>> >> 
> >> >>> >>> >> You could add a bad option under that profile to see if it's being 
> >> >>> >>> >> picked up, like monitoring a syslog file that doesn't actually 
> >> >>> >>> >> exist. 
> >> >>> >>> >> 
> >> >>> >>> >> Other than that, I'd try something like: 
> >> >>> >>> >> 
> >> >>> >>> >> <agent_config profile="test1"> 
> >> >>> >>> >> <syscheck> 
> >> >>> >>> >>   <directories check_all="yes">F:\.</directories> <!-- Notice the "." --> 
> >> >>> >>> >> </syscheck> 
> >> >>> >>> >> </agent_config> 
> >> >>> >>> >> 
> >> >>> >>> >> I can't test this at the moment, so I don't know for sure that it 
> >> >>> >>> >> will work. 
> >> >>> >>> >> 
> >> >>> >>> >> > --- 
> >> >>> >>> >> > You received this message because you are subscribed to 
> the 
> >> >>> >>> >> > Google 
> >> >>> >>> >> > Groups 
> >> >>> >>> >> > "ossec-list" group. 
> >> >>> >>> >> > To unsubscribe from this group and stop receiving emails 
> from 
> >> >>> >>> >> > it, 
> >> >>> >>> >> > send 
> >> >>> >>> >> > an 
> >> >>> >>> >> > email to ossec-list+...@googlegroups.com. 
> >> >>> >>> >> > For more options, visit 
> >> >>> >>> >> > https://groups.google.com/groups/opt_out. 
> >> >>> >>> >> > 
> >> >>> >>> >> > 

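An added example, written for this page and not taken from OSSEC's sources or from anyone in the thread, that models the version lookup Chris describes above: GetVersionEx reports a major and minor version, and a lookup that only knows minor 0 and 1 under major 6 hands back no OS name for a 6.2 host (the 6.2.9200 Server 2012 box in the thread), after which an `<agent_config os="Windows">` block has nothing to match. The Windows API is not called, so the block builds and runs anywhere. Assumptions of the example: the `win_version` struct and its field comments mirror the OSVERSIONINFOEX fields, the product-type constants are the VER_NT_* values from winnt.h, the version-to-name table is the public Windows one, and the substring test in `os_selector_matches` is this example's own matching rule rather than a statement about how OSSEC compares the `os` attribute.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Product-type values as defined in winnt.h (assumption: copied here so the
 * code needs no Windows headers). */
#define PRODUCT_WORKSTATION        1u   /* VER_NT_WORKSTATION */
#define PRODUCT_DOMAIN_CONTROLLER  2u   /* VER_NT_DOMAIN_CONTROLLER */
#define PRODUCT_SERVER             3u   /* VER_NT_SERVER */

/* Mirrors the OSVERSIONINFOEX fields that matter for naming the OS. */
struct win_version {
    unsigned major;        /* dwMajorVersion */
    unsigned minor;        /* dwMinorVersion */
    unsigned build;        /* dwBuildNumber, informational only */
    unsigned product_type; /* wProductType */
};

/* Narrow lookup: the shape of the check described in the thread. Under
 * major 6 only minor 0 and 1 are recognised, so a 6.2 host gets NULL. */
const char *os_name_narrow(const struct win_version *v)
{
    int ws = (v->product_type == PRODUCT_WORKSTATION);
    if (v->major == 6) {
        if (v->minor == 0) return ws ? "Microsoft Windows Vista" : "Microsoft Windows Server 2008";
        if (v->minor == 1) return ws ? "Microsoft Windows 7"     : "Microsoft Windows Server 2008 R2";
    }
    return NULL;
}

/* Extended lookup: adds 6.2 and 6.3 (public version table) and never returns
 * NULL, so selector matching always has a string to work on. */
const char *os_name_extended(const struct win_version *v)
{
    const char *known = os_name_narrow(v);
    int ws = (v->product_type == PRODUCT_WORKSTATION);
    if (known) return known;
    if (v->major == 6 && v->minor == 2) return ws ? "Microsoft Windows 8"   : "Microsoft Windows Server 2012";
    if (v->major == 6 && v->minor == 3) return ws ? "Microsoft Windows 8.1" : "Microsoft Windows Server 2012 R2";
    return "Microsoft Windows (unrecognised version)";
}

/* Does an <agent_config os="..."> selector apply to the detected name? A
 * plain substring test is used here (this example's choice, not a claim
 * about OSSEC). Returns 1 on match, 0 otherwise; a NULL name never matches,
 * which is how a host ends up with "Syscheck disabled". */
int os_selector_matches(const char *selector, const char *detected)
{
    if (selector == NULL || detected == NULL) return 0;
    return strstr(detected, selector) != NULL;
}

int main(void)
{
    /* Constructed from the version reported in the thread: 6.2.9200 on a
     * domain controller (the host name W-DC-01 suggests that SKU). */
    struct win_version srv2012 = { 6, 2, 9200, PRODUCT_DOMAIN_CONTROLLER };
    const char *narrow = os_name_narrow(&srv2012);
    const char *extended = os_name_extended(&srv2012);

    printf("narrow lookup:   %s\n", narrow ? narrow : "(null)");
    printf("extended lookup: %s\n", extended);
    printf("os=\"Windows\" matches: narrow=%d extended=%d\n",
           os_selector_matches("Windows", narrow),
           os_selector_matches("Windows", extended));
    return 0;
}
```

Running it shows the narrow lookup printing `(null)` and failing the `os="Windows"` match, while the extended lookup names the host and matches; the same two-step check (name the version, then compare the selector against that name) is what to trace in the agent's debug output when an `os=` block is silently skipped.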