On Wed, Dec 19, 2018 at 1:46 PM <gabriel.vice...@integritas.net> wrote:
>
> Hi Guys,
> I need a little help here since I am now on ossec.
> I've been struggling for 2 days and I can't find out the problem.
>
> I have a Windows OSSEC HIDS agent version 3.1 installed on a Windows Server
> 2012 64-bit.
>
> This agent is configured to send logs to a remote Linux server in the same
> network. I can see the agent active..
>
> root@xxxx:/var/ossec/logs#   /var/ossec/bin/agent_control -lc
>
> OSSEC HIDS agent_control. List of available agents:
>    ID: 000, Name: xxxx(server), IP: 127.0.0.1, Active/Local
>    ID: 001, Name: xxxx, IP: 192.168.0.66, Active
>
> root@xxxx:/var/ossec/logs#
>
>
> The only log I was getting was one complaining that the syslog message is too
> long. So I disabled this rule in syslog_rules.xml
>
>   <rule id="1003" level="13" maxsize="1025">
>     <description>Non standard syslog message (size too large).</description>
>   </rule>
>
>
>
> Now I am not getting alerts at all.
> Also, I never got a failed login alert, even when this rule was active. It seems
> like it can communicate with the server; however, it is not sending anything.
>

Try turning the log all option on in the ossec server's ossec.conf
(then restart the ossec processes).
You can then check archives.log to see what the agent is sending to the server.

> I tried to force it to run using the command below, because the frequency
> is 22 hours. However, alert.json is still empty.
>
> /var/ossec/bin/agent_control -r -u 001
>
>
>
> Here is the config used
>
> <!-- OSSEC-HIDS Win32 Agent Configuration.
>   -  This file is composed of 3 main sections:
>   -    - Client config - Settings to connect to the OSSEC server
>   -    - Localfile     - Files/Event logs to monitor
>   -    - syscheck      - System file/Registry entries to monitor
>   -->
>
> <!-- READ ME FIRST. If you are configuring OSSEC-HIDS for the first time,
>   -  try to use the "Manage_Agent" tool. Go to Control Panel->OSSEC Agent
>   -  to execute it.
>   -
>   -  First, add a server-ip entry with the real IP of your server.
>   -  Second, and optionally, change the settings of the files you want
>   -          to monitor. Look at our Manual and FAQ for more information.
>   -  Third, start the Agent and enjoy.
>   -
>   -  Example of server-ip:
>   -  <client> <server-ip>1.2.3.4</server-ip> </client>
>   -->
>
> <ossec_config>
>
>   <!-- One entry for each file/Event log to monitor. -->
>   <localfile>
>     <location>Application</location>
>     <log_format>eventlog</log_format>
>   </localfile>
>
>   <localfile>
>     <location>Security</location>
>     <log_format>eventlog</log_format>
>   </localfile>
>
>   <localfile>
>     <location>System</location>
>     <log_format>eventlog</log_format>
>   </localfile>
>
>   <!-- Rootcheck - Policy monitor config -->
>   <rootcheck>
>     <windows_audit>./shared/win_audit_rcl.txt</windows_audit>
>     <windows_apps>./shared/win_applications_rcl.txt</windows_apps>
>     <windows_malware>./shared/win_malware_rcl.txt</windows_malware>
>   </rootcheck>
>
>    <!-- Syscheck - Integrity Checking config. -->
>   <syscheck>
>
>     <!-- Default frequency, every 20 hours. It doesn't need to be higher
>       -  on most systems and once a day should be enough.
>       -->
>     <frequency>72000</frequency>
>
>     <!-- By default it is disabled. In the Install you must choose
>       -  to enable it.
>       -->
>     <disabled>no</disabled>
>
>     <!-- Default files to be monitored - system32 only. -->
>     <directories check_all="yes">%WINDIR%/win.ini</directories>
>     <directories check_all="yes">%WINDIR%/system.ini</directories>
>     <directories check_all="yes">C:\autoexec.bat</directories>
>     <directories check_all="yes">C:\config.sys</directories>
>     <directories check_all="yes">C:\boot.ini</directories>
>
>     <directories check_all="yes">%WINDIR%/SysNative/at.exe</directories>
>     <directories check_all="yes">%WINDIR%/SysNative/attrib.exe</directories>
>     <directories check_all="yes">%WINDIR%/SysNative/cacls.exe</directories>
>     <directories check_all="yes">%WINDIR%/SysNative/cmd.exe</directories>
>     <directories check_all="yes">%WINDIR%/SysNative/drivers/etc</directories>
>     <directories check_all="yes">%WINDIR%/SysNative/eventcreate.exe</directories>
>     <directories check_all="yes">%WINDIR%/SysNative/ftp.exe</directories>
>     <directories check_all="yes">%WINDIR%/SysNative/lsass.exe</directories>
>     <directories check_all="yes">%WINDIR%/SysNative/net.exe</directories>
>     <directories check_all="yes">%WINDIR%/SysNative/net1.exe</directories>
>     <directories check_all="yes">%WINDIR%/SysNative/netsh.exe</directories>
>     <directories check_all="yes">%WINDIR%/SysNative/reg.exe</directories>
>     <directories check_all="yes">%WINDIR%/SysNative/regedt32.exe</directories>
>     <directories check_all="yes">%WINDIR%/SysNative/regsvr32.exe</directories>
>     <directories check_all="yes">%WINDIR%/SysNative/runas.exe</directories>
>     <directories check_all="yes">%WINDIR%/SysNative/sc.exe</directories>
>     <directories check_all="yes">%WINDIR%/SysNative/schtasks.exe</directories>
>     <directories check_all="yes">%WINDIR%/SysNative/sethc.exe</directories>
>     <directories check_all="yes">%WINDIR%/SysNative/subst.exe</directories>
>     <directories check_all="yes">%WINDIR%/SysNative/wbem/WMIC.exe</directories>
>     <directories check_all="yes">%WINDIR%/SysNative/WindowsPowerShell\v1.0\powershell.exe</directories>
>     <directories check_all="yes">%WINDIR%/SysNative/winrm.vbs</directories>
>
>     <directories check_all="yes">%WINDIR%/System32/CONFIG.NT</directories>
>     <directories check_all="yes">%WINDIR%/System32/AUTOEXEC.NT</directories>
>     <directories check_all="yes">%WINDIR%/System32/at.exe</directories>
>     <directories check_all="yes">%WINDIR%/System32/attrib.exe</directories>
>     <directories check_all="yes">%WINDIR%/System32/cacls.exe</directories>
>     <directories check_all="yes">%WINDIR%/System32/debug.exe</directories>
>     <directories check_all="yes">%WINDIR%/System32/drwatson.exe</directories>
>     <directories check_all="yes">%WINDIR%/System32/drwtsn32.exe</directories>
>     <directories check_all="yes">%WINDIR%/System32/edlin.exe</directories>
>     <directories check_all="yes">%WINDIR%/System32/eventcreate.exe</directories>
>     <directories check_all="yes">%WINDIR%/System32/eventtriggers.exe</directories>
>     <directories check_all="yes">%WINDIR%/System32/ftp.exe</directories>
>     <directories check_all="yes">%WINDIR%/System32/net.exe</directories>
>     <directories check_all="yes">%WINDIR%/System32/net1.exe</directories>
>     <directories check_all="yes">%WINDIR%/System32/netsh.exe</directories>
>     <directories check_all="yes">%WINDIR%/System32/rcp.exe</directories>
>     <directories check_all="yes">%WINDIR%/System32/reg.exe</directories>
>     <directories check_all="yes">%WINDIR%/regedit.exe</directories>
>     <directories check_all="yes">%WINDIR%/System32/regedt32.exe</directories>
>     <directories check_all="yes">%WINDIR%/System32/regsvr32.exe</directories>
>     <directories check_all="yes">%WINDIR%/System32/rexec.exe</directories>
>     <directories check_all="yes">%WINDIR%/System32/rsh.exe</directories>
>     <directories check_all="yes">%WINDIR%/System32/runas.exe</directories>
>     <directories check_all="yes">%WINDIR%/System32/sc.exe</directories>
>     <directories check_all="yes">%WINDIR%/System32/subst.exe</directories>
>     <directories check_all="yes">%WINDIR%/System32/telnet.exe</directories>
>     <directories check_all="yes">%WINDIR%/System32/tftp.exe</directories>
>     <directories check_all="yes">%WINDIR%/System32/tlntsvr.exe</directories>
>     <directories check_all="yes">%WINDIR%/System32/drivers/etc</directories>
>     <directories check_all="yes">%WINDIR%/System32/wbem/WMIC.exe</directories>
>     <directories check_all="yes">%WINDIR%/System32/WindowsPowerShell\v1.0\powershell.exe</directories>
>     <directories check_all="yes">%WINDIR%/System32/winrm.vbs</directories>
>
>     <directories check_all="yes" realtime="yes">%PROGRAMDATA%/Microsoft/Windows/Start Menu/Programs/Startup</directories>
>
>     <ignore type="sregex">.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$</ignore>
>
>     <!-- Windows registry entries to monitor. -->
>     <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\batfile</windows_registry>
>     <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\cmdfile</windows_registry>
>     <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\comfile</windows_registry>
>     <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\exefile</windows_registry>
>     <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\piffile</windows_registry>
>     <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects</windows_registry>
>     <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Directory</windows_registry>
>     <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Folder</windows_registry>
>     <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Protocols</windows_registry>
>     <windows_registry>HKEY_LOCAL_MACHINE\Software\Policies</windows_registry>
>     <windows_registry>HKEY_LOCAL_MACHINE\Security</windows_registry>
>     <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer</windows_registry>
>
>     <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</windows_registry>
>     <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs</windows_registry>
>     <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg</windows_registry>
>
>     <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry>
>     <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</windows_registry>
>     <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx</windows_registry>
>     <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL</windows_registry>
>     <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies</windows_registry>
>     <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows</windows_registry>
>     <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon</windows_registry>
>
>     <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components</windows_registry>
>
>     <!-- Windows registry entries to ignore. -->
>     <registry_ignore>HKEY_LOCAL_MACHINE\Security\Policy\Secrets</registry_ignore>
>     <registry_ignore>HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users</registry_ignore>
>     <registry_ignore type="sregex">\Enum$</registry_ignore>
>   </syscheck>
>
>   <active-response>
>     <disabled>no</disabled>
>   </active-response>
>
> </ossec_config>
>
> <!-- END of Default Configuration. -->
>
>  <ossec_config>
>    <client>
>       <server-ip>192.168.0.201</server-ip>
>    </client>
>  </ossec_config>
>
>
>
> I see some errors on the client as well.
>
> 2018/12/19 11:08:07 ossec-syscheckd: WARN: Error opening directory: 'C:\boot.ini': No such file or directory
> 2018/12/19 11:08:09 ossec-syscheckd: WARN: Error opening directory: 'C:\Windows/System32/CONFIG.NT': No such file or directory
> 2018/12/19 11:08:09 ossec-syscheckd: WARN: Error opening directory: 'C:\Windows/System32/AUTOEXEC.NT': No such file or directory
> 2018/12/19 11:08:11 ossec-syscheckd: WARN: Error opening directory: 'C:\Windows/System32/debug.exe': No such file or directory
> 2018/12/19 11:08:11 ossec-syscheckd: WARN: Error opening directory: 'C:\Windows/System32/drwatson.exe': No such file or directory
> 2018/12/19 11:08:11 ossec-syscheckd: WARN: Error opening directory: 'C:\Windows/System32/drwtsn32.exe': No such file or directory
> 2018/12/19 11:08:11 ossec-syscheckd: WARN: Error opening directory: 'C:\Windows/System32/edlin.exe': No such file or directory
> 2018/12/19 11:08:11 ossec-syscheckd: WARN: Error opening directory: 'C:\Windows/System32/eventtriggers.exe': No such file or directory
> 2018/12/19 11:08:11 ossec-syscheckd: WARN: Error opening directory: 'C:\Windows/System32/rcp.exe': No such file or directory
> 2018/12/19 11:08:11 ossec-syscheckd: WARN: Error opening directory: 'C:\Windows/System32/rexec.exe': No such file or directory
> 2018/12/19 11:08:11 ossec-syscheckd: WARN: Error opening directory: 'C:\Windows/System32/rsh.exe': No such file or directory
> 2018/12/19 11:08:11 ossec-syscheckd: WARN: Error opening directory: 'C:\Windows/System32/telnet.exe': No such file or directory
> 2018/12/19 11:08:11 ossec-syscheckd: WARN: Error opening directory: 'C:\Windows/System32/tftp.exe': No such file or directory
> 2018/12/19 11:08:11 ossec-syscheckd: WARN: Error opening directory: 'C:\Windows/System32/tlntsvr.exe': No such file or directory
> 2018/12/19 11:08:33 ossec-syscheckd: INFO: Ending syscheck scan.
> 2018/12/19 13:03:57 rootcheck: INFO: Starting rootcheck scan.
> 2018/12/19 13:03:57 INFO: Attempted to check FS status for 'C:\WINDOWS', but we don't know how on this OS.
> 2018/12/19 13:03:57 INFO: Attempted to check FS status for 'C:\Program Files', but we don't know how on this OS.
> 2018/12/19 13:04:02 rootcheck: INFO: Ending rootcheck scan.
> 2018/12/19 13:04:02 ossec-syscheckd: INFO: Starting syscheck scan.
> 2018/12/19 13:10:51 ossec-syscheckd(1758): ERROR: Unable to open registry key using 32 bit registry: 'System\CurrentControlSet\Services\DHCPServer\ServicePrivateData'.
> 2018/12/19 13:13:05 ossec-syscheckd(1758): ERROR: Unable to open registry key using 32 bit registry: 'System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs'.
> 2018/12/19 13:13:05 ossec-syscheckd(1758): ERROR: Unable to open registry key using 32 bit registry: 'System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\DHCP'.
> 2018/12/19 13:13:05 ossec-syscheckd(1758): ERROR: Unable to open registry key using 32 bit registry: 'System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\IPTLSIn'.
> 2018/12/19 13:13:06 ossec-syscheckd(1758): ERROR: Unable to open registry key using 32 bit registry: 'System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\IPTLSOut'.
> 2018/12/19 13:13:06 ossec-syscheckd(1758): ERROR: Unable to open registry key using 32 bit registry: 'System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\RPC-EPMap'.
> 2018/12/19 13:13:06 ossec-syscheckd(1758): ERROR: Unable to open registry key using 32 bit registry: 'System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\Teredo'.
> 2018/12/19 13:13:41 ossec-syscheckd(1758): ERROR: Unable to open registry key using 32 bit registry: 'System\CurrentControlSet\Services\PolicyAgent\Parameters\Cache'.
> 2018/12/19 13:16:31 ossec-syscheckd(1758): ERROR: Unable to open registry key using 32 bit registry: 'Software\Microsoft\Windows\CurrentVersion\RunOnceEx'.
> 2018/12/19 13:17:42 ossec-syscheckd: WARN: Error opening directory: 'C:\boot.ini': No such file or directory
> 2018/12/19 13:17:44 ossec-syscheckd: WARN: Error opening directory: 'C:\Windows/System32/CONFIG.NT': No such file or directory
> 2018/12/19 13:17:44 ossec-syscheckd: WARN: Error opening directory: 'C:\Windows/System32/AUTOEXEC.NT': No such file or directory
> 2018/12/19 13:17:46 ossec-syscheckd: WARN: Error opening directory: 'C:\Windows/System32/debug.exe': No such file or directory
> 2018/12/19 13:17:46 ossec-syscheckd: WARN: Error opening directory: 'C:\Windows/System32/drwatson.exe': No such file or directory
> 2018/12/19 13:17:46 ossec-syscheckd: WARN: Error opening directory: 'C:\Windows/System32/drwtsn32.exe': No such file or directory
> 2018/12/19 13:17:46 ossec-syscheckd: WARN: Error opening directory: 'C:\Windows/System32/edlin.exe': No such file or directory
> 2018/12/19 13:17:46 ossec-syscheckd: WARN: Error opening directory: 'C:\Windows/System32/eventtriggers.exe': No such file or directory
> 2018/12/19 13:17:46 ossec-syscheckd: WARN: Error opening directory: 'C:\Windows/System32/rcp.exe': No such file or directory
> 2018/12/19 13:17:46 ossec-syscheckd: WARN: Error opening directory: 'C:\Windows/System32/rexec.exe': No such file or directory
> 2018/12/19 13:17:46 ossec-syscheckd: WARN: Error opening directory: 'C:\Windows/System32/rsh.exe': No such file or directory
> 2018/12/19 13:17:46 ossec-syscheckd: WARN: Error opening directory: 'C:\Windows/System32/telnet.exe': No such file or directory
> 2018/12/19 13:17:46 ossec-syscheckd: WARN: Error opening directory: 'C:\Windows/System32/tftp.exe': No such file or directory
> 2018/12/19 13:17:46 ossec-syscheckd: WARN: Error opening directory: 'C:\Windows/System32/tlntsvr.exe': No such file or directory
> 2018/12/19 13:18:08 ossec-syscheckd: INFO: Ending syscheck scan.
>
>
>
> The 32-bit version is installed because I did not find a 64-bit version of
> the OSSEC agent for Windows.
>
> I don't know what else to do, can you guys please help me? Maybe point me to
> some troubleshooting steps?
>
> Thank you. I really appreciate any help.
>
>
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups 
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

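As an added example (not code from this thread or from the OSSEC project), the following POSIX shell script does the two checks the reply suggests against constructed sample data: it tests whether logall is enabled in an ossec.conf, and it summarises what each agent is actually sending in archives.log, so a silent agent like the one above stands out. It also goes one step beyond the thread by counting records longer than the 1025 bytes that rule 1003 (maxsize="1025") triggers on. The archives.log line layout, the path /var/ossec/etc/ossec.conf, the agent name winsrv and every log line in the script are assumptions or constructed samples; check the layout against your own archives.log before relying on it.

```shell
#!/bin/sh
# Added example, not from the ossec-list thread or the OSSEC project.
# Assumed archives.log line layout (verify against your own file):
#   YYYY Mon DD HH:MM:SS (agent_name) agent_ip->location <original message>
#   YYYY Mon DD HH:MM:SS server_hostname->location <original message>
# Assumed config path on a real server: /var/ossec/etc/ossec.conf, with
# <logall>yes</logall> placed inside the <global> section.

WORK="${TMPDIR:-/tmp}/ossec_example.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Constructed ossec.conf fragments: one without logall, one with it enabled.
cat > "$WORK/ossec.conf.before" <<'EOF'
<ossec_config>
  <global>
    <email_notification>no</email_notification>
  </global>
</ossec_config>
EOF
cat > "$WORK/ossec.conf.after" <<'EOF'
<ossec_config>
  <global>
    <email_notification>no</email_notification>
    <logall>yes</logall>
  </global>
</ossec_config>
EOF

# Constructed archives.log: two Windows event-log records from an agent
# called winsrv and one local syslog record collected on the server itself.
cat > "$WORK/archives.log" <<'EOF'
2018 Dec 19 13:20:01 (winsrv) 192.168.0.66->WinEvtLog 2018 Dec 19 13:20:00 WinEvtLog: Security: AUDIT_FAILURE(4625): Microsoft-Windows-Security-Auditing: (no user): no domain: WINSRV: An account failed to log on.
2018 Dec 19 13:20:02 (winsrv) 192.168.0.66->WinEvtLog 2018 Dec 19 13:20:01 WinEvtLog: System: INFORMATION(7036): Service Control Manager: SYSTEM: NT AUTHORITY: WINSRV: The Windows Update service entered the running state.
2018 Dec 19 13:20:05 ossec-server->/var/log/auth.log Dec 19 13:20:05 ossec-server sshd[1234]: Accepted publickey for admin from 192.168.0.10 port 51234 ssh2
EOF
# A third winsrv record padded past 1025 bytes: a record this long is what
# rule 1003 (maxsize="1025") catches instead of a failed-login rule.
printf '2018 Dec 19 13:20:09 (winsrv) 192.168.0.66->WinEvtLog %s\n' \
    "$(awk 'BEGIN { while (i++ < 1100) printf "x" }')" >> "$WORK/archives.log"

# Returns 0 when <logall>yes</logall> is present in the given ossec.conf.
logall_enabled() {
    grep -q '<logall>[[:space:]]*yes[[:space:]]*</logall>' "$1"
}

# Prints "count source location" per sender. An agent that agent_control
# lists as Active but that never appears here is connected yet silent.
events_per_source() {
    awk '{
        if ($5 ~ /^\(.*\)$/) { src = $5; loc = $6 }          # "(agent) ip->location"
        else                 { src = "(server)"; loc = $5 }  # collected locally
        n[src " " loc]++
    } END { for (k in n) print n[k], k }' "$1" | sort -k2
}

# Prints how many records are longer than the byte limit given as $2.
# The whole line is measured, so the ~50-byte archives header is included;
# that is close enough to spot what rule 1003 is rejecting.
oversize_records() {
    awk -v max="$2" 'length($0) > max' "$1" | wc -l | tr -d ' '
}

# Prints the number of records sent by the agent named in $2.
records_from_agent() {
    grep -c "^[0-9]\{4\} [A-Za-z]\{3\} [0-9 ]\{2\} [0-9:]\{8\} ($2) " "$1"
}

main() {
    for f in before after; do
        if logall_enabled "$WORK/ossec.conf.$f"; then
            echo "ossec.conf.$f: logall is on, archives.log will be written"
        else
            echo "ossec.conf.$f: logall is off; add <logall>yes</logall> under <global> and restart"
        fi
    done
    echo "records per source:"
    events_per_source "$WORK/archives.log"
    echo "records from winsrv: $(records_from_agent "$WORK/archives.log" winsrv)"
    echo "records over 1025 bytes: $(oversize_records "$WORK/archives.log" 1025)"
}
main
```

On a real server, point the three functions at /var/ossec/logs/archives/archives.log and /var/ossec/etc/ossec.conf instead of the constructed files. If the agent shows up in events_per_source but only in oversize_records, the events are arriving and rule 1003 is what is swallowing them; if it never shows up at all, the problem is on the agent or transport side, not in the rules.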