Re: [ossec-list] Cannot get agent profile working on windows (2nd try)
On Friday, September 27, 2013 3:39:38 PM UTC+1, Chris H wrote:
On Thursday, September 26, 2013 5:25:10 PM UTC+1, Chris H wrote:
On Thursday, September 26, 2013 3:49:39 PM UTC+1, dan (ddpbsd) wrote:
On Thu, Sep 26, 2013 at 10:29 AM, Chris H chris@gmail.com wrote:
On Thursday, September 26, 2013 2:59:08 PM UTC+1, dan (ddpbsd) wrote:
On Wed, Sep 25, 2013 at 8:18 AM, Chris H chris@gmail.com wrote:

An update to this. It appears that on Windows Server 2012 agent.conf doesn't work with OS either. I get this in the log files, and it's not monitoring anything:

2013/09/25 13:16:49 ossec-agent(1702): INFO: No directory provided for syscheck to monitor.
2013/09/25 13:16:49 ossec-agent: WARN: Syscheck disabled.

Thanks

Look to see how OSSEC gets the OS information, and find out what 2012 gives. With that info we might be able to get it working.

Thanks Dan. I presume I'm looking for something in the logs? I've enabled debug, but not seeing anything:

You'd have to look in the code.

Took a while to find the code :) OK, I've not done much C dev, and not for a long time, but I think it uses GetVersionEx. It identifies first based on major version; Vista and onwards are v6. Then it checks for minor version but only 0 or 1. 2012, and presumably Win8, return minor version 2; mine shows a Version of 6.2.9200, and a Name of Microsoft Windows Server 2012 Standard.

Also, the code to read the agent profile seems to be in there, but I'm not sure why it's failing and showing the profile as NULL. I'll try and add some more debug code.

OK, not sure whether it's me, or I've got a funny version of the code, but I can't get it to compile either under Fedora or on Windows with mingw :(

Thanks

2013/09/26 15:24:07 ossec-agent: DEBUG: Reading agent configuration.
2013/09/26 15:24:07 ossec-agent Using notify time: 600 and max time to reconnect: 1800
2013/09/26 15:24:07 ossec-agent: DEBUG: Reading logcollector configuration.
2013/09/26 15:24:07 ossec-agent: calling os_read_agent_profile().
2013/09/26 15:24:07 ossec-agent: os_read_agent_profile() = [(null)]
2013/09/26 15:24:07 Read agent config profile name [(null)]
2013/09/26 15:24:07 [sftp] did not match agent config profile name [(null)]
2013/09/26 15:24:07 ossec-agent: calling os_read_agent_profile().
2013/09/26 15:24:07 ossec-agent: os_read_agent_profile() = [(null)]
2013/09/26 15:24:07 Read agent config profile name [(null)]
2013/09/26 15:24:07 [dc] did not match agent config profile name [(null)]
2013/09/26 15:24:07 ossec-agent: calling os_read_agent_profile().
2013/09/26 15:24:07 ossec-agent: os_read_agent_profile() = [(null)]
2013/09/26 15:24:07 Read agent config profile name [(null)]
2013/09/26 15:24:07 [dhcp] did not match agent config profile name [(null)]
2013/09/26 15:24:07 ossec-agent: calling os_read_agent_profile().
2013/09/26 15:24:07 ossec-agent: os_read_agent_profile() = [(null)]
2013/09/26 15:24:07 Read agent config profile name [(null)]
2013/09/26 15:24:07 [dns] did not match agent config profile name [(null)]
2013/09/26 15:24:07 ossec-agent: calling os_read_agent_name().
2013/09/26 15:24:07 ossec-agent: os_read_agent_name returned (W-DC-01 ).
2013/09/26 15:24:07 ossec-agent: calling os_read_agent_name().
2013/09/26 15:24:07 ossec-agent: os_read_agent_name returned (W-DC-01 ).
2013/09/26 15:24:07 ossec-execd: INFO: Started (pid: 4100).

Thanks.

On Wednesday, September 25, 2013 12:41:31 PM UTC+1, Chris H wrote:

Sorry to resurrect an old thread, but is there any update to this? I'm just moving towards a centralised config, and experiencing this issue. Referencing by OS or name works, but by config-profile doesn't on Windows. I've also tried the 2.7.1 beta agent, and seeing the same issue.

I don't know if it's relevant, but I'm seeing entries like this in the agent logs if I enable debug logging:

2013/09/25 12:40:07 Read agent config profile name [(null)]
2013/09/25 12:40:07 [dhcp] did not match agent config profile name [(null)]
2013/09/25 12:40:07 Read agent config profile name [(null)]
2013/09/25 12:40:07 [dns] did not match agent config profile name [(null)]

Thanks

On Tuesday, March 5, 2013 11:19:31 PM UTC, dan (ddpbsd) wrote:
On Tue, Mar 5, 2013 at 12:49 AM, Андрей Шевченко dioer...@gmail.com wrote:

Is it possible to add this functionality in a future version of ossec-agent for win?

Definitely.

On Wednesday, February 27, 2013, 10:11:21 UTC+6, Андрей Шевченко wrote:

It looks like this feature was not included in the ossec-hids/src/win32/
I have not found any changes in the win32 sources.

On Wednesday, February 27, 2013,
Re: [ossec-list] Cannot get agent profile working on windows (2nd try)
On Thursday, September 26, 2013 5:25:10 PM UTC+1, Chris H wrote:
On Thursday, September 26, 2013 3:49:39 PM UTC+1, dan (ddpbsd) wrote:
On Thu, Sep 26, 2013 at 10:29 AM, Chris H chris@gmail.com wrote:
On Thursday, September 26, 2013 2:59:08 PM UTC+1, dan (ddpbsd) wrote:
On Wed, Sep 25, 2013 at 8:18 AM, Chris H chris@gmail.com wrote:

An update to this. It appears that on Windows Server 2012 agent.conf doesn't work with OS either. I get this in the log files, and it's not monitoring anything:

2013/09/25 13:16:49 ossec-agent(1702): INFO: No directory provided for syscheck to monitor.
2013/09/25 13:16:49 ossec-agent: WARN: Syscheck disabled.

Thanks

Look to see how OSSEC gets the OS information, and find out what 2012 gives. With that info we might be able to get it working.

Thanks Dan. I presume I'm looking for something in the logs? I've enabled debug, but not seeing anything:

You'd have to look in the code.

Took a while to find the code :) OK, I've not done much C dev, and not for a long time, but I think it uses GetVersionEx. It identifies first based on major version; Vista and onwards are v6. Then it checks for minor version but only 0 or 1. 2012, and presumably Win8, return minor version 2; mine shows a Version of 6.2.9200, and a Name of Microsoft Windows Server 2012 Standard.

Also, the code to read the agent profile seems to be in there, but I'm not sure why it's failing and showing the profile as NULL. I'll try and add some more debug code.

OK, not sure whether it's me, or I've got a funny version of the code, but I can't get it to compile either under Fedora or on Windows with mingw :(

Thanks

2013/09/26 15:24:07 ossec-agent: DEBUG: Reading agent configuration.
2013/09/26 15:24:07 ossec-agent Using notify time: 600 and max time to reconnect: 1800
2013/09/26 15:24:07 ossec-agent: DEBUG: Reading logcollector configuration.
2013/09/26 15:24:07 ossec-agent: calling os_read_agent_profile().
2013/09/26 15:24:07 ossec-agent: os_read_agent_profile() = [(null)]
2013/09/26 15:24:07 Read agent config profile name [(null)]
2013/09/26 15:24:07 [sftp] did not match agent config profile name [(null)]
2013/09/26 15:24:07 ossec-agent: calling os_read_agent_profile().
2013/09/26 15:24:07 ossec-agent: os_read_agent_profile() = [(null)]
2013/09/26 15:24:07 Read agent config profile name [(null)]
2013/09/26 15:24:07 [dc] did not match agent config profile name [(null)]
2013/09/26 15:24:07 ossec-agent: calling os_read_agent_profile().
2013/09/26 15:24:07 ossec-agent: os_read_agent_profile() = [(null)]
2013/09/26 15:24:07 Read agent config profile name [(null)]
2013/09/26 15:24:07 [dhcp] did not match agent config profile name [(null)]
2013/09/26 15:24:07 ossec-agent: calling os_read_agent_profile().
2013/09/26 15:24:07 ossec-agent: os_read_agent_profile() = [(null)]
2013/09/26 15:24:07 Read agent config profile name [(null)]
2013/09/26 15:24:07 [dns] did not match agent config profile name [(null)]
2013/09/26 15:24:07 ossec-agent: calling os_read_agent_name().
2013/09/26 15:24:07 ossec-agent: os_read_agent_name returned (W-DC-01 ).
2013/09/26 15:24:07 ossec-agent: calling os_read_agent_name().
2013/09/26 15:24:07 ossec-agent: os_read_agent_name returned (W-DC-01 ).
2013/09/26 15:24:07 ossec-execd: INFO: Started (pid: 4100).

Thanks.

On Wednesday, September 25, 2013 12:41:31 PM UTC+1, Chris H wrote:

Sorry to resurrect an old thread, but is there any update to this? I'm just moving towards a centralised config, and experiencing this issue. Referencing by OS or name works, but by config-profile doesn't on Windows. I've also tried the 2.7.1 beta agent, and seeing the same issue.

I don't know if it's relevant, but I'm seeing entries like this in the agent logs if I enable debug logging:

2013/09/25 12:40:07 Read agent config profile name [(null)]
2013/09/25 12:40:07 [dhcp] did not match agent config profile name [(null)]
2013/09/25 12:40:07 Read agent config profile name [(null)]
2013/09/25 12:40:07 [dns] did not match agent config profile name [(null)]

Thanks

On Tuesday, March 5, 2013 11:19:31 PM UTC, dan (ddpbsd) wrote:
On Tue, Mar 5, 2013 at 12:49 AM, Андрей Шевченко dioer...@gmail.com wrote:

Is it possible to add this functionality in a future version of ossec-agent for win?

Definitely.

On Wednesday, February 27, 2013, 10:11:21 UTC+6, Андрей Шевченко wrote:

It looks like this feature was not included in the ossec-hids/src/win32/
I have not found any changes in the win32 sources.

On Wednesday, February 27, 2013, 2:01:56 UTC+6, dan (ddpbsd) wrote:
On Thu,
Re: [ossec-list] Cannot get agent profile working on windows (2nd try)
On Wed, Sep 25, 2013 at 8:18 AM, Chris H chris.hemb...@gmail.com wrote:

An update to this. It appears that on Windows Server 2012 agent.conf doesn't work with OS either. I get this in the log files, and it's not monitoring anything:

2013/09/25 13:16:49 ossec-agent(1702): INFO: No directory provided for syscheck to monitor.
2013/09/25 13:16:49 ossec-agent: WARN: Syscheck disabled.

Thanks

Look to see how OSSEC gets the OS information, and find out what 2012 gives. With that info we might be able to get it working.

On Wednesday, September 25, 2013 12:41:31 PM UTC+1, Chris H wrote:

Sorry to resurrect an old thread, but is there any update to this? I'm just moving towards a centralised config, and experiencing this issue. Referencing by OS or name works, but by config-profile doesn't on Windows. I've also tried the 2.7.1 beta agent, and seeing the same issue.

I don't know if it's relevant, but I'm seeing entries like this in the agent logs if I enable debug logging:

2013/09/25 12:40:07 Read agent config profile name [(null)]
2013/09/25 12:40:07 [dhcp] did not match agent config profile name [(null)]
2013/09/25 12:40:07 Read agent config profile name [(null)]
2013/09/25 12:40:07 [dns] did not match agent config profile name [(null)]

Thanks

On Tuesday, March 5, 2013 11:19:31 PM UTC, dan (ddpbsd) wrote:
On Tue, Mar 5, 2013 at 12:49 AM, Андрей Шевченко dioer...@gmail.com wrote:

Is it possible to add this functionality in a future version of ossec-agent for win?

Definitely.

On Wednesday, February 27, 2013, 10:11:21 UTC+6, Андрей Шевченко wrote:

It looks like this feature was not included in the ossec-hids/src/win32/
I have not found any changes in the win32 sources.

On Wednesday, February 27, 2013, 2:01:56 UTC+6, dan (ddpbsd) wrote:
On Thu, Feb 21, 2013 at 6:38 AM, Андрей Шевченко dioer...@gmail.com wrote:

I tried to add a bad option and I see that it is not being picked up... Like in my example, I don't see anything related to options in specific agent profile.

You could check the code repository to see if the commits enabling this functionality for unixy systems also enabled it for Windows.

On Tuesday, February 19, 2013, 23:15:44 UTC+6, dan (ddpbsd) wrote:
On Mon, Feb 18, 2013 at 6:23 AM, Андрей Шевченко dioer...@gmail.com wrote:

ossec.conf (agent test_PC):

<ossec_config>
  <client>
    <config-profile>test1</config-profile>
    <server-ip>1.1.1.1</server-ip>
  </client>
  <active-response>
    <disabled>no</disabled>
  </active-response>
</ossec_config>

agent.conf (server):

<agent_config name="test_PC">
  <syscheck>
    <directories check_all="yes">D:/</directories>
  </syscheck>
</agent_config>
<agent_config profile="test1">
  <syscheck>
    <directories check_all="yes">F:/</directories>
  </syscheck>
</agent_config>
<agent_config os="Windows">
  <syscheck>
    <directories check_all="yes">C:/</directories>
  </syscheck>
</agent_config>

ossec.log (agent):

2013/02/18 15:41:34 ossec-agent: INFO: Monitoring directory: 'D:/'.
2013/02/18 15:41:34 ossec-agent: INFO: Monitoring directory: 'C:/'.

Disk F is not monitored.
Equal configuration for agent under FreeBSD works fine.

--

You could add a bad option under that profile to see if it's being picked up, like monitoring a syslog file that doesn't actually exist. Other than that, I'd try something like:

<agent_config profile="test1">
  <syscheck>
    <directories check_all="yes">F:\.</directories> <!-- Notice the . -->
  </syscheck>
</agent_config>

I can't test this at the moment, so I don't know for sure that it will work.
Re: [ossec-list] Cannot get agent profile working on windows (2nd try)
On Thursday, September 26, 2013 2:59:08 PM UTC+1, dan (ddpbsd) wrote:
On Wed, Sep 25, 2013 at 8:18 AM, Chris H chris@gmail.com wrote:

An update to this. It appears that on Windows Server 2012 agent.conf doesn't work with OS either. I get this in the log files, and it's not monitoring anything:

2013/09/25 13:16:49 ossec-agent(1702): INFO: No directory provided for syscheck to monitor.
2013/09/25 13:16:49 ossec-agent: WARN: Syscheck disabled.

Thanks

Look to see how OSSEC gets the OS information, and find out what 2012 gives. With that info we might be able to get it working.

Thanks Dan. I presume I'm looking for something in the logs? I've enabled debug, but not seeing anything:

2013/09/26 15:24:07 ossec-agent: DEBUG: Reading agent configuration.
2013/09/26 15:24:07 ossec-agent Using notify time: 600 and max time to reconnect: 1800
2013/09/26 15:24:07 ossec-agent: DEBUG: Reading logcollector configuration.
2013/09/26 15:24:07 ossec-agent: calling os_read_agent_profile().
2013/09/26 15:24:07 ossec-agent: os_read_agent_profile() = [(null)]
2013/09/26 15:24:07 Read agent config profile name [(null)]
2013/09/26 15:24:07 [sftp] did not match agent config profile name [(null)]
2013/09/26 15:24:07 ossec-agent: calling os_read_agent_profile().
2013/09/26 15:24:07 ossec-agent: os_read_agent_profile() = [(null)]
2013/09/26 15:24:07 Read agent config profile name [(null)]
2013/09/26 15:24:07 [dc] did not match agent config profile name [(null)]
2013/09/26 15:24:07 ossec-agent: calling os_read_agent_profile().
2013/09/26 15:24:07 ossec-agent: os_read_agent_profile() = [(null)]
2013/09/26 15:24:07 Read agent config profile name [(null)]
2013/09/26 15:24:07 [dhcp] did not match agent config profile name [(null)]
2013/09/26 15:24:07 ossec-agent: calling os_read_agent_profile().
2013/09/26 15:24:07 ossec-agent: os_read_agent_profile() = [(null)]
2013/09/26 15:24:07 Read agent config profile name [(null)]
2013/09/26 15:24:07 [dns] did not match agent config profile name [(null)]
2013/09/26 15:24:07 ossec-agent: calling os_read_agent_name().
2013/09/26 15:24:07 ossec-agent: os_read_agent_name returned (W-DC-01 ).
2013/09/26 15:24:07 ossec-agent: calling os_read_agent_name().
2013/09/26 15:24:07 ossec-agent: os_read_agent_name returned (W-DC-01 ).
2013/09/26 15:24:07 ossec-execd: INFO: Started (pid: 4100).

Thanks.

On Wednesday, September 25, 2013 12:41:31 PM UTC+1, Chris H wrote:

Sorry to resurrect an old thread, but is there any update to this? I'm just moving towards a centralised config, and experiencing this issue. Referencing by OS or name works, but by config-profile doesn't on Windows. I've also tried the 2.7.1 beta agent, and seeing the same issue.

I don't know if it's relevant, but I'm seeing entries like this in the agent logs if I enable debug logging:

2013/09/25 12:40:07 Read agent config profile name [(null)]
2013/09/25 12:40:07 [dhcp] did not match agent config profile name [(null)]
2013/09/25 12:40:07 Read agent config profile name [(null)]
2013/09/25 12:40:07 [dns] did not match agent config profile name [(null)]

Thanks

On Tuesday, March 5, 2013 11:19:31 PM UTC, dan (ddpbsd) wrote:
On Tue, Mar 5, 2013 at 12:49 AM, Андрей Шевченко dioer...@gmail.com wrote:

Is it possible to add this functionality in a future version of ossec-agent for win?

Definitely.

On Wednesday, February 27, 2013, 10:11:21 UTC+6, Андрей Шевченко wrote:

It looks like this feature was not included in the ossec-hids/src/win32/
I have not found any changes in the win32 sources.

On Wednesday, February 27, 2013, 2:01:56 UTC+6, dan (ddpbsd) wrote:
On Thu, Feb 21, 2013 at 6:38 AM, Андрей Шевченко dioer...@gmail.com wrote:

I tried to add a bad option and I see that it is not being picked up... Like in my example, I don't see anything related to options in specific agent profile.

You could check the code repository to see if the commits enabling this functionality for unixy systems also enabled it for Windows.

On Tuesday, February 19, 2013, 23:15:44 UTC+6, dan (ddpbsd) wrote:
On Mon, Feb 18, 2013 at 6:23 AM, Андрей Шевченко dioer...@gmail.com wrote:

ossec.conf (agent test_PC):

<ossec_config>
  <client>
    <config-profile>test1</config-profile>
    <server-ip>1.1.1.1</server-ip>
  </client>
  <active-response>
    <disabled>no</disabled>
  </active-response>
</ossec_config>

agent.conf (server):

<agent_config name="test_PC">
  <syscheck>
    <directories check_all="yes">D:/</directories>
  </syscheck>
</agent_config>
<agent_config profile="test1">
Re: [ossec-list] Cannot get agent profile working on windows (2nd try)
On Thu, Sep 26, 2013 at 10:29 AM, Chris H chris.hemb...@gmail.com wrote:
On Thursday, September 26, 2013 2:59:08 PM UTC+1, dan (ddpbsd) wrote:
On Wed, Sep 25, 2013 at 8:18 AM, Chris H chris@gmail.com wrote:

An update to this. It appears that on Windows Server 2012 agent.conf doesn't work with OS either. I get this in the log files, and it's not monitoring anything:

2013/09/25 13:16:49 ossec-agent(1702): INFO: No directory provided for syscheck to monitor.
2013/09/25 13:16:49 ossec-agent: WARN: Syscheck disabled.

Thanks

Look to see how OSSEC gets the OS information, and find out what 2012 gives. With that info we might be able to get it working.

Thanks Dan. I presume I'm looking for something in the logs? I've enabled debug, but not seeing anything:

You'd have to look in the code.

2013/09/26 15:24:07 ossec-agent: DEBUG: Reading agent configuration.
2013/09/26 15:24:07 ossec-agent Using notify time: 600 and max time to reconnect: 1800
2013/09/26 15:24:07 ossec-agent: DEBUG: Reading logcollector configuration.
2013/09/26 15:24:07 ossec-agent: calling os_read_agent_profile().
2013/09/26 15:24:07 ossec-agent: os_read_agent_profile() = [(null)]
2013/09/26 15:24:07 Read agent config profile name [(null)]
2013/09/26 15:24:07 [sftp] did not match agent config profile name [(null)]
2013/09/26 15:24:07 ossec-agent: calling os_read_agent_profile().
2013/09/26 15:24:07 ossec-agent: os_read_agent_profile() = [(null)]
2013/09/26 15:24:07 Read agent config profile name [(null)]
2013/09/26 15:24:07 [dc] did not match agent config profile name [(null)]
2013/09/26 15:24:07 ossec-agent: calling os_read_agent_profile().
2013/09/26 15:24:07 ossec-agent: os_read_agent_profile() = [(null)]
2013/09/26 15:24:07 Read agent config profile name [(null)]
2013/09/26 15:24:07 [dhcp] did not match agent config profile name [(null)]
2013/09/26 15:24:07 ossec-agent: calling os_read_agent_profile().
2013/09/26 15:24:07 ossec-agent: os_read_agent_profile() = [(null)]
2013/09/26 15:24:07 Read agent config profile name [(null)]
2013/09/26 15:24:07 [dns] did not match agent config profile name [(null)]
2013/09/26 15:24:07 ossec-agent: calling os_read_agent_name().
2013/09/26 15:24:07 ossec-agent: os_read_agent_name returned (W-DC-01 ).
2013/09/26 15:24:07 ossec-agent: calling os_read_agent_name().
2013/09/26 15:24:07 ossec-agent: os_read_agent_name returned (W-DC-01 ).
2013/09/26 15:24:07 ossec-execd: INFO: Started (pid: 4100).

Thanks.

On Wednesday, September 25, 2013 12:41:31 PM UTC+1, Chris H wrote:

Sorry to resurrect an old thread, but is there any update to this? I'm just moving towards a centralised config, and experiencing this issue. Referencing by OS or name works, but by config-profile doesn't on Windows. I've also tried the 2.7.1 beta agent, and seeing the same issue.

I don't know if it's relevant, but I'm seeing entries like this in the agent logs if I enable debug logging:

2013/09/25 12:40:07 Read agent config profile name [(null)]
2013/09/25 12:40:07 [dhcp] did not match agent config profile name [(null)]
2013/09/25 12:40:07 Read agent config profile name [(null)]
2013/09/25 12:40:07 [dns] did not match agent config profile name [(null)]

Thanks

On Tuesday, March 5, 2013 11:19:31 PM UTC, dan (ddpbsd) wrote:
On Tue, Mar 5, 2013 at 12:49 AM, Андрей Шевченко dioer...@gmail.com wrote:

Is it possible to add this functionality in a future version of ossec-agent for win?

Definitely.

On Wednesday, February 27, 2013, 10:11:21 UTC+6, Андрей Шевченко wrote:

It looks like this feature was not included in the ossec-hids/src/win32/
I have not found any changes in the win32 sources.

On Wednesday, February 27, 2013, 2:01:56 UTC+6, dan (ddpbsd) wrote:
On Thu, Feb 21, 2013 at 6:38 AM, Андрей Шевченко dioer...@gmail.com wrote:

I tried to add a bad option and I see that it is not being picked up... Like in my example, I don't see anything related to options in specific agent profile.

You could check the code repository to see if the commits enabling this functionality for unixy systems also enabled it for Windows.

On Tuesday, February 19, 2013, 23:15:44 UTC+6, dan (ddpbsd) wrote:
On Mon, Feb 18, 2013 at 6:23 AM, Андрей Шевченко dioer...@gmail.com wrote:

ossec.conf (agent test_PC):

<ossec_config>
  <client>
    <config-profile>test1</config-profile>
    <server-ip>1.1.1.1</server-ip>
  </client>
  <active-response>
    <disabled>no</disabled>
  </active-response>
</ossec_config>

agent.conf (server):

<agent_config name="test_PC">
  <syscheck>
    <directories check_all="yes">D:/</directories>
  </syscheck>
</agent_config>
<agent_config
Re: [ossec-list] Cannot get agent profile working on windows (2nd try)
On Thursday, September 26, 2013 3:49:39 PM UTC+1, dan (ddpbsd) wrote:
On Thu, Sep 26, 2013 at 10:29 AM, Chris H chris@gmail.com wrote:
On Thursday, September 26, 2013 2:59:08 PM UTC+1, dan (ddpbsd) wrote:
On Wed, Sep 25, 2013 at 8:18 AM, Chris H chris@gmail.com wrote:

An update to this. It appears that on Windows Server 2012 agent.conf doesn't work with OS either. I get this in the log files, and it's not monitoring anything:

2013/09/25 13:16:49 ossec-agent(1702): INFO: No directory provided for syscheck to monitor.
2013/09/25 13:16:49 ossec-agent: WARN: Syscheck disabled.

Thanks

Look to see how OSSEC gets the OS information, and find out what 2012 gives. With that info we might be able to get it working.

Thanks Dan. I presume I'm looking for something in the logs? I've enabled debug, but not seeing anything:

You'd have to look in the code.

Took a while to find the code :) OK, I've not done much C dev, and not for a long time, but I think it uses GetVersionEx. It identifies first based on major version; Vista and onwards are v6. Then it checks for minor version but only 0 or 1. 2012, and presumably Win8, return minor version 2; mine shows a Version of 6.2.9200, and a Name of Microsoft Windows Server 2012 Standard.

Also, the code to read the agent profile seems to be in there, but I'm not sure why it's failing and showing the profile as NULL. I'll try and add some more debug code.

Thanks

2013/09/26 15:24:07 ossec-agent: DEBUG: Reading agent configuration.
2013/09/26 15:24:07 ossec-agent Using notify time: 600 and max time to reconnect: 1800
2013/09/26 15:24:07 ossec-agent: DEBUG: Reading logcollector configuration.
2013/09/26 15:24:07 ossec-agent: calling os_read_agent_profile().
2013/09/26 15:24:07 ossec-agent: os_read_agent_profile() = [(null)]
2013/09/26 15:24:07 Read agent config profile name [(null)]
2013/09/26 15:24:07 [sftp] did not match agent config profile name [(null)]
2013/09/26 15:24:07 ossec-agent: calling os_read_agent_profile().
2013/09/26 15:24:07 ossec-agent: os_read_agent_profile() = [(null)]
2013/09/26 15:24:07 Read agent config profile name [(null)]
2013/09/26 15:24:07 [dc] did not match agent config profile name [(null)]
2013/09/26 15:24:07 ossec-agent: calling os_read_agent_profile().
2013/09/26 15:24:07 ossec-agent: os_read_agent_profile() = [(null)]
2013/09/26 15:24:07 Read agent config profile name [(null)]
2013/09/26 15:24:07 [dhcp] did not match agent config profile name [(null)]
2013/09/26 15:24:07 ossec-agent: calling os_read_agent_profile().
2013/09/26 15:24:07 ossec-agent: os_read_agent_profile() = [(null)]
2013/09/26 15:24:07 Read agent config profile name [(null)]
2013/09/26 15:24:07 [dns] did not match agent config profile name [(null)]
2013/09/26 15:24:07 ossec-agent: calling os_read_agent_name().
2013/09/26 15:24:07 ossec-agent: os_read_agent_name returned (W-DC-01 ).
2013/09/26 15:24:07 ossec-agent: calling os_read_agent_name().
2013/09/26 15:24:07 ossec-agent: os_read_agent_name returned (W-DC-01 ).
2013/09/26 15:24:07 ossec-execd: INFO: Started (pid: 4100).

Thanks.

On Wednesday, September 25, 2013 12:41:31 PM UTC+1, Chris H wrote:

Sorry to resurrect an old thread, but is there any update to this? I'm just moving towards a centralised config, and experiencing this issue. Referencing by OS or name works, but by config-profile doesn't on Windows. I've also tried the 2.7.1 beta agent, and seeing the same issue.

I don't know if it's relevant, but I'm seeing entries like this in the agent logs if I enable debug logging:

2013/09/25 12:40:07 Read agent config profile name [(null)]
2013/09/25 12:40:07 [dhcp] did not match agent config profile name [(null)]
2013/09/25 12:40:07 Read agent config profile name [(null)]
2013/09/25 12:40:07 [dns] did not match agent config profile name [(null)]

Thanks

On Tuesday, March 5, 2013 11:19:31 PM UTC, dan (ddpbsd) wrote:
On Tue, Mar 5, 2013 at 12:49 AM, Андрей Шевченко dioer...@gmail.com wrote:

Is it possible to add this functionality in a future version of ossec-agent for win?

Definitely.

On Wednesday, February 27, 2013, 10:11:21 UTC+6, Андрей Шевченко wrote:

It looks like this feature was not included in the ossec-hids/src/win32/
I have not found any changes in the win32 sources.

On Wednesday, February 27, 2013, 2:01:56 UTC+6, dan (ddpbsd) wrote:
On Thu, Feb 21, 2013 at 6:38 AM, Андрей Шевченко dioer...@gmail.com wrote:

I tried to add a bad option and I see that it is not being picked up... Like in my example, I don't see anything
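The version check described in the 26 September message above (major version 6 recognised only with minor 0 or 1, while Server 2012 reports 6.2.9200), shown next to a table-driven lookup with a fallback. This is an added example, not part of the original thread and not OSSEC's code; `struct win_ver`, `legacy_version_name` and `win_version_name` are hypothetical names, and the struct stands in for the OSVERSIONINFOEX fields that GetVersionEx fills so the code runs on any platform.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the OSVERSIONINFOEX fields that matter here. */
struct win_ver {
    unsigned major;
    unsigned minor;
    unsigned build;
    int is_workstation;   /* 1 when wProductType == VER_NT_WORKSTATION */
};

/* Model of the behaviour described in the post (not OSSEC's code):
 * major 6 is recognised only with minor 0 or 1, so 6.2 yields no name. */
int legacy_version_name(const struct win_ver *v, char *out, size_t outlen)
{
    const char *name = NULL;

    if (outlen == 0)
        return 0;
    out[0] = '\0';

    if (v->major == 6 && v->minor == 0)
        name = v->is_workstation ? "Microsoft Windows Vista"
                                 : "Microsoft Windows Server 2008";
    else if (v->major == 6 && v->minor == 1)
        name = v->is_workstation ? "Microsoft Windows 7"
                                 : "Microsoft Windows Server 2008 R2";

    if (name == NULL)
        return 0;                      /* 6.2 lands here: name stays empty */

    snprintf(out, outlen, "%s [Ver: %u.%u.%u]",
             name, v->major, v->minor, v->build);
    return 1;
}

/* Table-driven variant: adding a release is one row, and an unknown
 * version still produces a string that starts with "Microsoft Windows". */
struct ver_row {
    unsigned major, minor;
    const char *client;
    const char *server;
};

static const struct ver_row KNOWN[] = {
    {6, 0, "Microsoft Windows Vista", "Microsoft Windows Server 2008"},
    {6, 1, "Microsoft Windows 7",     "Microsoft Windows Server 2008 R2"},
    {6, 2, "Microsoft Windows 8",     "Microsoft Windows Server 2012"},
};

/* Returns 1 when the version was recognised, 0 when the fallback was used. */
int win_version_name(const struct win_ver *v, char *out, size_t outlen)
{
    size_t i;

    if (outlen == 0)
        return 0;

    for (i = 0; i < sizeof(KNOWN) / sizeof(KNOWN[0]); i++) {
        if (KNOWN[i].major == v->major && KNOWN[i].minor == v->minor) {
            snprintf(out, outlen, "%s [Ver: %u.%u.%u]",
                     v->is_workstation ? KNOWN[i].client : KNOWN[i].server,
                     v->major, v->minor, v->build);
            return 1;
        }
    }

    /* Fallback: never leave the OS string empty for an unknown release. */
    snprintf(out, outlen, "Microsoft Windows (unrecognised) [Ver: %u.%u.%u]",
             v->major, v->minor, v->build);
    return 0;
}

int main(void)
{
    /* Version reported in the thread: 6.2.9200, a server edition. */
    struct win_ver s2012 = {6, 2, 9200, 0};
    char buf[128];

    legacy_version_name(&s2012, buf, sizeof(buf));
    printf("legacy:  '%s'\n", buf);

    win_version_name(&s2012, buf, sizeof(buf));
    printf("table:   '%s'\n", buf);
    return 0;
}
```

Applications without a compatibility manifest also get 6.2 from GetVersionEx on Windows 8.1 and later, so the fallback row matters even after new table entries are added.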
Re: [ossec-list] Cannot get agent profile working on windows (2nd try)
Sorry to resurrect an old thread, but is there any update to this? I'm just moving towards a centralised config, and experiencing this issue. Referencing by OS or name works, but by config-profile doesn't on Windows. I've also tried the 2.7.1 beta agent, and seeing the same issue.

I don't know if it's relevant, but I'm seeing entries like this in the agent logs if I enable debug logging:

2013/09/25 12:40:07 Read agent config profile name [(null)]
2013/09/25 12:40:07 [dhcp] did not match agent config profile name [(null)]
2013/09/25 12:40:07 Read agent config profile name [(null)]
2013/09/25 12:40:07 [dns] did not match agent config profile name [(null)]

Thanks

On Tuesday, March 5, 2013 11:19:31 PM UTC, dan (ddpbsd) wrote:
On Tue, Mar 5, 2013 at 12:49 AM, Андрей Шевченко dioer...@gmail.com wrote:

Is it possible to add this functionality in a future version of ossec-agent for win?

Definitely.

On Wednesday, February 27, 2013, 10:11:21 UTC+6, Андрей Шевченко wrote:

It looks like this feature was not included in the ossec-hids/src/win32/
I have not found any changes in the win32 sources.

On Wednesday, February 27, 2013, 2:01:56 UTC+6, dan (ddpbsd) wrote:
On Thu, Feb 21, 2013 at 6:38 AM, Андрей Шевченко dioer...@gmail.com wrote:

I tried to add a bad option and I see that it is not being picked up... Like in my example, I don't see anything related to options in specific agent profile.

You could check the code repository to see if the commits enabling this functionality for unixy systems also enabled it for Windows.

On Tuesday, February 19, 2013, 23:15:44 UTC+6, dan (ddpbsd) wrote:
On Mon, Feb 18, 2013 at 6:23 AM, Андрей Шевченко dioer...@gmail.com wrote:

ossec.conf (agent test_PC):

<ossec_config>
  <client>
    <config-profile>test1</config-profile>
    <server-ip>1.1.1.1</server-ip>
  </client>
  <active-response>
    <disabled>no</disabled>
  </active-response>
</ossec_config>

agent.conf (server):

<agent_config name="test_PC">
  <syscheck>
    <directories check_all="yes">D:/</directories>
  </syscheck>
</agent_config>
<agent_config profile="test1">
  <syscheck>
    <directories check_all="yes">F:/</directories>
  </syscheck>
</agent_config>
<agent_config os="Windows">
  <syscheck>
    <directories check_all="yes">C:/</directories>
  </syscheck>
</agent_config>

ossec.log (agent):

2013/02/18 15:41:34 ossec-agent: INFO: Monitoring directory: 'D:/'.
2013/02/18 15:41:34 ossec-agent: INFO: Monitoring directory: 'C:/'.

Disk F is not monitored.
Equal configuration for agent under FreeBSD works fine.

--

You could add a bad option under that profile to see if it's being picked up, like monitoring a syslog file that doesn't actually exist. Other than that, I'd try something like:

<agent_config profile="test1">
  <syscheck>
    <directories check_all="yes">F:\.</directories> <!-- Notice the . -->
  </syscheck>
</agent_config>

I can't test this at the moment, so I don't know for sure that it will work.
Re: [ossec-list] Cannot get agent profile working on windows (2nd try)
An update to this. It appears that on Windows Server 2012 agent.conf doesn't work with OS either. I get this in the log files, and it's not monitoring anything:

2013/09/25 13:16:49 ossec-agent(1702): INFO: No directory provided for syscheck to monitor.
2013/09/25 13:16:49 ossec-agent: WARN: Syscheck disabled.

Thanks

On Wednesday, September 25, 2013 12:41:31 PM UTC+1, Chris H wrote:
> Sorry to resurrect an old thread, but is there any update to this? I'm just moving towards a centralised config, and experiencing this issue. Referencing by OS or name works, but by config-profile doesn't on Windows. I've also tried the 2.7.1 beta agent, and am seeing the same issue.
>
> I don't know if it's relevant, but I'm seeing entries like this in the agent logs if I enable debug logging:
>
> 2013/09/25 12:40:07 Read agent config profile name [(null)]
> 2013/09/25 12:40:07 [dhcp] did not match agent config profile name [(null)]
> 2013/09/25 12:40:07 Read agent config profile name [(null)]
> 2013/09/25 12:40:07 [dns] did not match agent config profile name [(null)]
>
> Thanks
>
> On Tuesday, March 5, 2013 11:19:31 PM UTC, dan (ddpbsd) wrote:
>> On Tue, Mar 5, 2013 at 12:49 AM, Андрей Шевченко dioer...@gmail.com wrote:
>>> Is it possible to add this functionality in a future version of ossec-agent for win?
>> Definitely.
>>> On Wednesday, February 27, 2013, 10:11:21 UTC+6, Андрей Шевченко wrote:
>>>> It looks like this feature was not included in the ossec-hids/src/win32/. I have not found any changes in the win32 sources.
>>>> On Wednesday, February 27, 2013, 2:01:56 UTC+6, dan (ddpbsd) wrote:
>>>>> On Thu, Feb 21, 2013 at 6:38 AM, Андрей Шевченко dioer...@gmail.com wrote:
>>>>>> I tried to add a bad option and I see that it is not being picked up... Like in my example, I don't see anything related to options in specific agent profile.
>>>>> You could check the code repository to see if the commits enabling this functionality for unixy systems also enabled it for Windows.
>>>>>> On Tuesday, February 19, 2013, 23:15:44 UTC+6, dan (ddpbsd) wrote:
>>>>>>> On Mon, Feb 18, 2013 at 6:23 AM, Андрей Шевченко dioer...@gmail.com wrote:
>>>>>>>> ossec.conf (agent test_PC):
>>>>>>>> <ossec_config>
>>>>>>>>   <client>
>>>>>>>>     <config-profile>test1</config-profile>
>>>>>>>>     <server-ip>1.1.1.1</server-ip>
>>>>>>>>   </client>
>>>>>>>>   <active-response><disabled>no</disabled></active-response>
>>>>>>>> </ossec_config>
>>>>>>>> agent.conf (server):
>>>>>>>> <agent_config name="test_PC">
>>>>>>>>   <syscheck><directories check_all="yes">D:/</directories></syscheck>
>>>>>>>> </agent_config>
>>>>>>>> <agent_config profile="test1">
>>>>>>>>   <syscheck><directories check_all="yes">F:/</directories></syscheck>
>>>>>>>> </agent_config>
>>>>>>>> <agent_config os="Windows">
>>>>>>>>   <syscheck><directories check_all="yes">C:/</directories></syscheck>
>>>>>>>> </agent_config>
>>>>>>>> ossec.log (agent):
>>>>>>>> 2013/02/18 15:41:34 ossec-agent: INFO: Monitoring directory: 'D:/'.
>>>>>>>> 2013/02/18 15:41:34 ossec-agent: INFO: Monitoring directory: 'C:/'.
>>>>>>>> Disk F is not monitored. Equal configuration for agent under FreeBSD works fine.
>>>>>>> You could add a bad option under that profile to see if it's being picked up, like monitoring a syslog file that doesn't actually exist. Other than that, I'd try something like:
>>>>>>> <agent_config profile="test1">
>>>>>>>   <syscheck>
>>>>>>>     <directories check_all="yes">F:\.</directories> <!-- Notice the . -->
>>>>>>>   </syscheck>
>>>>>>> </agent_config>
>>>>>>> I can't test this at the moment, so I don't know for sure that it will work.
Re: [ossec-list] Cannot get agent profile working on windows (2nd try)
On Tue, Mar 5, 2013 at 12:49 AM, Андрей Шевченко dioeracl...@gmail.com wrote:
> Is it possible to add this functionality in a future version of ossec-agent for win?

Definitely.

> On Wednesday, February 27, 2013, 10:11:21 UTC+6, Андрей Шевченко wrote:
>> It looks like this feature was not included in the ossec-hids/src/win32/. I have not found any changes in the win32 sources.
>> On Wednesday, February 27, 2013, 2:01:56 UTC+6, dan (ddpbsd) wrote:
>>> On Thu, Feb 21, 2013 at 6:38 AM, Андрей Шевченко dioer...@gmail.com wrote:
>>>> I tried to add a bad option and I see that it is not being picked up... Like in my example, I don't see anything related to options in specific agent profile.
>>> You could check the code repository to see if the commits enabling this functionality for unixy systems also enabled it for Windows.
>>>> On Tuesday, February 19, 2013, 23:15:44 UTC+6, dan (ddpbsd) wrote:
>>>>> On Mon, Feb 18, 2013 at 6:23 AM, Андрей Шевченко dioer...@gmail.com wrote:
>>>>>> ossec.conf (agent test_PC):
>>>>>> <ossec_config>
>>>>>>   <client>
>>>>>>     <config-profile>test1</config-profile>
>>>>>>     <server-ip>1.1.1.1</server-ip>
>>>>>>   </client>
>>>>>>   <active-response><disabled>no</disabled></active-response>
>>>>>> </ossec_config>
>>>>>> agent.conf (server):
>>>>>> <agent_config name="test_PC">
>>>>>>   <syscheck><directories check_all="yes">D:/</directories></syscheck>
>>>>>> </agent_config>
>>>>>> <agent_config profile="test1">
>>>>>>   <syscheck><directories check_all="yes">F:/</directories></syscheck>
>>>>>> </agent_config>
>>>>>> <agent_config os="Windows">
>>>>>>   <syscheck><directories check_all="yes">C:/</directories></syscheck>
>>>>>> </agent_config>
>>>>>> ossec.log (agent):
>>>>>> 2013/02/18 15:41:34 ossec-agent: INFO: Monitoring directory: 'D:/'.
>>>>>> 2013/02/18 15:41:34 ossec-agent: INFO: Monitoring directory: 'C:/'.
>>>>>> Disk F is not monitored. Equal configuration for agent under FreeBSD works fine.
>>>>> You could add a bad option under that profile to see if it's being picked up, like monitoring a syslog file that doesn't actually exist. Other than that, I'd try something like:
>>>>> <agent_config profile="test1">
>>>>>   <syscheck>
>>>>>     <directories check_all="yes">F:\.</directories> <!-- Notice the . -->
>>>>>   </syscheck>
>>>>> </agent_config>
>>>>> I can't test this at the moment, so I don't know for sure that it will work.
Re: [ossec-list] Cannot get agent profile working on windows (2nd try)
Is it possible to add this functionality in a future version of ossec-agent for win?

On Wednesday, February 27, 2013, 10:11:21 UTC+6, Андрей Шевченко wrote:
> It looks like this feature was not included in the ossec-hids/src/win32/. I have not found any changes in the win32 sources.
> On Wednesday, February 27, 2013, 2:01:56 UTC+6, dan (ddpbsd) wrote:
>> On Thu, Feb 21, 2013 at 6:38 AM, Андрей Шевченко dioer...@gmail.com wrote:
>>> I tried to add a bad option and I see that it is not being picked up... Like in my example, I don't see anything related to options in specific agent profile.
>> You could check the code repository to see if the commits enabling this functionality for unixy systems also enabled it for Windows.
>>> On Tuesday, February 19, 2013, 23:15:44 UTC+6, dan (ddpbsd) wrote:
>>>> On Mon, Feb 18, 2013 at 6:23 AM, Андрей Шевченко dioer...@gmail.com wrote:
>>>>> ossec.conf (agent test_PC):
>>>>> <ossec_config>
>>>>>   <client>
>>>>>     <config-profile>test1</config-profile>
>>>>>     <server-ip>1.1.1.1</server-ip>
>>>>>   </client>
>>>>>   <active-response><disabled>no</disabled></active-response>
>>>>> </ossec_config>
>>>>> agent.conf (server):
>>>>> <agent_config name="test_PC">
>>>>>   <syscheck><directories check_all="yes">D:/</directories></syscheck>
>>>>> </agent_config>
>>>>> <agent_config profile="test1">
>>>>>   <syscheck><directories check_all="yes">F:/</directories></syscheck>
>>>>> </agent_config>
>>>>> <agent_config os="Windows">
>>>>>   <syscheck><directories check_all="yes">C:/</directories></syscheck>
>>>>> </agent_config>
>>>>> ossec.log (agent):
>>>>> 2013/02/18 15:41:34 ossec-agent: INFO: Monitoring directory: 'D:/'.
>>>>> 2013/02/18 15:41:34 ossec-agent: INFO: Monitoring directory: 'C:/'.
>>>>> Disk F is not monitored. Equal configuration for agent under FreeBSD works fine.
>>>> You could add a bad option under that profile to see if it's being picked up, like monitoring a syslog file that doesn't actually exist. Other than that, I'd try something like:
>>>> <agent_config profile="test1">
>>>>   <syscheck>
>>>>     <directories check_all="yes">F:\.</directories> <!-- Notice the . -->
>>>>   </syscheck>
>>>> </agent_config>
>>>> I can't test this at the moment, so I don't know for sure that it will work.
Re: [ossec-list] Cannot get agent profile working on windows (2nd try)
On Thu, Feb 21, 2013 at 6:38 AM, Андрей Шевченко dioeracl...@gmail.com wrote:
> I tried to add a bad option and I see that it is not being picked up... Like in my example, I don't see anything related to options in specific agent profile.

You could check the code repository to see if the commits enabling this functionality for unixy systems also enabled it for Windows.

> On Tuesday, February 19, 2013, 23:15:44 UTC+6, dan (ddpbsd) wrote:
>> On Mon, Feb 18, 2013 at 6:23 AM, Андрей Шевченко dioer...@gmail.com wrote:
>>> ossec.conf (agent test_PC):
>>> <ossec_config>
>>>   <client>
>>>     <config-profile>test1</config-profile>
>>>     <server-ip>1.1.1.1</server-ip>
>>>   </client>
>>>   <active-response><disabled>no</disabled></active-response>
>>> </ossec_config>
>>> agent.conf (server):
>>> <agent_config name="test_PC">
>>>   <syscheck><directories check_all="yes">D:/</directories></syscheck>
>>> </agent_config>
>>> <agent_config profile="test1">
>>>   <syscheck><directories check_all="yes">F:/</directories></syscheck>
>>> </agent_config>
>>> <agent_config os="Windows">
>>>   <syscheck><directories check_all="yes">C:/</directories></syscheck>
>>> </agent_config>
>>> ossec.log (agent):
>>> 2013/02/18 15:41:34 ossec-agent: INFO: Monitoring directory: 'D:/'.
>>> 2013/02/18 15:41:34 ossec-agent: INFO: Monitoring directory: 'C:/'.
>>> Disk F is not monitored. Equal configuration for agent under FreeBSD works fine.
>> You could add a bad option under that profile to see if it's being picked up, like monitoring a syslog file that doesn't actually exist. Other than that, I'd try something like:
>> <agent_config profile="test1">
>>   <syscheck>
>>     <directories check_all="yes">F:\.</directories> <!-- Notice the . -->
>>   </syscheck>
>> </agent_config>
>> I can't test this at the moment, so I don't know for sure that it will work.
Re: [ossec-list] Cannot get agent profile working on windows (2nd try)
It looks like this feature was not included in the ossec-hids/src/win32/. I have not found any changes in the win32 sources.

On Wednesday, February 27, 2013, 2:01:56 UTC+6, dan (ddpbsd) wrote:
> On Thu, Feb 21, 2013 at 6:38 AM, Андрей Шевченко dioer...@gmail.com wrote:
>> I tried to add a bad option and I see that it is not being picked up... Like in my example, I don't see anything related to options in specific agent profile.
> You could check the code repository to see if the commits enabling this functionality for unixy systems also enabled it for Windows.
>> On Tuesday, February 19, 2013, 23:15:44 UTC+6, dan (ddpbsd) wrote:
>>> On Mon, Feb 18, 2013 at 6:23 AM, Андрей Шевченко dioer...@gmail.com wrote:
>>>> ossec.conf (agent test_PC):
>>>> <ossec_config>
>>>>   <client>
>>>>     <config-profile>test1</config-profile>
>>>>     <server-ip>1.1.1.1</server-ip>
>>>>   </client>
>>>>   <active-response><disabled>no</disabled></active-response>
>>>> </ossec_config>
>>>> agent.conf (server):
>>>> <agent_config name="test_PC">
>>>>   <syscheck><directories check_all="yes">D:/</directories></syscheck>
>>>> </agent_config>
>>>> <agent_config profile="test1">
>>>>   <syscheck><directories check_all="yes">F:/</directories></syscheck>
>>>> </agent_config>
>>>> <agent_config os="Windows">
>>>>   <syscheck><directories check_all="yes">C:/</directories></syscheck>
>>>> </agent_config>
>>>> ossec.log (agent):
>>>> 2013/02/18 15:41:34 ossec-agent: INFO: Monitoring directory: 'D:/'.
>>>> 2013/02/18 15:41:34 ossec-agent: INFO: Monitoring directory: 'C:/'.
>>>> Disk F is not monitored. Equal configuration for agent under FreeBSD works fine.
>>> You could add a bad option under that profile to see if it's being picked up, like monitoring a syslog file that doesn't actually exist. Other than that, I'd try something like:
>>> <agent_config profile="test1">
>>>   <syscheck>
>>>     <directories check_all="yes">F:\.</directories> <!-- Notice the . -->
>>>   </syscheck>
>>> </agent_config>
>>> I can't test this at the moment, so I don't know for sure that it will work.
Re: [ossec-list] Cannot get agent profile working on windows (2nd try)
I tried to add a bad option and I see that it is not being picked up... Like in my example, I don't see anything related to options in specific agent profile.

On Tuesday, February 19, 2013, 23:15:44 UTC+6, dan (ddpbsd) wrote:
> On Mon, Feb 18, 2013 at 6:23 AM, Андрей Шевченко dioer...@gmail.com wrote:
>> ossec.conf (agent test_PC):
>> <ossec_config>
>>   <client>
>>     <config-profile>test1</config-profile>
>>     <server-ip>1.1.1.1</server-ip>
>>   </client>
>>   <active-response><disabled>no</disabled></active-response>
>> </ossec_config>
>> agent.conf (server):
>> <agent_config name="test_PC">
>>   <syscheck><directories check_all="yes">D:/</directories></syscheck>
>> </agent_config>
>> <agent_config profile="test1">
>>   <syscheck><directories check_all="yes">F:/</directories></syscheck>
>> </agent_config>
>> <agent_config os="Windows">
>>   <syscheck><directories check_all="yes">C:/</directories></syscheck>
>> </agent_config>
>> ossec.log (agent):
>> 2013/02/18 15:41:34 ossec-agent: INFO: Monitoring directory: 'D:/'.
>> 2013/02/18 15:41:34 ossec-agent: INFO: Monitoring directory: 'C:/'.
>> Disk F is not monitored. Equal configuration for agent under FreeBSD works fine.
> You could add a bad option under that profile to see if it's being picked up, like monitoring a syslog file that doesn't actually exist. Other than that, I'd try something like:
> <agent_config profile="test1">
>   <syscheck>
>     <directories check_all="yes">F:\.</directories> <!-- Notice the . -->
>   </syscheck>
> </agent_config>
> I can't test this at the moment, so I don't know for sure that it will work.
Re: [ossec-list] Cannot get agent profile working on windows (2nd try)
On Mon, Feb 18, 2013 at 6:23 AM, Андрей Шевченко dioeracl...@gmail.com wrote:
> ossec.conf (agent test_PC):
> <ossec_config>
>   <client>
>     <config-profile>test1</config-profile>
>     <server-ip>1.1.1.1</server-ip>
>   </client>
>   <active-response><disabled>no</disabled></active-response>
> </ossec_config>
> agent.conf (server):
> <agent_config name="test_PC">
>   <syscheck><directories check_all="yes">D:/</directories></syscheck>
> </agent_config>
> <agent_config profile="test1">
>   <syscheck><directories check_all="yes">F:/</directories></syscheck>
> </agent_config>
> <agent_config os="Windows">
>   <syscheck><directories check_all="yes">C:/</directories></syscheck>
> </agent_config>
> ossec.log (agent):
> 2013/02/18 15:41:34 ossec-agent: INFO: Monitoring directory: 'D:/'.
> 2013/02/18 15:41:34 ossec-agent: INFO: Monitoring directory: 'C:/'.
> Disk F is not monitored. Equal configuration for agent under FreeBSD works fine.

You could add a bad option under that profile to see if it's being picked up, like monitoring a syslog file that doesn't actually exist. Other than that, I'd try something like:

<agent_config profile="test1">
  <syscheck>
    <directories check_all="yes">F:\.</directories> <!-- Notice the . -->
  </syscheck>
</agent_config>

I can't test this at the moment, so I don't know for sure that it will work.
[ossec-list] Cannot get agent profile working on windows (2nd try)
ossec.conf (agent test_PC):

<ossec_config>
  <client>
    <config-profile>test1</config-profile>
    <server-ip>1.1.1.1</server-ip>
  </client>
  <active-response><disabled>no</disabled></active-response>
</ossec_config>

agent.conf (server):

<agent_config name="test_PC">
  <syscheck><directories check_all="yes">D:/</directories></syscheck>
</agent_config>
<agent_config profile="test1">
  <syscheck><directories check_all="yes">F:/</directories></syscheck>
</agent_config>
<agent_config os="Windows">
  <syscheck><directories check_all="yes">C:/</directories></syscheck>
</agent_config>

ossec.log (agent):

2013/02/18 15:41:34 ossec-agent: INFO: Monitoring directory: 'D:/'.
2013/02/18 15:41:34 ossec-agent: INFO: Monitoring directory: 'C:/'.

Disk F is not monitored. Equal configuration for agent under FreeBSD works fine.
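
The behaviour reported in this thread, as an added example (not OSSEC's code and not written by anyone on the list): a simplified Python model of how the `agent_config` blocks in the original post resolve to syscheck directories, so the file-integrity coverage gap becomes visible. The matching rules (exact name, substring OS match, comma-separated profile list), the function names and the OS string are assumptions; passing `None` as the profile models the `[(null)]` shown in the Windows debug log.

```python
import xml.etree.ElementTree as ET

# agent.conf from the original post, with the markup restored (constructed sample).
AGENT_CONF = """
<agent_config name="test_PC">
  <syscheck><directories check_all="yes">D:/</directories></syscheck>
</agent_config>
<agent_config profile="test1">
  <syscheck><directories check_all="yes">F:/</directories></syscheck>
</agent_config>
<agent_config os="Windows">
  <syscheck><directories check_all="yes">C:/</directories></syscheck>
</agent_config>
"""


def selector_mismatch(attrs, name, os_string, profiles):
    """Return the first selector that rejects this block, or None if it applies.

    Simplified model (assumption): name is compared exactly, os is a
    case-insensitive substring test, profile must be one of the agent's profiles.
    """
    if "name" in attrs and attrs["name"] != name:
        return "name=" + attrs["name"]
    if "os" in attrs and attrs["os"].lower() not in (os_string or "").lower():
        return "os=" + attrs["os"]
    if "profile" in attrs and attrs["profile"] not in profiles:
        return "profile=" + attrs["profile"]
    return None


def effective_directories(conf_text, name, os_string, config_profile):
    """Resolve which syscheck directories an agent ends up with.

    config_profile is the <config-profile> value the agent actually read;
    None models the "[(null)]" seen in the Windows debug log.
    """
    # agent.conf holds several top-level elements, so wrap them for the parser.
    root = ET.fromstring("<root>" + conf_text + "</root>")
    profiles = [p.strip() for p in (config_profile or "").split(",") if p.strip()]
    monitored, skipped = [], []
    for block in root.findall("agent_config"):
        dirs = [d.strip()
                for el in block.iter("directories")
                for d in (el.text or "").split(",") if d.strip()]
        rejected_by = selector_mismatch(block.attrib, name, os_string, profiles)
        if rejected_by is None:
            monitored.extend(dirs)
        else:
            skipped.append((rejected_by, dirs))
    return {"monitored": monitored, "skipped": skipped}


if __name__ == "__main__":
    os_string = "Microsoft Windows 7"  # constructed sample value
    for profile in (None, "test1"):
        result = effective_directories(AGENT_CONF, "test_PC", os_string, profile)
        print("config-profile=%r" % profile)
        print("  monitored:", result["monitored"])
        for selector, dirs in result["skipped"]:
            print("  SKIPPED block %s -> %s is not monitored" % (selector, dirs))
```

With the profile unread, the model yields the same two directories as the ossec.log excerpt and lists `F:/` as skipped, which is the gap the agent log shows only by omission.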