List: ossec-list
Subject: Re: [ossec-list] Cannot get agent profile working on windows (2nd try)
From: Chris H <chris.hembrow () gmail ! com>
Date: 2013-09-27 14:39:38
Message-ID: 156f92d4-75da-4b58-b135-4854df50abad () googlegroups ! com
On Thursday, September 26, 2013 5:25:10 PM UTC+1, Chris H wrote:
>
>
>
> On Thursday, September 26, 2013 3:49:39 PM UTC+1, dan (ddpbsd) wrote:
> >
> > On Thu, Sep 26, 2013 at 10:29 AM, Chris H <chris....@gmail.com> wrote:
> > >
> > >
> > > On Thursday, September 26, 2013 2:59:08 PM UTC+1, dan (ddpbsd) wrote:
> > > >
> > > > On Wed, Sep 25, 2013 at 8:18 AM, Chris H <chris....@gmail.com> wrote:
> > > > > An update to this. It appears that on Windows Server 2012 it agent.conf
> > > > > doesn't work with OS either. I get this in the log files, and it's not
> > > > > monitoring anything:
> > > > >
> > > > > 2013/09/25 13:16:49 ossec-agent(1702): INFO: No directory provided for syscheck to monitor.
> > > > > 2013/09/25 13:16:49 ossec-agent: WARN: Syscheck disabled.
> > > > >
> > > > > Thanks
> > > > >
> > > >
> > > >
> > > > Look to see how OSSEC gets the OS information, and find out what 2012
> > > > gives. With that info we might be able to get it working.
> > >
> > >
> > > Thanks Dan. I presume I'm looking for something in the logs? I've enabled
> > > debug, but not seeing anything:
> > >
> >
> > You'd have to look in the code.
> >
>
> Took a while to find the code :)
> OK, I've not done much C dev, and not for a long time, but I think it uses
> GetVersionEx. It identifies first based on major version; Vista and onwards
> are v6. Then it checks for minor version but only 0 or 1. 2012, and
> presumably Win8, return minor version 2; mine shows a Version of 6.2.9200,
> and a Name of "Microsoft Windows Server 2012 Standard".
>
> Also, the code to read the agent profile seems to be in there, but I'm not
> sure why it's failing and showing the profile as NULL. I'll try and add
> some more debug code.
>
OK, not sure whether it's me, or I've got a funny version of the code, but
I can't get it to compile either under Fedora or on Windows with mingw :(
>
> Thanks
>
>
> >
> > > 2013/09/26 15:24:07 ossec-agent: DEBUG: Reading agent configuration.
> > > 2013/09/26 15:24:07 ossec-agent Using notify time: 600 and max time to reconnect: 1800
> > > 2013/09/26 15:24:07 ossec-agent: DEBUG: Reading logcollector configuration.
> > > 2013/09/26 15:24:07 ossec-agent: calling os_read_agent_profile().
> > > 2013/09/26 15:24:07 ossec-agent: os_read_agent_profile() = [(null)]
> > > 2013/09/26 15:24:07 Read agent config profile name [(null)]
> > > 2013/09/26 15:24:07 [sftp] did not match agent config profile name [(null)]
> > > 2013/09/26 15:24:07 ossec-agent: calling os_read_agent_profile().
> > > 2013/09/26 15:24:07 ossec-agent: os_read_agent_profile() = [(null)]
> > > 2013/09/26 15:24:07 Read agent config profile name [(null)]
> > > 2013/09/26 15:24:07 [dc] did not match agent config profile name [(null)]
> > > 2013/09/26 15:24:07 ossec-agent: calling os_read_agent_profile().
> > > 2013/09/26 15:24:07 ossec-agent: os_read_agent_profile() = [(null)]
> > > 2013/09/26 15:24:07 Read agent config profile name [(null)]
> > > 2013/09/26 15:24:07 [dhcp] did not match agent config profile name [(null)]
> > > 2013/09/26 15:24:07 ossec-agent: calling os_read_agent_profile().
> > > 2013/09/26 15:24:07 ossec-agent: os_read_agent_profile() = [(null)]
> > > 2013/09/26 15:24:07 Read agent config profile name [(null)]
> > > 2013/09/26 15:24:07 [dns] did not match agent config profile name [(null)]
> > > 2013/09/26 15:24:07 ossec-agent: calling os_read_agent_name().
> > > 2013/09/26 15:24:07 ossec-agent: os_read_agent_name returned (W-DC-01
> > > ).
> > > 2013/09/26 15:24:07 ossec-agent: calling os_read_agent_name().
> > > 2013/09/26 15:24:07 ossec-agent: os_read_agent_name returned (W-DC-01
> > > ).
> > > 2013/09/26 15:24:07 ossec-execd: INFO: Started (pid: 4100).
> > >
> > > Thanks.
> > >
> > > >
> > > > >
> > > > > On Wednesday, September 25, 2013 12:41:31 PM UTC+1, Chris H wrote:
> > > > > >
> > > > > > > Sorry to resurrect an old thread, but is there any update to this? I'm
> > > > > > > just moving towards a centralised config, and experiencing this issue.
> > > > > > > referencing by OS or name, works, but by config-profile doesn't on
> > > > > > > Windows.
> > > > > > > I've also tried the 2.7.1 beta agent, and seeing the same issue.
> > > > > > >
> > > > > > > I don't know if it's relevant, but I'm seeing entries like this in the
> > > > > > > agent logs if I enable debug logging:
> > > > > > >
> > > > > > > 2013/09/25 12:40:07 Read agent config profile name [(null)]
> > > > > > > 2013/09/25 12:40:07 [dhcp] did not match agent config profile name [(null)]
> > > > > > >
> > > > > > > 2013/09/25 12:40:07 Read agent config profile name [(null)]
> > > > > > > 2013/09/25 12:40:07 [dns] did not match agent config profile name [(null)]
> > > > > >
> > > > > > Thanks
> > > > > >
> > > > > >
> > > > > > On Tuesday, March 5, 2013 11:19:31 PM UTC, dan (ddpbsd) wrote:
> > > > > > >
> > > > > > > > On Tue, Mar 5, 2013 at 12:49 AM, Андрей Шевченко <dioer...@gmail.com> wrote:
> > > > > > > > > Is it possible to add this functionality in a future version of
> > > > > > > > > ossec-agent for win?
> > > > > > > >
> > > > > > >
> > > > > > > Definitely.
> > > > > > >
> > > > > > > >
> > > > > > > > > On Wednesday, February 27, 2013, 10:11:21 UTC+6, Андрей Шевченко wrote:
> > > > > > > > >
> > > > > > > > > It looks like this feature was not included in the
> > > > > > > > > ossec-hids/src/win32/
> > > > > > > > > I have not found any changes in the win32 sources.
> > > > > > > > >
> > > > > > > > > > On Wednesday, February 27, 2013, 2:01:56 UTC+6, dan (ddpbsd) wrote:
> > > > > > > > > >
> > > > > > > > > > > On Thu, Feb 21, 2013 at 6:38 AM, Андрей Шевченко <dioer...@gmail.com> wrote:
> > > > > > > > > > > > I tried to add a bad option and I see that it is not being picked up...
> > > > > > > > > > > > Like in my example, I don't see anything related to options in specific
> > > > > > > > > > > > agent profile.
> > > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > > You could check the code repository to see if the commits enabling
> > > > > > > > > > > this functionality for unixy systems also enabled it for Windows.
> > > > > > > > > >
> > > > > > > > > > > > On Tuesday, February 19, 2013, 23:15:44 UTC+6, dan (ddpbsd) wrote:
> > > > > > > > > > > > >
> > > > > > > > > > > > > On Mon, Feb 18, 2013 at 6:23 AM, Андрей Шевченко <dioer...@gmail.com> wrote:
> > > > > > > > > > > > > > ossec.conf (agent test_PC):
> > > > > > > > > > > > >
> > > > > > > > > > > > > > > <ossec_config>
> > > > > > > > > > > > > > >   <client>
> > > > > > > > > > > > > > >     <config-profile>test1</config-profile>
> > > > > > > > > > > > > > >     <server-ip>1.1.1.1</server-ip>
> > > > > > > > > > > > > > >   </client>
> > > > > > > > > > > > > > >   <active-response>
> > > > > > > > > > > > > > >     <disabled>no</disabled>
> > > > > > > > > > > > > > >   </active-response>
> > > > > > > > > > > > > > > </ossec_config>
> > > > > > > > > > > > >
> > > > > > > > > > > > >
> > > > > > > > > > > > >
> > > > > > > > > > > > > agent.conf(server):
> > > > > > > > > > > > >
> > > > > > > > > > > > > > > <agent_config name="test_PC">
> > > > > > > > > > > > > > >   <syscheck>
> > > > > > > > > > > > > > >     <directories check_all="yes">D:/</directories>
> > > > > > > > > > > > > > >   </syscheck>
> > > > > > > > > > > > > > > </agent_config>
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > <agent_config profile="test1">
> > > > > > > > > > > > > > >   <syscheck>
> > > > > > > > > > > > > > >     <directories check_all="yes">F:/</directories>
> > > > > > > > > > > > > > >   </syscheck>
> > > > > > > > > > > > > > > </agent_config>
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > <agent_config os="Windows">
> > > > > > > > > > > > > > >   <syscheck>
> > > > > > > > > > > > > > >     <directories check_all="yes">C:/</directories>
> > > > > > > > > > > > > > >   </syscheck>
> > > > > > > > > > > > > > > </agent_config>
> > > > > > > > > > > > >
> > > > > > > > > > > > >
> > > > > > > > > > > > > ossec.log(agent):
> > > > > > > > > > > > >
> > > > > > > > > > > > > > 2013/02/18 15:41:34 ossec-agent: INFO: Monitoring
> > directory:
> > > > > > > > > > > > > > 'D:/'.
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > 2013/02/18 15:41:34 ossec-agent: INFO: Monitoring
> > directory:
> > > > > > > > > > > > > > 'C:/'.
> > > > > > > > > > > > >
> > > > > > > > > > > > >
> > > > > > > > > > > > > Disk F is not monitored.
> > > > > > > > > > > > >
> > > > > > > > > > > > > Equal configuration for agent under FreeBSD works fine.
> > > > > > > > > > > > >
> > > > > > > > > > > > > --
> > > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > > > You could add a bad option under that profile to see if it's being
> > > > > > > > > > > > > picked up, like monitoring a syslog file that doesn't actually exist.
> > > > > > > > > > > >
> > > > > > > > > > > > Other than that, I'd try something like:
> > > > > > > > > > > >
> > > > > > > > > > > > > <agent_config profile="test1">
> > > > > > > > > > > > >   <syscheck>
> > > > > > > > > > > > >     <directories check_all="yes">F:\.</directories> <!-- Notice the "." -->
> > > > > > > > > > > > >   </syscheck>
> > > > > > > > > > > > > </agent_config>
> > > > > > > > > > > >
> > > > > > > > > > > > > I can't test this at the moment, so I don't know for sure that it
> > > > > > > > > > > > > will work.
> > > > > > > > > > > >
> > > > > > > > > > > > > ---
> > > > > > > > > > > > > You received this message because you are subscribed to
> > the
> > > > > > > > > > > > > Google
> > > > > > > > > > > > > Groups
> > > > > > > > > > > > > "ossec-list" group.
> > > > > > > > > > > > > To unsubscribe from this group and stop receiving emails
> > from
> > > > > > > > > > > > > it,
> > > > > > > > > > > > > send
> > > > > > > > > > > > > an
> > > > > > > > > > > > > email to ossec-list+...@googlegroups.com.
> > > > > > > > > > > > > For more options, visit
> > > > > > > > > > > > > https://groups.google.com/groups/opt_out.
> > > > > > > > > > > > >
> > > > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > --
> > > > > > > > > > >
> > > > > > > > > > > ---
> > > > > > > > > > > You received this message because you are subscribed to the
> > > > > > > > > > > Google
> > > > > > > > > > > Groups
> > > > > > > > > > > "ossec-list" group.
> > > > > > > > > > > To unsubscribe from this group and stop receiving emails
> > from
> > > > > > > > > > > it,
> > > > > > > > > > > send
> > > > > > > > > > > an
> > > > > > > > > > > email to ossec-list+...@googlegroups.com.
> > > > > > > > > > > For more options, visit
> > > > > > > > > > > https://groups.google.com/groups/opt_out.
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > >
> > > > > > > > --
> > > > > > > >
> > > > > > > > ---
> > > > > > > > You received this message because you are subscribed to the
> > Google
> > > > > > > > Groups
> > > > > > > > "ossec-list" group.
> > > > > > > > To unsubscribe from this group and stop receiving emails from
> > it,
> > > > > > > > send
> > > > > > > > an
> > > > > > > > email to ossec-list+...@googlegroups.com.
> > > > > > > > For more options, visit https://groups.google.com/groups/opt_out.
> >
> > > > > > > >
> > > > > > > >
> > > > >
> > > > > --
> > > > >
> > > > > ---
> > > > > You received this message because you are subscribed to the Google
> > > > > Groups
> > > > > "ossec-list" group.
> > > > > To unsubscribe from this group and stop receiving emails from it,
> > send
> > > > > an
> > > > > email to ossec-list+...@googlegroups.com.
> > > > > For more options, visit https://groups.google.com/groups/opt_out.
> > >
> > > --
> > >
> > > ---
> > > You received this message because you are subscribed to the Google
> > Groups
> > > "ossec-list" group.
> > > To unsubscribe from this group and stop receiving emails from it, send
> > an
> > > email to ossec-list+...@googlegroups.com.
> > > For more options, visit https://groups.google.com/groups/opt_out.
> >
>
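
Added example (not part of the original message and not OSSEC source code): a C model of the version check as Chris describes it, next to a variant that also names 6.2 and still returns a usable string for unknown versions. The struct, the function names and the substring treatment of the os="..." selector are assumptions made for illustration, as is the idea that an unnamed OS is what makes the os= block get skipped; no Windows API is called.

```c
/* Added example, not OSSEC code. Models the version check described in the
 * message: major version 6 is recognised, but only minor 0 and 1 are named. */
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the fields GetVersionEx fills in. */
struct win_ver {
    unsigned major, minor, build;
    int is_server;              /* assumed flag: server vs. workstation */
};

/* Check as described: returns 1 if a name was written, 0 if none matched.
 * Majors below 6 are left out of this model. */
int os_name_as_described(const struct win_ver *v, char *buf, size_t len)
{
    buf[0] = '\0';
    if (v->major != 6)
        return 0;
    if (v->minor == 0)
        snprintf(buf, len, "Microsoft Windows %s",
                 v->is_server ? "Server 2008" : "Vista");
    else if (v->minor == 1)
        snprintf(buf, len, "Microsoft Windows %s",
                 v->is_server ? "Server 2008 R2" : "7");
    return buf[0] != '\0';      /* minor 2 falls through with an empty name */
}

/* Tolerant variant: table-driven, and an unknown version still yields a
 * string that starts with "Microsoft Windows" plus the raw numbers. */
int os_name_tolerant(const struct win_ver *v, char *buf, size_t len)
{
    static const struct {
        unsigned major, minor;
        const char *client, *server;
    } known[] = {
        { 6, 0, "Vista", "Server 2008"    },
        { 6, 1, "7",     "Server 2008 R2" },
        { 6, 2, "8",     "Server 2012"    },
    };
    const char *name = "(unrecognised release)";
    size_t i;

    for (i = 0; i < sizeof(known) / sizeof(known[0]); i++) {
        if (known[i].major == v->major && known[i].minor == v->minor) {
            name = v->is_server ? known[i].server : known[i].client;
            break;
        }
    }
    snprintf(buf, len, "Microsoft Windows %s [Ver: %u.%u.%u]",
             name, v->major, v->minor, v->build);
    return 1;
}

/* Assumption: an os="..." selector hits when it is a substring of the
 * reported OS string; an empty OS string can never match. */
int os_selector_matches(const char *selector, const char *os_string)
{
    return os_string[0] != '\0' && strstr(os_string, selector) != NULL;
}

/* Does os=<selector> apply to this version under each check? */
int hits_as_described(unsigned major, unsigned minor, int is_server,
                      const char *selector)
{
    struct win_ver v = { major, minor, 0, is_server };
    char buf[128];
    os_name_as_described(&v, buf, sizeof(buf));
    return os_selector_matches(selector, buf);
}

int hits_tolerant(unsigned major, unsigned minor, int is_server,
                  const char *selector)
{
    struct win_ver v = { major, minor, 0, is_server };
    char buf[128];
    os_name_tolerant(&v, buf, sizeof(buf));
    return os_selector_matches(selector, buf);
}

int main(void)
{
    /* Constructed input: the 6.2.9200 server reported in the message. */
    struct win_ver srv2012 = { 6, 2, 9200, 1 };
    char a[128], b[128];

    os_name_as_described(&srv2012, a, sizeof(a));
    os_name_tolerant(&srv2012, b, sizeof(b));
    printf("as described: \"%s\" matches os=Windows: %d\n",
           a, os_selector_matches("Windows", a));
    printf("tolerant:     \"%s\" matches os=Windows: %d\n",
           b, os_selector_matches("Windows", b));
    return 0;
}
```
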