I'm trying to configure ossec to monitor our windows servers.
I've configured agent.conf, installed a few agents (one on Windows 2008, one on 2012r2, and one on Windows 10).
I can get the settings to sync (md5 sum of agent.conf matches what I get with agent_control), but when I restart the agent, the log shows it only looking at the settings in it's local ossec.conf.
Any help would be greatly appreciated. Here's what my agent.conf looks like:
<agent_config name="someserver">
<localfile>
<location>Security</location>
<log_format>eventlog</log_format>
</localfile>
</agent_config>
<!-- Rootcheck - Policy monitor config -->
<rootcheck>
<windows_audit>./shared/win_audit_rcl.txt</windows_audit>
<windows_apps>./shared/win_applications_rcl.txt</windows_apps>
<windows_malware>./shared/win_malware_rcl.txt</windows_malware>
</rootcheck>
<agent_config os="windows">
<!-- Syscheck - Integrity Checking config. -->
<syscheck>
<!-- Default frequency, every 20 hours. It doesn't need to be higher
- on most systems and one a day should be enough.
-->
<frequency>72000</frequency>
<!-- By default it is disabled. In the Install you must choose
- to enable it.
-->
<disabled>no</disabled>
<!-- Default files to be monitored - Sysnative only. -->
<directories check_all="yes">%WINDIR%\win.ini</directories>
<directories check_all="yes">%WINDIR%\system.ini</directories>
<directories check_all="yes">C:\autoexec.bat</directories>
<directories check_all="yes">C:\config.sys</directories>
<!-- directories check_all="yes">C:\boot.ini</directories -->
<!-- directories check_all="yes">%WINDIR%\Sysnative\CONFIG.NT</directories -->
<!-- directories check_all="yes">%WINDIR%\Sysnative\AUTOEXEC.NT</directories -->
<directories check_all="yes">%WINDIR%\Sysnative\at.exe</directories>
<directories check_all="yes">%WINDIR%\Sysnative\attrib.exe</directories>
<directories check_all="yes">%WINDIR%\Sysnative\cacls.exe</directories>
<!-- directories check_all="yes">%WINDIR%\Sysnative\debug.exe</directories -->
<!-- directories check_all="yes">%WINDIR%\Sysnative\drwatson.exe</directories -->
<!-- directories check_all="yes">%WINDIR%\Sysnative\drwtsn32.exe</directories -->
<!-- directories check_all="yes">%WINDIR%\Sysnative\edlin.exe</directories -->
<!-- directories check_all="yes">%WINDIR%\Sysnative\eventcreate.exe</directories -->
<directories check_all="yes">%WINDIR%\Sysnative\eventtriggers.exe</directories>
<directories check_all="yes">%WINDIR%\Sysnative\ftp.exe</directories>
<directories check_all="yes">%WINDIR%\Sysnative\net.exe</directories>
<directories check_all="yes">%WINDIR%\Sysnative\net1.exe</directories>
<directories check_all="yes">%WINDIR%\Sysnative\netsh.exe</directories>
<!-- directories check_all="yes">%WINDIR%\Sysnative\rcp.exe</directories -->
<directories check_all="yes">%WINDIR%\Sysnative\reg.exe</directories>
<directories check_all="yes">%WINDIR%\regedit.exe</directories>
<directories check_all="yes">%WINDIR%\Sysnative\regedt32.exe</directories>
<directories check_all="yes">%WINDIR%\Sysnative\regsvr32.exe</directories>
<directories check_all="yes">%WINDIR%\Sysnative\rexec.exe</directories>
<directories check_all="yes">%WINDIR%\Sysnative\rsh.exe</directories>
<directories check_all="yes">%WINDIR%\Sysnative\runas.exe</directories>
<directories check_all="yes">%WINDIR%\Sysnative\drivers/etc</directories>
<directories check_all="yes">%WINDIR%\Sysnative\sc.exe</directories>
<directories check_all="yes">%WINDIR%\Sysnative\subst.exe</directories>
<!-- directories check_all="yes">%WINDIR%\Sysnative\telnet.exe</directories -->
<!-- directories check_all="yes">%WINDIR%\Sysnative\tftp.exe</directories -->
<!-- directories check_all="yes">%WINDIR%\Sysnative\tlntsvr.exe</directories -->
<directories check_all="yes">%WINDIR%\Sysnative\drivers/etc</directories>
<directories check_all="yes" realtime="yes">C:\Documents and Settings/All Users/Start Menu/Programs/Startup</directories>
<!-- directories check_all="yes" realtime="yes">C:\Users/Public/All Users/Microsoft/Windows/Start Menu/Startup</directories -->
<directories check_all="yes" realtime="yes">C:\inetpub/somelocaldirectory</directories>
<directories check_all="yes" realtime="yes">C:\inetpub/anotherlocaldirectory</directories>
<ignore type="sregex">.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$</ignore>
<!-- Windows registry entries to monitor. -->
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\batfile</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\cmdfile</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\comfile</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\exefile</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\piffile</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Directory</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Folder</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Protocols</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Policies</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Security</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components</windows_registry>
<!-- Windows registry entries to ignore. -->
<registry_ignore>HKEY_LOCAL_MACHINE\Security\Policy\Secrets</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users</registry_ignore>
<registry_ignore type="sregex">\Enum$</registry_ignore>
</syscheck>
</agent_config>
<active-response>
<disabled>yes</disabled>
</active-response>