agent.conf settings not syncing to agents

[boatjun...@gmail.com]

I'm trying to configure ossec to monitor our windows servers.

I've configured agent.conf, installed a few agents (one on Windows 2008, one on 2012r2, and one on Windows 10).

I can get the settings to sync (md5 sum of agent.conf matches what I get with agent_control), but when I restart the agent, the log shows it only looking at the settings in it's local ossec.conf.

Any help would be greatly appreciated. Here's what my agent.conf looks like:

<agent_config name="someserver">

  <localfile>

    <location>Security</location>

    <log_format>eventlog</log_format>

  </localfile>

</agent_config>

  <!-- Rootcheck - Policy monitor config -->

  <rootcheck>

    <windows_audit>./shared/win_audit_rcl.txt</windows_audit>

    <windows_apps>./shared/win_applications_rcl.txt</windows_apps>

    <windows_malware>./shared/win_malware_rcl.txt</windows_malware>

  </rootcheck>

<agent_config os="windows">

   <!-- Syscheck - Integrity Checking config. -->

  <syscheck>

    <!-- Default frequency, every 20 hours. It doesn't need to be higher

      -  on most systems and one a day should be enough.

      -->

    <frequency>72000</frequency>

    <!-- By default it is disabled. In the Install you must choose

      -  to enable it.

      -->

    <disabled>no</disabled>

    <!-- Default files to be monitored - Sysnative only. -->

    <directories check_all="yes">%WINDIR%\win.ini</directories>

    <directories check_all="yes">%WINDIR%\system.ini</directories>

    <directories check_all="yes">C:\autoexec.bat</directories>

    <directories check_all="yes">C:\config.sys</directories>

    <!-- directories check_all="yes">C:\boot.ini</directories -->

    <!-- directories check_all="yes">%WINDIR%\Sysnative\CONFIG.NT</directories -->

    <!-- directories check_all="yes">%WINDIR%\Sysnative\AUTOEXEC.NT</directories -->

    <directories check_all="yes">%WINDIR%\Sysnative\at.exe</directories>

    <directories check_all="yes">%WINDIR%\Sysnative\attrib.exe</directories>

    <directories check_all="yes">%WINDIR%\Sysnative\cacls.exe</directories>

    <!-- directories check_all="yes">%WINDIR%\Sysnative\debug.exe</directories -->

    <!-- directories check_all="yes">%WINDIR%\Sysnative\drwatson.exe</directories -->

    <!-- directories check_all="yes">%WINDIR%\Sysnative\drwtsn32.exe</directories -->

    <!-- directories check_all="yes">%WINDIR%\Sysnative\edlin.exe</directories -->

    <!-- directories check_all="yes">%WINDIR%\Sysnative\eventcreate.exe</directories -->

    <directories check_all="yes">%WINDIR%\Sysnative\eventtriggers.exe</directories>

    <directories check_all="yes">%WINDIR%\Sysnative\ftp.exe</directories>

    <directories check_all="yes">%WINDIR%\Sysnative\net.exe</directories>

    <directories check_all="yes">%WINDIR%\Sysnative\net1.exe</directories>

    <directories check_all="yes">%WINDIR%\Sysnative\netsh.exe</directories>

    <!-- directories check_all="yes">%WINDIR%\Sysnative\rcp.exe</directories -->

    <directories check_all="yes">%WINDIR%\Sysnative\reg.exe</directories>

    <directories check_all="yes">%WINDIR%\regedit.exe</directories>

    <directories check_all="yes">%WINDIR%\Sysnative\regedt32.exe</directories>

    <directories check_all="yes">%WINDIR%\Sysnative\regsvr32.exe</directories>

    <directories check_all="yes">%WINDIR%\Sysnative\rexec.exe</directories>

    <directories check_all="yes">%WINDIR%\Sysnative\rsh.exe</directories>

    <directories check_all="yes">%WINDIR%\Sysnative\runas.exe</directories>

 <directories check_all="yes">%WINDIR%\Sysnative\drivers/etc</directories>

    <directories check_all="yes">%WINDIR%\Sysnative\sc.exe</directories>

    <directories check_all="yes">%WINDIR%\Sysnative\subst.exe</directories>

    <!-- directories check_all="yes">%WINDIR%\Sysnative\telnet.exe</directories -->

    <!-- directories check_all="yes">%WINDIR%\Sysnative\tftp.exe</directories -->

    <!-- directories check_all="yes">%WINDIR%\Sysnative\tlntsvr.exe</directories -->

    <directories check_all="yes">%WINDIR%\Sysnative\drivers/etc</directories>

    <directories check_all="yes" realtime="yes">C:\Documents and Settings/All Users/Start Menu/Programs/Startup</directories>

    <!-- directories check_all="yes" realtime="yes">C:\Users/Public/All Users/Microsoft/Windows/Start Menu/Startup</directories -->

    <directories check_all="yes" realtime="yes">C:\inetpub/somelocaldirectory</directories>

    <directories check_all="yes" realtime="yes">C:\inetpub/anotherlocaldirectory</directories>

    <ignore type="sregex">.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$</ignore>

    <!-- Windows registry entries to monitor. -->

    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\batfile</windows_registry>

    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\cmdfile</windows_registry>

    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\comfile</windows_registry>

    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\exefile</windows_registry>

    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\piffile</windows_registry>

    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects</windows_registry>

    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Directory</windows_registry>

    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Folder</windows_registry>

    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Protocols</windows_registry>

    <windows_registry>HKEY_LOCAL_MACHINE\Software\Policies</windows_registry>

    <windows_registry>HKEY_LOCAL_MACHINE\Security</windows_registry>

    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer</windows_registry>

    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</windows_registry>

    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs</windows_registry>

    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg</windows_registry>

    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry>

    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</windows_registry>

    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx</windows_registry>

    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL</windows_registry>

    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies</windows_registry>

    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows</windows_registry>

    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon</windows_registry>

    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components</windows_registry>

    <!-- Windows registry entries to ignore. -->

    <registry_ignore>HKEY_LOCAL_MACHINE\Security\Policy\Secrets</registry_ignore>

    <registry_ignore>HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users</registry_ignore>

    <registry_ignore type="sregex">\Enum$</registry_ignore>

  </syscheck>

</agent_config>

  <active-response>

    <disabled>yes</disabled>

  </active-response>

[boatjun...@gmail.com]

I think I figured it out. The syntax of that file has to be perfect. :-)

I'm not complaining because this is an awesome free product (and a huge thank you for it!), but an observation... the documentation of the agent.conf functionality could use some improvement. :-)

[dan (ddp)]

On Jun 17, 2016 6:52 PM, <boatjun...@gmail.com> wrote:
>
> I think I figured it out. The syntax of that file has to be perfect. :-)
>
> I'm not complaining because this is an awesome free product (and a huge thank you for it!), but an observation... the documentation of the agent.conf functionality could use some improvement. :-)
>>

What improvements would you like to see?

>>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

[Victor Fernandez]

Hi.

Every setting at agent.conf needs to be inside a <agent_config> section, otherwise the configuration reader may fail. So, please relocate the tags <rootcheck> and <active_response> that are outside <agent_config> and restart the agent.

If the problem persists, enable debugging logs editing the file internal_options.conf and changing the setting windows.debug from 0 to 2 and restart the agent. This way you can see more details at the log.

Kind regards.