Directories to check and ignore directories


Carlos Islas

Apr 10, 2018, 5:02:38 PM
to ossec-list
Hello to everybody,

I have a problem. In my OSSEC server I have added new directories to check or to ignore, for example:
    
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin,/boot,/lib,/opt,/srv</directories>
    <directories check_all="yes">C:\Windows\Test</directories>
    <directories check_all="yes">C:\Program Files (x86)\ossec-agent</directories>
    <directories check_all="yes">C:\Program Files</directories>
    <directories check_all="yes">C:\Program Files (x86)</directories>
    <directories check_all="yes">D:\Program Files</directories>

   <ignore>E:\Program Files (x86)\Websense\Web Security\tomcat\logs</ignore>

But I'm not sure that this configuration is working, because the OSSEC agent log doesn't have the record:

2018/04/10 13:34:53 ossec-agent: INFO: Starting syscheck scan.
2018/04/10 13:43:18 ossec-agent(1758): ERROR: Unable to open registry key: 'System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs'.
2018/04/10 13:43:18 ossec-agent(1758): ERROR: Unable to open registry key: 'System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\DHCP'.
2018/04/10 13:43:18 ossec-agent(1758): ERROR: Unable to open registry key: 'System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\IPTLSIn'.
2018/04/10 13:43:18 ossec-agent(1758): ERROR: Unable to open registry key: 'System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\IPTLSOut'.
2018/04/10 13:43:18 ossec-agent(1758): ERROR: Unable to open registry key: 'System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\RPC-EPMap'.
2018/04/10 13:43:18 ossec-agent(1758): ERROR: Unable to open registry key: 'System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\Teredo'.
2018/04/10 13:43:47 ossec-agent(1758): ERROR: Unable to open registry key: 'System\CurrentControlSet\Services\PolicyAgent\Parameters\Cache'.
2018/04/10 13:46:24 ossec-agent(1758): ERROR: Unable to open registry key: 'Software\Microsoft\Windows\CurrentVersion\RunOnceEx'.
2018/04/10 13:47:34 ossec-agent: WARN: Error opening directory: 'C:\boot.ini': No such file or directory 
2018/04/10 13:47:34 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/CONFIG.NT': No such file or directory 
2018/04/10 13:47:34 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/AUTOEXEC.NT': No such file or directory 
2018/04/10 13:47:34 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/debug.exe': No such file or directory 
2018/04/10 13:47:34 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/drwatson.exe': No such file or directory 
2018/04/10 13:47:34 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/drwtsn32.exe': No such file or directory 
2018/04/10 13:47:34 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/edlin.exe': No such file or directory 
2018/04/10 13:47:34 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/eventtriggers.exe': No such file or directory 
2018/04/10 13:47:34 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/rcp.exe': No such file or directory 
2018/04/10 13:47:34 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/rexec.exe': No such file or directory 
2018/04/10 13:47:34 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/rsh.exe': No such file or directory 
2018/04/10 13:47:36 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/telnet.exe': No such file or directory 
2018/04/10 13:47:36 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/tftp.exe': No such file or directory 
2018/04/10 13:47:36 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/tlntsvr.exe': No such file or directory 
2018/04/10 13:47:36 ossec-agent: WARN: Error opening directory: 'C:\Users/Public/All Users/Microsoft/Windows/Start Menu/Startup': No such file or directory 
2018/04/10 13:47:56 ossec-agent: INFO: Ending syscheck scan.

Could somebody help me make sure this configuration is correct?

In addition, when I restart the ossec service on the server, this appears:

abr 10 15:15:16 TMCVPLMT01 ossec[27132]: Started ossec-remoted...
abr 10 15:15:16 TMCVPLMT01 ossec[27132]: 2018/04/10 15:15:16 ossec-syscheckd: DEBUG: Starting ...
abr 10 15:15:16 TMCVPLMT01 ossec[27132]: 2018/04/10 15:15:16 rootcheck: DEBUG: Starting ...
abr 10 15:15:16 TMCVPLMT01 ossec[27132]: 2018/04/10 15:15:16 rootcheck: Starting queue ...
abr 10 15:15:16 TMCVPLMT01 ossec[27132]: 2018/04/10 15:15:16 ossec-syscheckd: INFO: (unix_domain) Maximum send buffer set to: '212992'.
abr 10 15:15:16 TMCVPLMT01 ossec[27132]: Started ossec-syscheckd...
abr 10 15:15:16 TMCVPLMT01 ossec[27132]: 2018/04/10 15:15:16 ossec-monitord: DEBUG: Starting ...
abr 10 15:15:16 TMCVPLMT01 ossec[27132]: Started ossec-monitord...
abr 10 15:15:18 TMCVPLMT01 ossec[27132]: Completed.

Is this related to the main issue?

Regards...

dan (ddp)

Apr 10, 2018, 5:13:21 PM
to ossec...@googlegroups.com


On Tue, Apr 10, 2018, 5:02 PM Carlos Islas <sparks....@gmail.com> wrote:
Hello to everybody,

I have a problem. In my OSSEC server I have added new directories to check or to ignore, for example:
    
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin,/boot,/lib,/opt,/srv</directories>
    <directories check_all="yes">C:\Windows\Test</directories>
    <directories check_all="yes">C:\Program Files (x86)\ossec-agent</directories>
    <directories check_all="yes">C:\Program Files</directories>
    <directories check_all="yes">C:\Program Files (x86)</directories>
    <directories check_all="yes">D:\Program Files</directories>

   <ignore>E:\Program Files (x86)\Websense\Web Security\tomcat\logs</ignore>


If you added these to the server's ossec.conf, they will be checked on the server. To get them checked on an agent they should be added to the agent's ossec.conf or the agent.conf. 
I'm not sure what you're trying to ask about here.


Regards...


Carlos Islas

Apr 10, 2018, 5:40:02 PM
to ossec-list


On Tuesday, April 10, 2018, 16:13:21 (UTC-5), dan (ddpbsd) wrote:


On Tue, Apr 10, 2018, 5:02 PM Carlos Islas <sparks....@gmail.com> wrote:
Hello to everybody,

I have a problem. In my OSSEC server I have added new directories to check or to ignore, for example:
    
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin,/boot,/lib,/opt,/srv</directories>
    <directories check_all="yes">C:\Windows\Test</directories>
    <directories check_all="yes">C:\Program Files (x86)\ossec-agent</directories>
    <directories check_all="yes">C:\Program Files</directories>
    <directories check_all="yes">C:\Program Files (x86)</directories>
    <directories check_all="yes">D:\Program Files</directories>

   <ignore>E:\Program Files (x86)\Websense\Web Security\tomcat\logs</ignore>


If you added these to the server's ossec.conf, they will be checked on the server. To get them checked on an agent they should be added to the agent's ossec.conf or the agent.conf. 

Sorry, one doubt: then if I want to check a specific path, do I need to add the path agent by agent?
Sorry again, the question is: why does DEBUG appear if I haven't enabled or started it... I checked in internal_options.conf and using /var/ossec/bin/ossec-control status debug

Regards...

Thanks dan 

Carlos Islas

Apr 11, 2018, 4:39:25 PM
to ossec-list
Hi dan,

I was able to configure the path for the agents by creating the file agent.conf on the server in the path /var/ossec/etc/shared.

Thank you for your help.

Regards