I have a problem: on my ossec server I added new directories to check or to ignore, for example:
<directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
<directories check_all="yes">/bin,/sbin,/boot,/lib,/opt,/srv</directories>
<directories check_all="yes">C:\Windows\Test</directories>
<directories check_all="yes">C:\Program Files (x86)\ossec-agent</directories>
<directories check_all="yes">C:\Program Files</directories>
<directories check_all="yes">C:\Program Files (x86)</directories>
<directories check_all="yes">D:\Program Files</directories>
But I'm not sure that this configuration is working, because the ossec agent log doesn't have the registry:
2018/04/10 13:34:53 ossec-agent: INFO: Starting syscheck scan.
2018/04/10 13:43:18 ossec-agent(1758): ERROR: Unable to open registry key: 'System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs'.
2018/04/10 13:43:18 ossec-agent(1758): ERROR: Unable to open registry key: 'System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\DHCP'.
2018/04/10 13:43:18 ossec-agent(1758): ERROR: Unable to open registry key: 'System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\IPTLSIn'.
2018/04/10 13:43:18 ossec-agent(1758): ERROR: Unable to open registry key: 'System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\IPTLSOut'.
2018/04/10 13:43:18 ossec-agent(1758): ERROR: Unable to open registry key: 'System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\RPC-EPMap'.
2018/04/10 13:43:18 ossec-agent(1758): ERROR: Unable to open registry key: 'System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\Teredo'.
2018/04/10 13:43:47 ossec-agent(1758): ERROR: Unable to open registry key: 'System\CurrentControlSet\Services\PolicyAgent\Parameters\Cache'.
2018/04/10 13:46:24 ossec-agent(1758): ERROR: Unable to open registry key: 'Software\Microsoft\Windows\CurrentVersion\RunOnceEx'.
2018/04/10 13:47:34 ossec-agent: WARN: Error opening directory: 'C:\boot.ini': No such file or directory
2018/04/10 13:47:34 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/CONFIG.NT': No such file or directory
2018/04/10 13:47:34 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/AUTOEXEC.NT': No such file or directory
2018/04/10 13:47:34 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/debug.exe': No such file or directory
2018/04/10 13:47:34 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/drwatson.exe': No such file or directory
2018/04/10 13:47:34 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/drwtsn32.exe': No such file or directory
2018/04/10 13:47:34 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/edlin.exe': No such file or directory
2018/04/10 13:47:34 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/eventtriggers.exe': No such file or directory
2018/04/10 13:47:34 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/rcp.exe': No such file or directory
2018/04/10 13:47:34 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/rexec.exe': No such file or directory
2018/04/10 13:47:34 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/rsh.exe': No such file or directory
2018/04/10 13:47:36 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/telnet.exe': No such file or directory
2018/04/10 13:47:36 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/tftp.exe': No such file or directory
2018/04/10 13:47:36 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/tlntsvr.exe': No such file or directory
2018/04/10 13:47:36 ossec-agent: WARN: Error opening directory: 'C:\Users/Public/All Users/Microsoft/Windows/Start Menu/Startup': No such file or directory
2018/04/10 13:47:56 ossec-agent: INFO: Ending syscheck scan.
Could somebody help me make sure this configuration is correct?
In addition, when I restart the ossec service on the server, this appears:
abr 10 15:15:16 TMCVPLMT01 ossec[27132]: Started ossec-remoted...
abr 10 15:15:16 TMCVPLMT01 ossec[27132]: 2018/04/10 15:15:16 ossec-syscheckd: DEBUG: Starting ...
abr 10 15:15:16 TMCVPLMT01 ossec[27132]: 2018/04/10 15:15:16 rootcheck: DEBUG: Starting ...
abr 10 15:15:16 TMCVPLMT01 ossec[27132]: 2018/04/10 15:15:16 rootcheck: Starting queue ...
abr 10 15:15:16 TMCVPLMT01 ossec[27132]: 2018/04/10 15:15:16 ossec-syscheckd: INFO: (unix_domain) Maximum send buffer set to: '212992'.
abr 10 15:15:16 TMCVPLMT01 ossec[27132]: Started ossec-syscheckd...
abr 10 15:15:16 TMCVPLMT01 ossec[27132]: 2018/04/10 15:15:16 ossec-monitord: DEBUG: Starting ...
abr 10 15:15:16 TMCVPLMT01 ossec[27132]: Started ossec-monitord...
abr 10 15:15:18 TMCVPLMT01 ossec[27132]: Completed.
Is this related to the principal issue?
Regards...