Integrity check not working for windows


Paul_H

May 26, 2016, 12:31:07 PM
to ossec-list
Hello, I'm kinda new to OSSEC and have a problem with the integrity check (among some others) not sending alerts for our Windows machines. I have tested it on our CentOS 7 boxes and it is working fine for them. I have read other posts here on the subject and the only thing I found was that you have to turn off UAC, which we do.
In the log file I see an entry for: ossec-syscheckd: WARN: Error opening directory: '%WINDIR%/system32': No such file or directory but I am not sure how to troubleshoot this. I turned on debug and have included the logs and ossec.conf file...any suggestions would help
ossec_config.txt
ossec.log

ro...@wazuh.com

May 27, 2016, 5:17:17 PM
to ossec-list
Hi Paul,

You have two configuration files here:
- /var/ossec/etc/ossec.conf: which only affects the manager's local agent. This explains why you are getting this error: it is telling you that the directory doesn't exist on the CentOS machine.
- /var/ossec/etc/shared/agent.conf: which pushes the configuration out to the remote agents, in this case the Windows agent.

You need to configure the directories you want to monitor on the agents in the agent.conf file. Try writing this in the agent.conf:
<agent_config os="Windows">
    <syscheck>
        <directories realtime="yes" check_all="yes">%WINDIR%/system32</directories>
        <directories realtime="yes" report_changes="yes" check_all="yes">C:/Admin</directories>
    </syscheck>
</agent_config>

You can add more configuration for the specific agent if you want in the syscheck section too. Let me know if this worked for you! 

Best,

Rocio
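
The two-file split Rocio describes above (the manager's own ossec.conf versus the shared agent.conf), illustrated by an added Python checker that is not part of this thread or of OSSEC itself: it parses an OSSEC-style config, flags Windows-style <directories> entries that are not inside an <agent_config os="Windows"> block (the placement that makes a Linux host try to open %WINDIR%/system32 and log the WARN line from Paul's post), and pulls the unopenable paths out of a syscheckd log. The sample config blocks and log line are constructed; the os="Linux" block goes beyond the thread to show that an untagged or differently tagged block is flagged too.

```python
import re
import xml.etree.ElementTree as ET

# Windows-style paths such as %WINDIR%/system32 or C:/Admin (either slash).
WINDOWS_PATH = re.compile(r'^(%[A-Za-z_]+%|[A-Za-z]:)[\\/]')
OPEN_DIR_WARN = re.compile(r"ossec-syscheckd: WARN: Error opening directory: '([^']+)'")

def parse_ossec_xml(text):
    """OSSEC files may hold several top-level elements; wrap them in a synthetic root."""
    return ET.fromstring("<root>" + text + "</root>")

def misplaced_windows_directories(config_text):
    """Return (path, enclosing tag, os attribute) for each Windows-style
    <directories> entry not scoped to <agent_config os="Windows">. The Linux
    host reading the file would try to scan it, giving the warning above."""
    findings = []
    for block in parse_ossec_xml(config_text):
        os_scope = block.get("os") if block.tag == "agent_config" else None
        for d in block.iter("directories"):
            for path in (d.text or "").split(","):
                path = path.strip()
                if WINDOWS_PATH.match(path) and os_scope != "Windows":
                    findings.append((path, block.tag, os_scope))
    return findings

def unopenable_dirs_from_log(log_text):
    """Paths that ossec-syscheckd reported it could not open."""
    return OPEN_DIR_WARN.findall(log_text)

# Constructed samples: the manager's ossec.conf with the Windows paths from
# the thread (the mistake), and an agent.conf that scopes them to Windows.
MANAGER_OSSEC_CONF = """<ossec_config><syscheck>
  <directories check_all="yes">/etc,/usr/bin</directories>
  <directories realtime="yes" check_all="yes">%WINDIR%/system32</directories>
  <directories realtime="yes" report_changes="yes" check_all="yes">C:/Admin</directories>
</syscheck></ossec_config>"""
AGENT_CONF = """<agent_config os="Windows"><syscheck>
  <directories realtime="yes" check_all="yes">%WINDIR%/system32</directories>
  <directories realtime="yes" report_changes="yes" check_all="yes">C:/Admin</directories>
</syscheck></agent_config>
<agent_config os="Linux"><syscheck>
  <directories check_all="yes">/etc,/usr/bin</directories>
</syscheck></agent_config>"""
SAMPLE_LOG = "2016/05/30 08:47:50 ossec-syscheckd: WARN: Error opening directory: '%WINDIR%/system32': No such file or directory"

if __name__ == "__main__":
    for path, tag, scope in misplaced_windows_directories(MANAGER_OSSEC_CONF):
        print(f"{path}: in <{tag}> (os={scope}); move to <agent_config os=\"Windows\"> in agent.conf")
    print("agent.conf misplaced:", misplaced_windows_directories(AGENT_CONF))  # []
    print("log:", unopenable_dirs_from_log(SAMPLE_LOG))
```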

Paul_H

May 30, 2016, 9:31:55 AM
to ossec-list
Hi Rocio, thanks for the reply. I created the file on the manager, included your statements, and restarted; however, I am still seeing the error messages that the manager is unable to open the directories:

2016/05/30 08:47:50 ossec-syscheckd: WARN: Error opening directory: '%WINDIR%/system32': No such file or directory
2016/05/30 08:47:50 ossec-syscheckd: WARN: Error opening directory: 'C:/Admin': No such file or directory
2016/05/30 08:48:12 ossec-syscheckd: INFO: Ending syscheck scan.
2016/05/30 09:03:12 ossec-syscheckd: INFO: Starting syscheck scan.

dan (ddp)

May 31, 2016, 9:37:13 AM
to ossec...@googlegroups.com
On Mon, May 30, 2016 at 9:31 AM, Paul_H <paulh...@gmail.com> wrote:
> Hi Rocio, thanks for the reply. I created the file on the manager, included
> your statements, and restarted however I am still seeing the error messages
> that the manager is unable to open the directories:
>
> 2016/05/30 08:47:50 ossec-syscheckd: WARN: Error opening directory:
> '%WINDIR%/system32': No such file or directory
> 2016/05/30 08:47:50 ossec-syscheckd: WARN: Error opening directory:
> 'C:/Admin': No such file or directory
> 2016/05/30 08:48:12 ossec-syscheckd: INFO: Ending syscheck scan.
> 2016/05/30 09:03:12 ossec-syscheckd: INFO: Starting syscheck scan.
>

The OSSEC manager is not running windows, so "%WINDIR%/system32" does
not make sense there.
Add that entry to the Windows agent's ossec.conf and restart the service.


ro...@wazuh.com

Jun 2, 2016, 2:21:34 PM
to ossec-list
Hi Paul,

Sorry about the delay in my answer.

Sometimes you need to wait a little bit for the agent to get the configuration (agent.conf). Check if you have the latest version of your agent.conf on the agent.

Did you remove those lines from the ossec.conf on the manager?

As Dan said, you can add it to the agent's ossec.conf instead of adding it to the agent.conf on the manager.