ossec service in windows 10


Diego Arranz

Apr 19, 2016, 6:15:49 AM
to ossec-list
Hi all,

   I'm testing Wazuh server on CentOS and OSSEC 2.8.3 as agent on Windows 10 Professional (Spanish language). The problem is that when I try to start the OSSEC service as local account, the service doesn't run, with error 5: access denied. If I set up any administrator account to run the service, all is OK.

  I tried to give full permissions to the network service account and local services account over the folder, but the error is the same (error 5: access denied).

  Does anybody have any idea about this problem?

Thanks in advance.

Victor Fernandez

Apr 19, 2016, 2:41:00 PM
to ossec-list
Hi Diego.

How do you start the service, with the UI or from Services?

Does OSSEC print something into the file "ossec.log"?

Best regards.

Victor Fernandez.

Victor Fernandez

Apr 20, 2016, 3:50:55 AM
to ossec-list
P.S.: I detected that sometimes, if I already created the group "Administrators" (for non-English Windows versions), OSSEC grants file permissions only to the group "Administrators".

In order to start a service, executable files must have execution permissions for "SYSTEM". So, please make sure that "ossec-agent.exe" and every ".exe" file has permissions for SYSTEM. I did the following steps:
  1. Open properties for directory "C:\Program Files\ossec-agent" (or "C:\Program Files (x86)\ossec-agent")
  2. Go to tab "Security". Make sure there are permissions for "SYSTEM".
  3. Now click on button "Advanced".
  4. On tab "Permissions", you may have to click "Change permissions".
  5. Mark box "Replace all child object permission entries with inheritable permission entries from this object". (In Spanish: "Reemplazar todas las entradas de permisos secundarios por entradas de permisos heredables de este objeto".)
  6. Click "Accept" and confirm the dialog box that will appear.
  7. Try to start the agent.
I hope this will be useful for you.
Best regards.

Victor Fernandez.

Diego Arranz

Apr 20, 2016, 3:52:02 AM
to ossec-list
Hi

  To install OSSEC:

   First I create an Administrators group and add the users to this group (this user belongs to the Administrator local group too), then install it without error in, for example, "d:\ossec\ossec-agent".

    To configure the agent (OSSEC server and key) I use the GUI and try to start with it, with the error: "Unable to start agent(check config)".

    If I try to start with the service, the error is "windows cannot start OSSEC HIDS in local computer. Error 5: Access Deny".

    If I set up the OssecSvc service with the administrator account instead of the local system account, all is OK.

   The permissions for the folder d:\ossec\ossec-agent are: full control to system, local service, network service, administradores group, usuarios group and Administrators group.

   When I try to start with the local system account in the services, nothing is printed into ossec.log....

  I tried to uninstall and install again in another folder and change permissions, but nothing... it only runs when I change the service account to a user, not for the local system account.

Best Regards

Victor Fernandez

Apr 20, 2016, 4:02:07 AM
to ossec-list
I had the Error 5 when the file "ossec-agent.exe" had no permissions for "SYSTEM".

Unfortunately, when we change the IP in the UI, the file "ossec.conf" is re-created without SYSTEM permissions, so the service starts and exits suddenly, but it prints the access error in the "ossec.log".

So, make sure that SYSTEM has permissions for executable files inside directory "ossec-agent" and "ossec.conf".

Kind regards.
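
The check described in the replies above, as an added PowerShell example that is not part of the original thread: it reports whether the LocalSystem account can read and execute every ".exe" in the agent directory and "ossec.conf". It matches ACL entries by well-known SID rather than by group name, so a custom group called "Administrators" on a non-English Windows is not mistaken for the built-in one. The default path comes from the thread; the helper name `Test-SystemAccess` and the simplified deny handling are assumptions of this example.

```powershell
# Added example (not from the thread): report agent files LocalSystem cannot read/execute.
param(
    # Assumption: default install path mentioned in the thread; pass -AgentDir for custom installs.
    [string]$AgentDir = 'C:\Program Files (x86)\ossec-agent'
)

# Well-known SIDs present in the LocalSystem token. SIDs are locale-independent,
# unlike group names such as "Administrators" / "Administradores".
$systemSids = @(
    'S-1-5-18',      # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-5-11',      # Authenticated Users
    'S-1-1-0'        # Everyone
)
$needed = [int][System.Security.AccessControl.FileSystemRights]::ReadAndExecute

function Test-SystemAccess {   # hypothetical helper name
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    # Explicit and inherited rules, identities returned as SIDs instead of names.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $allow = 0; $deny = 0
    foreach ($r in $rules) {
        if ($systemSids -notcontains $r.IdentityReference.Value) { continue }
        if ($r.AccessControlType -eq 'Allow') { $allow = $allow -bor [int]$r.FileSystemRights }
        else { $deny = $deny -bor [int]$r.FileSystemRights }
    }
    # Simplification: any matching deny bit wins; ACE ordering is not evaluated.
    (($allow -band (-bnot $deny)) -band $needed) -eq $needed
}

# Every executable plus ossec.conf, as advised in the thread.
$targets = @(Get-ChildItem -LiteralPath $AgentDir -Filter '*.exe' -File)
$conf = Join-Path $AgentDir 'ossec.conf'
if (Test-Path -LiteralPath $conf) { $targets += Get-Item -LiteralPath $conf }

$targets | ForEach-Object {
    [pscustomobject]@{
        File            = $_.Name
        SystemCanAccess = Test-SystemAccess -Path $_.FullName
    }
} | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt; any row showing `False` is a file to fix with the permission steps given earlier in the thread, and it is worth re-running after changing the server IP in the UI, since "ossec.conf" is re-created at that point.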

Diego Arranz

Apr 20, 2016, 6:52:26 AM
to ossec-list
OK, I reviewed all permissions inside the folder for the system account and now everything runs OK.

Thanks so much for the help