Linux - Windows registry?


Alan Sparks

Nov 4, 2009, 12:01:52 PM11/4/09
to ossec...@googlegroups.com
I have a problem where, after installing an OSSEC 2.2 instance on a
Linux box, the WUI now shows me an entry for "web1 Windows registry."
And, indeed, the queues/syscheck directory on the OSSEC server has an
entry: "(web1) 10.242.54.10->syscheck-registry".

But web1 is a RHEL 5.3 system.

Why would OSSEC have done this? What triggered it thinking there was
supposed to be a Windows registry there? Nothing in the config has
anything mentioning the registry. Is there some way to remove the
erroneous "syscheck->registry" entry and make sure OSSEC doesn't
recreate it?

-Alan

Daniel Cid

Nov 5, 2009, 10:58:54 AM11/5/09
to ossec...@googlegroups.com
Hi Alan,

That's strange... Maybe you had a Windows box with the same name/ip before? If you
remove that file inside the queue it should not show up anymore.

Btw, can you see what is inside that file? If it has real registry entries, then it is
almost certain you had a Windows agent before with that name...


Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

Alan Sparks

Nov 7, 2009, 1:19:01 AM11/7/09
to ossec...@googlegroups.com

Any ideas about this? Suddenly in my UI I have almost all my Linux
hosts showing with a "Windows registry" entry.
What part of the client or server makes the decision to create this, and
guess wrong?
-Alan

dan (ddp)

Nov 7, 2009, 10:21:31 AM11/7/09
to ossec...@googlegroups.com
I don't know why this happens, but what is in the registry log files?
Look in $ossec-home/queue/syscheck (I think) for a file ending in
->registry (again, I think, don't have access to check ATM).
dan
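The check Daniel and dan suggest above (look at the server's queue/syscheck directory, find the per-agent files ending in ->syscheck-registry, and see whether they are empty or carry real registry entries) can be scripted. The script below is an added example and is not part of the thread or of OSSEC; it assumes the default install prefix /var/ossec (overridable through an OSSEC_HOME variable the script itself defines), and the sample queue it builds for offline use contains constructed file contents that do not reproduce the real syscheck-registry line format. Empty databases are reported as safe to remove; populated ones are left for manual review, since they suggest a Windows agent once reported under that name.

```shell
#!/bin/sh
# Added example (not from the ossec-list thread and not OSSEC's own code):
# inventory the per-agent "->syscheck-registry" files on an OSSEC server and
# tell empty (stray) ones apart from populated ones. Assumed paths and
# constructed sample contents are marked as such below.

# Assumption: OSSEC lives under /var/ossec unless OSSEC_HOME says otherwise.
syscheck_dir() {
    printf '%s/queue/syscheck\n' "${OSSEC_HOME:-/var/ossec}"
}

# Print one line per "<agent>-><syscheck-registry" file in $1:
#   EMPTY <file>      zero bytes; a stray entry, safe to remove
#   POPULATED <file>  has content, so an agent really reported registry data
# Exit status: 0 if every registry database is empty, 1 if any is populated,
# 2 if the directory does not exist.
audit_registry_dbs() {
    dir="$1"
    [ -d "$dir" ] || return 2
    populated=0
    for f in "$dir"/*'->syscheck-registry'; do
        [ -e "$f" ] || continue          # glob matched nothing
        if [ -s "$f" ]; then
            printf 'POPULATED %s\n' "$f"
            populated=1
        else
            printf 'EMPTY %s\n' "$f"
        fi
    done
    return "$populated"
}

# Remove only the zero-byte registry databases (the case seen in the thread)
# and print each path removed. Populated files are never touched here.
remove_empty_registry_dbs() {
    dir="$1"
    for f in "$dir"/*'->syscheck-registry'; do
        [ -e "$f" ] || continue
        [ -s "$f" ] && continue
        rm -f -- "$f" && printf 'removed %s\n' "$f"
    done
}

# Build a constructed sample queue directory so the script can be exercised
# offline. File names follow the "(name) ip->syscheck" pattern quoted in the
# thread; the one-line content of the "winbox" file is made up and is not
# the real syscheck-registry record format.
make_sample_queue() {
    dir="$1"
    mkdir -p "$dir"
    : > "$dir/(web1) 10.242.54.10->syscheck"
    : > "$dir/(web1) 10.242.54.10->syscheck-registry"      # empty, stray
    printf 'constructed sample registry entry\n' \
        > "$dir/(winbox) 10.242.54.20->syscheck-registry"  # populated
}

# Stand-alone demonstration against the constructed sample tree:
#   sh audit_registry_dbs.sh --demo
# Without --demo the functions are only defined, so the script can be
# sourced and pointed at "$(syscheck_dir)" on a real server.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_sample_queue "$tmp/queue/syscheck"
    audit_registry_dbs "$tmp/queue/syscheck"
    remove_empty_registry_dbs "$tmp/queue/syscheck"
    rm -rf "$tmp"
fi
```

On a real server run `audit_registry_dbs "$(syscheck_dir)"` first and only call `remove_empty_registry_dbs` once the POPULATED lines have been explained; a populated file for a Linux host name is the case Daniel describes, where a Windows agent previously registered under the same name or IP.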

Alan Sparks

Nov 7, 2009, 6:09:49 PM11/7/09
to ossec...@googlegroups.com
They're all empty. But they exist.
-Alan

chataigne cat

Nov 23, 2015, 9:40:08 AM11/23/15
to ossec-list, asp...@doublesparks.net

Hello,
I am running into the same problem as you.
An empty file 'hostname->syscheck-registry' is created for a Linux agent.
Even if I delete it, after a syscheck_update it is recreated.
Did you find a solution?
Thanks

dan (ddp)

Nov 23, 2015, 9:41:28 AM11/23/15
to ossec...@googlegroups.com
On Mon, Nov 23, 2015 at 9:37 AM, chataigne cat <chatai...@gmail.com> wrote:
>
> Hello,
> I am running into the same problem as you.
> An empty file 'hostname->syscheck-registry' is created for a Linux agent.
> Even if I delete it, after a syscheck_update it is recreated.
> Did you find a solution?
> Thanks
>

What problem does this really cause? Please open an issue at
https://github.com/ossec/ossec-hids
It'll be easier to keep track of that way.
