Help needed with agent.conf


brighamr
Jul 11, 2011, 11:18:02 AM
to ossec-list
I got the agents working on my win2008r2 servers using a very basic agent.conf. After that worked, I created a much more specific agent.conf and am getting an error from verify-agent-conf which states "XML error, element not closed directories line 284". I have passed my file by several engineers and none of us can find any element which is not closed. Can you see any problems with this agent.conf which would cause this error?

<agent_config name="agent1|agent2">
<syscheck>
<frequency>3600</frequency>
<disabled>no</disabled>
<directories check_all="yes">D:\examplecustomdir</directories>

<!-- Default files to be monitored - system32 only. -->
<directories check_all="yes">%WINDIR%/win.ini</directories>
<directories check_all="yes">%WINDIR%/system.ini</directories>
<directories check_all="yes">C:\autoexec.bat</directories>
<directories check_all="yes">C:\config.sys</directories>
<directories check_all="yes">C:\boot.ini</directories>
<directories check_all="yes">%WINDIR%/System32/CONFIG.NT</directories>
<directories check_all="yes">%WINDIR%/System32/AUTOEXEC.NT</directories>
<directories check_all="yes">%WINDIR%/System32/at.exe</directories>
<directories check_all="yes">%WINDIR%/System32/attrib.exe</directories>
<directories check_all="yes">%WINDIR%/System32/cacls.exe</directories>
<directories check_all="yes">%WINDIR%/System32/debug.exe</directories>
<directories check_all="yes">%WINDIR%/System32/drwatson.exe</directories>
<directories check_all="yes">%WINDIR%/System32/drwtsn32.exe</directories>
<directories check_all="yes">%WINDIR%/System32/edlin.exe</directories>
<directories check_all="yes">%WINDIR%/System32/eventcreate.exe</directories>
<directories check_all="yes">%WINDIR%/System32/eventtriggers.exe</directories>
<directories check_all="yes">%WINDIR%/System32/ftp.exe</directories>
<directories check_all="yes">%WINDIR%/System32/net.exe</directories>
<directories check_all="yes">%WINDIR%/System32/net1.exe</directories>
<directories check_all="yes">%WINDIR%/System32/netsh.exe</directories>
<directories check_all="yes">%WINDIR%/System32/rcp.exe</directories>
<directories check_all="yes">%WINDIR%/System32/reg.exe</directories>
<directories check_all="yes">%WINDIR%/regedit.exe</directories>
<directories check_all="yes">%WINDIR%/System32/regedt32.exe</directories>
<directories check_all="yes">%WINDIR%/System32/regsvr32.exe</directories>
<directories check_all="yes">%WINDIR%/System32/rexec.exe</directories>
<directories check_all="yes">%WINDIR%/System32/rsh.exe</directories>
<directories check_all="yes">%WINDIR%/System32/runas.exe</directories>
<directories check_all="yes">%WINDIR%/System32/sc.exe</directories>
<directories check_all="yes">%WINDIR%/System32/subst.exe</directories>
<directories check_all="yes">%WINDIR%/System32/telnet.exe</directories>
<directories check_all="yes">%WINDIR%/System32/tftp.exe</directories>
<directories check_all="yes">%WINDIR%/System32/tlntsvr.exe</directories>
<directories check_all="yes">%WINDIR%/System32/drivers/etc</directories>
<directories check_all="yes">C:\Documents and Settings/All Users/Start Menu/Programs/Startup</directories>
<ignore type="sregex">.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$</ignore>

<!-- Windows registry entries to monitor. -->
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\batfile</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\cmdfile</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\comfile</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\exefile</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\piffile</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Directory</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Folder</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Protocols</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Policies</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Security</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer</windows_registry>

<windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg</windows_registry>

<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon</windows_registry>

<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components</windows_registry>

<!-- Windows registry entries to ignore. -->
<registry_ignore>HKEY_LOCAL_MACHINE\Security\Policy\Secrets</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users</registry_ignore>
<registry_ignore type="sregex">\Enum$</registry_ignore>

<windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\crashonauditfail*</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections*</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon*</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser*</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle*</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\SOFTWARE*</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon*</windows_registry>
<alert_new_files>yes</alert_new_files>
</syscheck>
</agent_config>

<agent_config name="agent3|agent4">
<syscheck>
<frequency>3600</frequency>
<disabled>no</disabled>
<directories check_all="yes">D:\customexampledir</directories>

<!-- Default files to be monitored - system32 only. -->
<directories check_all="yes">%WINDIR%/win.ini</directories>
<directories check_all="yes">%WINDIR%/system.ini</directories>
<directories check_all="yes">C:\autoexec.bat</directories>
<directories check_all="yes">C:\config.sys</directories>
<directories check_all="yes">C:\boot.ini</directories>
<directories check_all="yes">%WINDIR%/System32/CONFIG.NT</directories>
<directories check_all="yes">%WINDIR%/System32/AUTOEXEC.NT</directories>
<directories check_all="yes">%WINDIR%/System32/at.exe</directories>
<directories check_all="yes">%WINDIR%/System32/attrib.exe</directories>
<directories check_all="yes">%WINDIR%/System32/cacls.exe</directories>
<directories check_all="yes">%WINDIR%/System32/debug.exe</directories>
<directories check_all="yes">%WINDIR%/System32/drwatson.exe</directories>
<directories check_all="yes">%WINDIR%/System32/drwtsn32.exe</directories>
<directories check_all="yes">%WINDIR%/System32/edlin.exe</directories>
<directories check_all="yes">%WINDIR%/System32/eventcreate.exe</directories>
<directories check_all="yes">%WINDIR%/System32/eventtriggers.exe</directories>
<directories check_all="yes">%WINDIR%/System32/ftp.exe</directories>
<directories check_all="yes">%WINDIR%/System32/net.exe</directories>
<directories check_all="yes">%WINDIR%/System32/net1.exe</directories>
<directories check_all="yes">%WINDIR%/System32/netsh.exe</directories>
<directories check_all="yes">%WINDIR%/System32/rcp.exe</directories>
<directories check_all="yes">%WINDIR%/System32/reg.exe</directories>
<directories check_all="yes">%WINDIR%/regedit.exe</directories>
<directories check_all="yes">%WINDIR%/System32/regedt32.exe</directories>
<directories check_all="yes">%WINDIR%/System32/regsvr32.exe</directories>
<directories check_all="yes">%WINDIR%/System32/rexec.exe</directories>
<directories check_all="yes">%WINDIR%/System32/rsh.exe</directories>
<directories check_all="yes">%WINDIR%/System32/runas.exe</directories>
<directories check_all="yes">%WINDIR%/System32/sc.exe</directories>
<directories check_all="yes">%WINDIR%/System32/subst.exe</directories>
<directories check_all="yes">%WINDIR%/System32/telnet.exe</directories>
<directories check_all="yes">%WINDIR%/System32/tftp.exe</directories>
<directories check_all="yes">%WINDIR%/System32/tlntsvr.exe</directories>
<directories check_all="yes">%WINDIR%/System32/drivers/etc</directories>
<directories check_all="yes">C:\Documents and Settings/All Users/Start Menu/Programs/Startup</directories>
<ignore type="sregex">.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$</ignore>

<!-- Windows registry entries to monitor. -->
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\batfile</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\cmdfile</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\comfile</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\exefile</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\piffile</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Directory</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Folder</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Protocols</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Policies</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Security</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer</windows_registry>

<windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg</windows_registry>

<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon</windows_registry>

<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components</windows_registry>

<!-- Windows registry entries to ignore. -->
<registry_ignore>HKEY_LOCAL_MACHINE\Security\Policy\Secrets</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users</registry_ignore>
<registry_ignore type="sregex">\Enum$</registry_ignore>

<windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\crashonauditfail*</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections*</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon*</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser*</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle*</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\SOFTWARE*</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon*</windows_registry>
<alert_new_files>yes</alert_new_files>
</syscheck>
</agent_config>


<agent_config name="agent5|agent6|agent7">
<syscheck>
<frequency>3600</frequency>
<disabled>no</disabled>
<directories check_all="yes">D:\customexampledir</directories>

<!-- Default files to be monitored - system32 only. -->
<directories check_all="yes">%WINDIR%/win.ini</directories>
<directories check_all="yes">%WINDIR%/system.ini</directories>
<directories check_all="yes">C:\autoexec.bat</directories>
<directories check_all="yes">C:\config.sys</directories>
<directories check_all="yes">C:\boot.ini</directories>
<directories check_all="yes">%WINDIR%/System32/CONFIG.NT</directories>
<directories check_all="yes">%WINDIR%/System32/AUTOEXEC.NT</directories>
<directories check_all="yes">%WINDIR%/System32/at.exe</directories>
<directories check_all="yes">%WINDIR%/System32/attrib.exe</directories>
<directories check_all="yes">%WINDIR%/System32/cacls.exe</directories>
<directories check_all="yes">%WINDIR%/System32/debug.exe</directories>
<directories check_all="yes">%WINDIR%/System32/drwatson.exe</directories>
<directories check_all="yes">%WINDIR%/System32/drwtsn32.exe</directories>
<directories check_all="yes">%WINDIR%/System32/edlin.exe</directories>
<directories check_all="yes">%WINDIR%/System32/eventcreate.exe</directories>
<directories check_all="yes">%WINDIR%/System32/eventtriggers.exe</directories>
<directories check_all="yes">%WINDIR%/System32/ftp.exe</directories>
<directories check_all="yes">%WINDIR%/System32/net.exe</directories>
<directories check_all="yes">%WINDIR%/System32/net1.exe</directories>
<directories check_all="yes">%WINDIR%/System32/netsh.exe</directories>
<directories check_all="yes">%WINDIR%/System32/rcp.exe</directories>
<directories check_all="yes">%WINDIR%/System32/reg.exe</directories>
<directories check_all="yes">%WINDIR%/regedit.exe</directories>
<directories check_all="yes">%WINDIR%/System32/regedt32.exe</directories>
<directories check_all="yes">%WINDIR%/System32/regsvr32.exe</directories>
<directories check_all="yes">%WINDIR%/System32/rexec.exe</directories>
<directories check_all="yes">%WINDIR%/System32/rsh.exe</directories>
<directories check_all="yes">%WINDIR%/System32/runas.exe</directories>
<directories check_all="yes">%WINDIR%/System32/sc.exe</directories>
<directories check_all="yes">%WINDIR%/System32/subst.exe</directories>
<directories check_all="yes">%WINDIR%/System32/telnet.exe</directories>
<directories check_all="yes">%WINDIR%/System32/tftp.exe</directories>
<directories check_all="yes">%WINDIR%/System32/tlntsvr.exe</directories>
<directories check_all="yes">%WINDIR%/System32/drivers/etc</directories>
<directories check_all="yes">C:\Documents and Settings/All Users/Start Menu/Programs/Startup</directories>
<ignore type="sregex">.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$</ignore>

<!-- Windows registry entries to monitor. -->
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\batfile</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\cmdfile</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\comfile</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\exefile</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\piffile</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Directory</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Folder</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Protocols</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Policies</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Security</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer</windows_registry>

<windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg</windows_registry>

<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon</windows_registry>

<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components</windows_registry>

<!-- Windows registry entries to ignore. -->
<registry_ignore>HKEY_LOCAL_MACHINE\Security\Policy\Secrets</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users</registry_ignore>
<registry_ignore type="sregex">\Enum$</registry_ignore>

<windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\crashonauditfail*</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections*</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon*</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser*</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle*</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\SOFTWARE*</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon*</windows_registry>
<alert_new_files>yes</alert_new_files>
</syscheck>
</agent_config>


Christopher Moraes
Jul 11, 2011, 12:08:55 PM
to ossec...@googlegroups.com
If you can attach your conf as a text file, I can have a look at it. The one you pasted below changed the line numbers, so I can't find anything around line 284.

Christopher Moraes
Jul 11, 2011, 12:13:44 PM
to ossec...@googlegroups.com
I passed this through verify-agent-conf and got no errors. The only change I made was to remove newline chars, so that each XML element is on a single line.


On Mon, Jul 11, 2011 at 11:18 AM, brighamr <glennb...@gmail.com> wrote:

brighamr
Jul 11, 2011, 2:06:45 PM
to ossec-list
Hi Chris,

I sent another message with the file attached; thank you for your quick response. I double-checked my file and there are no newline chars; each element does have its own line. Can you think of any other reason why it still fails verify-agent-conf?

Please look at the attachment on the other e-mail if needed. Thanks!
Glenn

On Jul 11, 10:13 am, Christopher Moraes <cmoraes....@gmail.com> wrote:
> I passed this through verify-agent-conf and got no errors. The only change
> I made was to remove newline chars, so that each XML element is on a single
> line.
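Added example, not from any post in this thread and not OSSEC code: a small Python pre-check that does what Chris did by hand before handing the file to verify-agent-conf. It flags closing tags that were wrapped onto the following line (a trailing "</" with the element name starting the next line, which is what a mail client or a pasted listing does to long elements), rejoins them, and then parses the file with a strict XML parser so that the reported line number and the innermost element still open refer to the file as it sits on disk, the same numbering an "element not closed ... line 284" message uses. It assumes nothing beyond the Python standard library; the synthetic root element name and the sample fragment are constructed for the example, and OSSEC's own parser (os_xml) has the final say, so still run verify-agent-conf on the result.

```python
"""Pre-flight check for an OSSEC agent.conf before running verify-agent-conf.

Editorial example, not OSSEC code. Uses only the standard library and a
strict XML parser (expat); os_xml in OSSEC remains the authority.
"""
import re
import xml.parsers.expat

# agent.conf carries several top-level <agent_config> elements and no document
# root, which a strict XML parser rejects. Wrap it in a synthetic root (name is
# arbitrary, chosen here) and shift reported line numbers back by one.
ROOT = "ossec_agent_conf"

# "</" left alone at the end of a line is the signature of a wrapped element:
# the element name then starts the next line and the parser sees an invalid
# token there (or, in OSSEC's words, an element that is "not closed").
SPLIT_CLOSE_RE = re.compile(r"</[ \t]*$")
REJOIN_RE = re.compile(r"</[ \t]*\n[ \t]*([A-Za-z_][\w.-]*>)")


def find_split_closing_tags(text):
    """1-based line numbers whose closing tag was wrapped onto the next line."""
    return [n for n, line in enumerate(text.splitlines(), 1)
            if SPLIT_CLOSE_RE.search(line)]


def rejoin_split_tags(text):
    """Undo the wrap: join a trailing '</' with the element name that follows it."""
    return REJOIN_RE.sub(r"</\1", text)


def check_agent_conf(text):
    """Parse agent.conf as strict XML and report where it breaks.

    Returns a dict with ok, error (expat's short message), line (in the
    original file's numbering), element (innermost element still open when
    parsing failed, i.e. the one OSSEC would report as not closed) and
    agent_configs (the name= attributes seen before any failure).
    """
    names, open_elements = [], []

    def start(tag, attrs):
        open_elements.append(tag)
        if tag == "agent_config":
            names.append(attrs.get("name", ""))

    def end(tag):
        open_elements.pop()

    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    wrapped = "<%s>\n%s\n</%s>" % (ROOT, text, ROOT)
    try:
        parser.Parse(wrapped, True)
    except xml.parsers.expat.ExpatError as exc:
        innermost = open_elements[-1] if open_elements else None
        return {"ok": False,
                "error": str(exc).split(": line")[0],
                "line": exc.lineno - 1,  # drop the synthetic root line
                "element": None if innermost == ROOT else innermost,
                "agent_configs": names}
    return {"ok": True, "error": None, "line": None, "element": None,
            "agent_configs": names}


# Constructed sample, not the file from the thread: a fragment as it arrives
# through a mail client, with the closing tag of line 4 wrapped onto line 5.
WRAPPED_SAMPLE = r"""<agent_config name="agent1|agent2">
<syscheck>
<frequency>3600</frequency>
<directories check_all="yes">%WINDIR%/System32/CONFIG.NT</
directories>
<directories check_all="yes">C:\boot.ini</directories>
</syscheck>
</agent_config>
"""


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = WRAPPED_SAMPLE
    for n in find_split_closing_tags(text):
        print("line %d: closing tag wrapped onto the next line" % n)
    result = check_agent_conf(text)
    if result["ok"]:
        print("well-formed; agent_config blocks: %s" % ", ".join(result["agent_configs"]))
    else:
        print("XML error: %s at line %s (element still open: %s)"
              % (result["error"], result["line"], result["element"]))
```

Run it as "python check_agent_conf.py /var/ossec/etc/shared/agent.conf" (path assumed) and fix the lines it names in that file rather than in a pasted copy; on the constructed sample it reports line 4 with "directories" still open, and the rejoined text parses cleanly. A genuinely missing close tag (say, no </syscheck> before </agent_config>) is reported as a mismatched tag at the line of the outer close, with "syscheck" as the element still open, which is the case the strict parser and verify-agent-conf agree on.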