Ossec agent ossec.conf issue


Daniel Jochims

Jul 3, 2013, 4:16:35 PM
to ossec...@googlegroups.com
I'm trying to set up OSSEC agents on Windows Server 03/08/12. Would anybody have an example custom ossec.conf agent file they could share? I know that newer Windows servers do not have all the files that are originally listed in the default ossec.conf, so I was wondering what others have started to monitor in place of them.

Checking my agent log, this is what I'm getting with the default agent ossec.conf:

2013/07/03 13:01:23 ossec-agent: WARN: Error opening directory: 'C:\boot.ini': No such file or directory
2013/07/03 13:01:23 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/CONFIG.NT': No such file or directory
2013/07/03 13:01:23 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/AUTOEXEC.NT': No such file or directory
2013/07/03 13:01:23 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/debug.exe': No such file or directory
2013/07/03 13:01:23 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/drwatson.exe': No such file or directory
2013/07/03 13:01:23 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/drwtsn32.exe': No such file or directory
2013/07/03 13:01:23 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/edlin.exe': No such file or directory
2013/07/03 13:01:23 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/eventtriggers.exe': No such file or directory
2013/07/03 13:01:23 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/rcp.exe': No such file or directory
2013/07/03 13:01:23 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/rexec.exe': No such file or directory
2013/07/03 13:01:23 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/rsh.exe': No such file or directory
2013/07/03 13:01:25 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/telnet.exe': No such file or directory
2013/07/03 13:01:25 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/tftp.exe': No such file or directory
2013/07/03 13:01:25 ossec-agent: WARN: Error opening directory: 'C:\Windows/System32/tlntsvr.exe': No such file or directory
2013/07/03 13:01:25 ossec-agent: WARN: Error opening directory: 'C:\Windows\System32\bcdedit.exe': No such file or directory
2013/07/03 13:01:25 ossec-agent: INFO: Finished creating syscheck database (pre-scan completed).
 
 
An example of what I'm trying to do would be:

<directories check_all="yes">C:\Windows\System32\bcdedit.exe</directories>

boot.ini was replaced in Windows Vista+ with BCD, so this would be something I'd like to check on. I tried to implement this in the conf file but I'm having no luck getting it to work.
 
Any suggestions are gladly taken.

David Blanton

Jul 5, 2013, 10:29:52 AM
to ossec...@googlegroups.com
If you've removed those paths/directories from being monitored, try restarting OSSEC and the agent as well.

/var/ossec/bin/agent_control -R ###

Daniel Jochims

Jul 5, 2013, 11:54:34 AM
to ossec...@googlegroups.com
I know that they are not there, but I keep them in the config for older servers that will still have those files/paths. The errors are not my problem; I'm just looking for what other people's ossec.conf on their agent looks like. I'm trying to get a perspective on other files that they may be monitoring that I currently am not. An example is how I'm trying to monitor bcdedit.exe. That file was the replacement for boot.ini in newer Windows operating systems. I'm just not getting it implemented correctly, which is why I'm looking for a more experienced person's agent ossec.conf file to base rules off of.

David Blanton

Jul 5, 2013, 1:37:47 PM
to ossec...@googlegroups.com
Oh I see. I don't currently have any Windows agents, so I cannot help you there. All my work machines are Linux RHEL5 or SunOS.

Could you go on the agent-side machine, open up the /etc/ossec.log folder and paste the errors from there? There should be more information.

Also when you try to restart, does the agent start up correctly?

Evros Nireas

Oct 31, 2014, 7:32:18 AM
to ossec...@googlegroups.com
Hello All,

I also have the same problem but do not know how to resolve it. I want to add my second disk on the server to check, but I have this log

"2014/10/31 13:21:42 ossec-agent: WARN: Error opening directory: 'realtime="yes">E:\.': No such file or directory"

Any suggestion?

Best Regards,
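As an added example (not code from anyone in this thread), a small Python linter for an agent's `<syscheck>` block. It separates two things the thread mixes together: entries whose path text contains a leaked tag attribute, which is one way a path like `realtime="yes">E:\.` can reach the log, and entries that are merely absent on the host (boot.ini on Vista+), which only produce the harmless "Error opening directory" warnings. The sample config and the injectable `exists` hook are constructed so the check runs offline.

```python
"""Lint the <directories> entries of an OSSEC agent ossec.conf syscheck block."""
import os
import re
import xml.etree.ElementTree as ET

# Constructed sample config: a legacy boot.ini entry kept for older servers, the
# bcdedit.exe entry from the thread, a comma-separated list, and a broken entry
# where the attribute was typed after the '>' of the opening tag. XML allows a
# bare '>' in text, so the parser accepts it and OSSEC treats it as the path.
SAMPLE_CONF = """<ossec_config>
  <syscheck>
    <frequency>79200</frequency>
    <directories check_all="yes">C:\\boot.ini</directories>
    <directories check_all="yes">C:\\Windows\\System32\\bcdedit.exe</directories>
    <directories check_all="yes">C:\\Windows\\System32\\drivers\\etc,C:\\Windows\\win.ini</directories>
    <directories>realtime="yes">E:\\.</directories>
  </syscheck>
</ossec_config>
"""

# A Windows path can never contain '>' (invalid filename character) or an
# attr="value" fragment; either one means a tag attribute leaked into the text.
LEAKED_ATTR = re.compile(r'>|\w+="[^"]*"')


def syscheck_entries(conf_text):
    """Return [(path, attributes)] for each <directories> entry, one per comma-separated path."""
    root = ET.fromstring(conf_text)
    entries = []
    for node in root.iter("directories"):
        for raw in (node.text or "").split(","):
            path = raw.strip()
            if path:
                entries.append((path, dict(node.attrib)))
    return entries


def lint_syscheck(conf_text, exists=os.path.exists):
    """Classify entries as 'malformed' (leaked attribute), 'missing' (absent on host) or 'ok'.

    `exists` is injectable so the check can run against a fixture instead of this machine.
    """
    report = {"malformed": [], "missing": [], "ok": []}
    for path, _attrs in syscheck_entries(conf_text):
        if LEAKED_ATTR.search(path):
            report["malformed"].append(path)
        elif not exists(path):
            report["missing"].append(path)
        else:
            report["ok"].append(path)
    return report


if __name__ == "__main__":
    # Simulated Windows Server 2012 host: BCD-era files present, boot.ini gone.
    host = {r"C:\Windows\System32\bcdedit.exe", r"C:\Windows\System32\drivers\etc", r"C:\Windows\win.ini"}
    for kind, paths in lint_syscheck(SAMPLE_CONF, exists=host.__contains__).items():
        for p in paths:
            print(f"{kind:9} {p}")
```

Only the "malformed" class needs a config fix; "missing" entries are the expected warnings for paths kept around for older servers.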