Clarification on Windows ossec.conf vs shared/agent.conf

tao_zhyn
Jan 16, 2012, 4:09:03 PM
to ossec-list
I am testing out Centralized agent configuration to a Windows machine.

Setup
=====
Manager:
* CentOS 5
* OSSEC v2.6
* Created and modified /var/ossec/etc/shared/agent.conf
* For testing purposes I copied everything from the Windows ossec.conf
"Default Configuration" into the agent.conf.
* Modified permissions as follows: -rw-r--r-- 1 root ossec 902 Jan
16 09:59 agent.conf

Agent:
* Windows 2003
* Windows agent version 2.6
* Installed and running as expected


From the Documentation, http://www.ossec.net/doc/manual/agent/agent-configuration.html
it is not entirely clear how this works.

At first I was waiting for C:\Program Files\ossec-agent\ossec.conf to
be modified after trying to push out the configuration from the
manager (restarted the manager and forced an integrity/rootkit check on
the client). I thought it would replace the content in C:\Program
Files\ossec-agent\ossec.conf with the applicable configuration
settings from /var/ossec/etc/shared/agent.conf.

I finally realized that it copies /var/ossec/etc/shared/agent.conf to
C:\Program Files\ossec-agent\shared\agent.conf. So it looks like it
is working.
This would explain why I see the following error message:
2012/01/16 08:55:54 ossec-agent(1756): ERROR: Duplicated directory given: 'C:\WINDOWS/win.ini'.

Does this mean the windows agent loads both ossec.conf and shared/
agent.conf?
If so, which one has precedence? For examples if I have
"<frequency>72000</frequency>" in ossec.conf and "<frequency>43200</
frequency>" in shared/agent.conf, which setting gets applied?


Bonus Question
I also have the following WARNings in my log (on the windows machine):

2012/01/16 13:48:24 ossec-agent: INFO: Ending rootcheck scan.
2012/01/16 13:48:24 ossec-agent: INFO: Starting syscheck scan.
2012/01/16 13:55:03 ossec-agent: WARN: Unknown message received. No
action defined.
....<repeated several times>
2012/01/16 13:55:05 ossec-agent: WARN: Unknown message received. No
action defined.
2012/01/16 13:59:03 ossec-agent: INFO: Event count after '20000':
8179674->5417984 (66%)
2012/01/16 14:00:59 ossec-agent: INFO: Ending syscheck scan.
2012/01/16 14:01:45 ossec-agent: WARN: Unknown message received. No
action defined.
...<repeated several times>

This only started showing up after I started testing centralized agent
configuration. If it helps I can post my agent.conf.


dan (ddp)
Jan 16, 2012, 7:13:44 PM
to ossec...@googlegroups.com
On Mon, Jan 16, 2012 at 4:09 PM, tao_zhyn <tao...@gmail.com> wrote:
> I am testing out Centralized agent configuration to a Windows machine.
>
> Setup
> =====
> Manager:
> * CentOS 5
> * OSSEC v2.6
> * Created and modified /var/ossec/etc/shared/agent.conf
> * For testing purposes I copied everything from the Windows ossec.conf
> "Default Configuration" into the agent.conf.
> * Modified permissions as follows: -rw-r--r-- 1 root   ossec   902 Jan
> 16 09:59 agent.conf
>
> Agent:
> * Windows 2003
> * Windows agent version 2.6
> * Installed and running as expected
>
>
> From the Documentation,  http://www.ossec.net/doc/manual/agent/agent-configuration.html
> it is not entirely clear how this works.
>
> At first I was waiting for C:\Program Files\ossec-agent\ossec.conf to
> be modified after trying to push out the configuration from the
> manager (restarted the manager and forced an integrity/rootkit check on
> the client).  I thought it would replace the content in C:\Program
> Files\ossec-agent\ossec.conf with the applicable configuration
> settings from /var/ossec/etc/shared/agent.conf.
>

At no point did I see anything in the documentation that suggested
ossec.conf would be modified. Which part of the doc gave you this
impression? I can try to work on making it better.

> I finally realized that it copies /var/ossec/etc/shared/agent.conf to
> C:\Program Files\ossec-agent\shared\agent.conf.  So it looks like it
> is working.
> This would explain why I see the following error message:
> 2012/01/16 08:55:54 ossec-agent(1756): ERROR: Duplicated directory given: 'C:\WINDOWS/win.ini'.
>
> Does this mean the windows agent loads both ossec.conf and shared/
> agent.conf?
> If so, which one has precedence? For examples if I have
> "<frequency>72000</frequency>" in ossec.conf and "<frequency>43200</
> frequency>" in shared/agent.conf, which setting gets applied?
>

I believe the ossec.conf version. I generally keep the ossec.conf on
agents as simple as possible, usually containing only the IP of the
manager.

>
> Bonus Question
> I also have the following WARNings in my log (on the windows machine):
>
> 2012/01/16 13:48:24 ossec-agent: INFO: Ending rootcheck scan.
> 2012/01/16 13:48:24 ossec-agent: INFO: Starting syscheck scan.
> 2012/01/16 13:55:03 ossec-agent: WARN: Unknown message received. No
> action defined.
> ....<repeated several times>
> 2012/01/16 13:55:05 ossec-agent: WARN: Unknown message received. No
> action defined.
> 2012/01/16 13:59:03 ossec-agent: INFO: Event count after '20000':
> 8179674->5417984 (66%)
> 2012/01/16 14:00:59 ossec-agent: INFO: Ending syscheck scan.
> 2012/01/16 14:01:45 ossec-agent: WARN: Unknown message received. No
> action defined.
> ...<repeated several times>
>
> This only started showing up after I started testing centralized agent
> configuration. If it helps I can post my agent.conf.
>
>

Other than these messages, is the agent working? Please post the
agent.conf, I've never seen these messages.

tao_zhyn
Jan 17, 2012, 6:37:23 PM
to ossec-list


On Jan 16, 5:13 pm, "dan (ddp)" <ddp...@gmail.com> wrote:
No, the documentation did not give that impression. It does not mention
anything about what happens on the client side. It was an initial
assumption that I made.
I think it would be good to mention which files are affected on the
client (both Windows and Linux) when a configuration is pushed from
the manager.
For instance, does everything in shared sync between agent and manager,
or is it only agent.conf?

>
> > I finally realized that it copies /var/ossec/etc/shared/agent.conf to
> > C:\Program Files\ossec-agent\shared\agent.conf.  So it looks like it
> > is working.
> > This would explain why I see the following error message:
> > 2012/01/16 08:55:54 ossec-agent(1756): ERROR: Duplicated directory given: 'C:\WINDOWS/win.ini'.
>
> > Does this mean the windows agent loads both ossec.conf and shared/
> > agent.conf?
> > If so, which one has precedence? For examples if I have
> > "<frequency>72000</frequency>" in ossec.conf and "<frequency>43200</
> > frequency>" in shared/agent.conf, which setting gets applied?
>
> I believe the ossec.conf version. I generally keep the ossec.conf on
> agents as simple as possible, usually containing only the IP of the
> manager.
>
>

I tried taking a quick review of the source code. It looks like the
client loads ossec.conf when it starts. Then it loads agent.conf when
it loads each system, log collector, system check and rootkit check.

>
> > Bonus Question
> > I also have the following WARNings in my log (on the windows machine):
>
> > 2012/01/16 13:48:24 ossec-agent: INFO: Ending rootcheck scan.
> > 2012/01/16 13:48:24 ossec-agent: INFO: Starting syscheck scan.
> > 2012/01/16 13:55:03 ossec-agent: WARN: Unknown message received. No
> > action defined.
> > ....<repeated several times>
> > 2012/01/16 13:55:05 ossec-agent: WARN: Unknown message received. No
> > action defined.
> > 2012/01/16 13:59:03 ossec-agent: INFO: Event count after '20000':
> > 8179674->5417984 (66%)
> > 2012/01/16 14:00:59 ossec-agent: INFO: Ending syscheck scan.
> > 2012/01/16 14:01:45 ossec-agent: WARN: Unknown message received. No
> > action defined.
> > ...<repeated several times>
>
> > This only started showing up after I started testing centralized agent
> > configuration. If it helps I can post my agent.conf.
>
> Other than these messages, is the agent working? Please post the
> agent.conf, I've never seen these messages.

My initial (test) agent.conf was just a copy and paste of everything
in ossec.conf between <ossec_config> tags (as shown below).

<!-- Windows Agents Config -->
<agent_config os="Windows">
  <!-- One entry for each file/Event log to monitor. -->
  <localfile>
    <location>Application</location>
    <log_format>eventlog</log_format>
  </localfile>

  <localfile>
    <location>Security</location>
    <log_format>eventlog</log_format>
  </localfile>

  <localfile>
    <location>System</location>
    <log_format>eventlog</log_format>
  </localfile>

  <!-- Rootcheck - Policy monitor config -->
  <rootcheck>
    <windows_audit>./shared/win_audit_rcl.txt</windows_audit>
    <windows_apps>./shared/win_applications_rcl.txt</windows_apps>
    <windows_malware>./shared/win_malware_rcl.txt</windows_malware>
  </rootcheck>

  <!-- Syscheck - Integrity Checking config. -->
  <syscheck>
    <!-- Scan frequency in seconds; 43200 is every 12 hours. It doesn't
         need to be higher on most systems and once a day should be enough. -->
    <frequency>43200</frequency>

    <!-- By default it is disabled. In the Install you must choose
         to enable it. -->
    <disabled>no</disabled>

    <!-- Default files to be monitored - system32 only. -->
    <directories check_all="yes">%WINDIR%/win.ini</directories>
    <directories check_all="yes">%WINDIR%/system.ini</directories>
    <directories check_all="yes">C:\autoexec.bat</directories>
    <directories check_all="yes">C:\config.sys</directories>
    <directories check_all="yes">C:\boot.ini</directories>
    <directories check_all="yes">%WINDIR%/System32/CONFIG.NT</directories>
    <directories check_all="yes">%WINDIR%/System32/AUTOEXEC.NT</directories>
    <directories check_all="yes">%WINDIR%/System32/at.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/attrib.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/cacls.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/debug.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/drwatson.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/drwtsn32.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/edlin.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/eventcreate.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/eventtriggers.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/ftp.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/net.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/net1.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/netsh.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/rcp.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/reg.exe</directories>
    <directories check_all="yes">%WINDIR%/regedit.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/regedt32.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/regsvr32.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/rexec.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/rsh.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/runas.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/sc.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/subst.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/telnet.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/tftp.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/tlntsvr.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/drivers/etc</directories>
    <directories check_all="yes">C:\Documents and Settings/All Users/Start Menu/Programs/Startup</directories>
    <ignore type="sregex">.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$</ignore>

    <!-- Windows registry entries to monitor. -->
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\batfile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\cmdfile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\comfile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\exefile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\piffile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Directory</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Folder</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Protocols</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Policies</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Security</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer</windows_registry>

    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg</windows_registry>

    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon</windows_registry>

    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components</windows_registry>

    <!-- Windows registry entries to ignore. -->
    <registry_ignore>HKEY_LOCAL_MACHINE\Security\Policy\Secrets</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users</registry_ignore>
    <registry_ignore type="sregex">\Enum$</registry_ignore>
  </syscheck>

  <active-response>
    <disabled>yes</disabled>
  </active-response>
</agent_config>

<!-- Linux Agents Config -->
<agent_config os="Linux">
</agent_config>


My new agent.conf:

<!-- Windows Agents Config -->
<agent_config os="Windows">
<!-- Every 12 hours (43200) -->
<syscheck>
<frequency>43200</frequency>
<disabled>no</disabled>
</syscheck>
</agent_config>

<!-- Linux Agents Config -->
<agent_config os="Linux">
</agent_config>


With this new agent.conf I am not seeing the error messages. It looks
like it didn't like several of the lines in my old agent.conf.
It would be handy if the generic error message included a line
number or the message it failed on.
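Since the agent reads both its local ossec.conf and the pushed shared/agent.conf, the "Duplicated directory given" error and the frequency-precedence question from the first post can both be caught on the manager before the file is pushed. The following checker is an added example written for this thread, not OSSEC code: it parses both files, expands %WINDIR% (assumed to be C:\WINDOWS, matching the path in the quoted error), normalizes slashes and case, reports any <directories> entry present in both files, and lists scalar settings such as syscheck/frequency that the two files set to different values. It assumes the os attribute of <agent_config> is matched exactly, which is a simplification, and the two sample configs embedded in it are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

# Assumption: what %WINDIR% expands to on the agent (matches the quoted error).
WINDIR = r"C:\WINDOWS"

# Constructed sample: a trimmed local ossec.conf on a Windows agent ...
OSSEC_CONF = """
<ossec_config>
  <client><server-ip>192.0.2.10</server-ip></client>
  <syscheck>
    <frequency>72000</frequency>
    <directories check_all="yes">%WINDIR%/win.ini</directories>
    <directories check_all="yes">%WINDIR%/system.ini</directories>
  </syscheck>
</ossec_config>
"""

# ... and a constructed shared agent.conf pushed from the manager.
AGENT_CONF = r"""
<!-- Windows Agents Config -->
<agent_config os="Windows">
  <syscheck>
    <frequency>43200</frequency>
    <directories check_all="yes">C:\WINDOWS\win.ini,C:\boot.ini</directories>
  </syscheck>
</agent_config>
<!-- Linux Agents Config -->
<agent_config os="Linux">
  <syscheck><directories check_all="yes">/etc,/usr/bin</directories></syscheck>
</agent_config>
"""


def parse_fragments(text):
    """OSSEC config files may hold several top-level elements and no single
    root, so wrap the text before handing it to ElementTree."""
    return ET.fromstring("<root>" + text + "</root>")


def normalize_path(path):
    """Fold %WINDIR%, slash direction and case so the same file written two
    ways compares equal (Windows paths are case-insensitive)."""
    path = path.strip().replace("%WINDIR%", WINDIR).replace("\\", "/")
    return path.lower().rstrip("/")


def applies_to(block, os_name):
    """An <agent_config> without an os attribute applies to every agent.
    Assumption: an exact match on the os attribute is good enough here."""
    return block.tag != "agent_config" or block.get("os") in (None, os_name)


def syscheck_dirs(root, os_name):
    """Normalized <directories> entries (comma lists split) for one OS."""
    dirs = []
    for block in root:
        if applies_to(block, os_name):
            for d in block.iter("directories"):
                dirs.extend(normalize_path(p) for p in (d.text or "").split(",") if p.strip())
    return dirs


def scalar_values(root, path, os_name):
    """Text of every element at path (e.g. 'syscheck/frequency') for one OS."""
    return [(el.text or "").strip()
            for block in root if applies_to(block, os_name)
            for el in block.findall(path)]


def find_duplicates(local_text, shared_text, os_name="Windows"):
    """Directories listed more than once across ossec.conf and agent.conf;
    these are what the agent rejects as 'Duplicated directory given'."""
    seen, dups = set(), set()
    for d in (syscheck_dirs(parse_fragments(local_text), os_name)
              + syscheck_dirs(parse_fragments(shared_text), os_name)):
        if d in seen:
            dups.add(d)
        seen.add(d)
    return sorted(dups)


def find_scalar_conflicts(local_text, shared_text, os_name="Windows",
                          paths=("syscheck/frequency", "syscheck/disabled",
                                 "rootcheck/frequency")):
    """Settings present in both files with different values. Which value the
    agent honours should be confirmed on the agent, not assumed."""
    local, shared = parse_fragments(local_text), parse_fragments(shared_text)
    conflicts = {}
    for p in paths:
        lv, sv = scalar_values(local, p, os_name), scalar_values(shared, p, os_name)
        if lv and sv and lv[-1] != sv[-1]:
            conflicts[p] = (lv[-1], sv[-1])
    return conflicts


if __name__ == "__main__":
    for d in find_duplicates(OSSEC_CONF, AGENT_CONF):
        print("duplicate directory:", d)
    for p, (lv, sv) in find_scalar_conflicts(OSSEC_CONF, AGENT_CONF).items():
        print(f"conflict on {p}: ossec.conf={lv} agent.conf={sv}")
```

Run it on the manager with the real /var/ossec/etc/shared/agent.conf and a copy of the agent's ossec.conf in place of the embedded samples; an empty duplicate list means the pushed file will not collide with what the agent already monitors, and the conflict list shows exactly which settings you need to remove from one side (dan's suggestion of a near-empty local ossec.conf makes both lists trivially empty).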