fix 'WARN: Syscheck disabled' when using Centralized Config agent.conf

Michael Altfield

May 18, 2011, 10:04:54 AM
to ossec-list
Hi list,

Has anyone gotten syscheck to work when using the Centralized
Configuration file for defining <syscheck />? No matter what I tried,
I keep getting

================================================================================
...
ossec-syscheckd(1702): INFO: No directory provided for syscheck to
monitor.
ossec-syscheckd: WARN: Syscheck disabled.
...
================================================================================

messages when I restart ossec.

Here's my agent's etc/ossec.conf:
================================================================================
<ossec_config>
<client>
<server-ip>10.0.0.1</server-ip>
</client>
</ossec_config>
================================================================================

Here's my etc/shared/agent.conf:
================================================================================
<agent_config>
<syscheck>
<!-- Frequency that syscheck is executed - default to every 22 hours -->
<frequency>79200</frequency>

<!-- Directories to check (perform all possible verifications) -->
<directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
<directories check_all="yes">/bin,/sbin</directories>
<directories check_all="yes">/datalex</directories>

<!-- Files/directories to ignore -->
<ignore>/etc/mtab</ignore>
<ignore>/etc/mnttab</ignore>
<ignore>/etc/hosts.deny</ignore>
<ignore>/etc/mail/statistics</ignore>
<ignore>/etc/random-seed</ignore>
<ignore>/etc/adjtime</ignore>
<ignore>/etc/httpd/logs</ignore>
<ignore>/etc/utmpx</ignore>
<ignore>/etc/wtmpx</ignore>
<ignore>/etc/cups/certs</ignore>
<ignore>/etc/dumpdates</ignore>
<ignore>/etc/svc/volatile</ignore>

<!-- Windows files to ignore -->
<ignore>C:\WINDOWS/System32/LogFiles</ignore>
<ignore>C:\WINDOWS/Debug</ignore>
<ignore>C:\WINDOWS/WindowsUpdate.log</ignore>
<ignore>C:\WINDOWS/iis6.log</ignore>
<ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
<ignore>C:\WINDOWS/system32/wbem/Repository</ignore>
<ignore>C:\WINDOWS/Prefetch</ignore>
<ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
<ignore>C:\WINDOWS/SoftwareDistribution</ignore>
<ignore>C:\WINDOWS/Temp</ignore>
<ignore>C:\WINDOWS/system32/config</ignore>
<ignore>C:\WINDOWS/system32/spool</ignore>
<ignore>C:\WINDOWS/system32/CatRoot</ignore>
</syscheck>
<agent_config>
================================================================================

TIA
-Michael

dan (ddp)

May 18, 2011, 1:48:00 PM
to ossec...@googlegroups.com
Using the agent.conf for syscheck works for me on the agents (it does
not work on the manager).
Make sure the agent.conf has been transferred to the agents.
Make sure the permissions make it readable by the agents.
Is the agent.conf below the entirety of your agent.conf? Did you
copy/paste it from an ossec.conf? Simple typos can cause havoc in the
agent.conf.

Michael Altfield

May 18, 2011, 2:43:09 PM
to ossec-list
Hi Dan,

Thanks for the quick reply. Glad to hear someone else got this
working! Unfortunately, I still can't get syscheckd to recognize its
settings in agent.conf. Is your config much different from my own? Any
chance you can post yours so I can compare?

I've answered your questions below. Any other ideas?

-Michael

On May 18, 1:48 pm, "dan (ddp)" <ddp...@gmail.com> wrote:
> Using the agent.conf for syscheck works for me on the agents (it does
> not work on the manager).
> Make sure the agent.conf has been transferred to the agents.

agent.conf has been transferred to the agents (verified through the hash from bin/manage_agents and by checking the Agent's etc/shared/agent.conf file contents) and I restarted the ossec agent's process after checking this.

> Make sure the permissions make it readable by the agents.

[root@ossec-agent4 ossec]# ls -lah /var/ossec/etc/shared/agent.conf
-rw-r--r-- 1 ossec ossec 2.5K May 18 12:05 /var/ossec/etc/shared/agent.conf

> Is the agent.conf below the entirety of your agent.conf? Did you
> copy/paste it from an ossec.conf? Simple typos can cause havoc in the
> agent.conf.

What I pasted is the entire contents, yes. I created it by copy+pasting from ossec.conf to eliminate fat-fingered mistakes.

Jeremy Lee

May 18, 2011, 3:04:36 PM
to ossec...@googlegroups.com
Ditto Dan's comment on typos. I screwed up my conf in forgetting to put a close bracket on a directive and couldn't figure out what was wrong for the life of me. Fortunately, it was the very last line I added to agent.conf. After fixing it everything worked perfectly. So make sure all your directives are valid (and using valid input) and make sure there are no syntax errors. Double-check and the best way, really, is just to start off small.

In fact, I just reviewed your agent.conf that you listed and found something below (in red):
That should be </agent_config> I believe :)

Unless you inadvertently pasted that into your initial thread by accident and really do have the slash there in the conf. But let us know!


--Jeremy

Michael Altfield

May 18, 2011, 3:57:32 PM
to ossec-list
Eh, never mind. The issue is in the XML I posted for my etc/shared/agent.conf. My final close tag was "<agent_config>" instead of "</agent_config>". Thanks to Michael Starks for suggesting I run bin/verify-agent-conf.

Though the documentation on this binary is empty (http://www.ossec.net/doc/programs/verify-agent-conf.html), it looks like this binary checks the syntax of your configuration file. It must be run from the OSSEC Manager.

[root@ossec-manager ~]# cd /var/ossec
[root@ossec-manager ossec]# bin/verify-agent-conf
2011/05/18 15:55:13 ossec-config(1226): ERROR: Error reading XML file '/var/ossec/etc/shared/agent.conf': XML ERR: End of file and some elements were not closed (line 73).

Thanks for your input!
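The OSSEC error above only points at the EOF line, not at the element that was left open. The script below is an added example (not OSSEC's bin/verify-agent-conf and not from any poster in this thread): it parses an agent.conf with Python's standard expat parser, names every element still open when parsing fails together with the line where it was opened, and flags a <syscheck> that lists no <directories>. It works on a constructed, trimmed agent.conf with the same defect as the one posted; expat is a strict XML parser, so it may reject input that OSSEC's own parser tolerates.

```python
import xml.parsers.expat

# Constructed sample, same defect as the agent.conf in the thread: the root
# element is "closed" with a second <agent_config> instead of </agent_config>.
BROKEN_AGENT_CONF = """<agent_config>
<syscheck>
<frequency>79200</frequency>
<directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
<ignore>/etc/mtab</ignore>
</syscheck>
<agent_config>
"""
FIXED_AGENT_CONF = BROKEN_AGENT_CONF.replace("\n<agent_config>\n", "\n</agent_config>\n")


def check_agent_conf(text):
    """Parse an agent.conf with expat while tracking open elements.

    Returns (ok, problems): problems names each element still open at the
    point of failure with its opening line, and warns when <syscheck> has no
    <directories>, which is what makes syscheckd log 'Syscheck disabled'.
    """
    parser = xml.parsers.expat.ParserCreate()
    stack = []            # (tag, line) for each element not yet closed
    root = [None]         # name of the first element seen
    directories = [0]     # <directories> entries directly under <syscheck>
    problems = []

    def start(name, attrs):
        if root[0] is None:
            root[0] = name
        if name == "directories" and stack and stack[-1][0] == "syscheck":
            directories[0] += 1
        stack.append((name, parser.CurrentLineNumber))

    def end(name):
        stack.pop()   # expat raises on a mismatched tag before calling this

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    try:
        parser.Parse(text, True)
    except xml.parsers.expat.ExpatError as err:
        problems.append("XML error: %s" % err)
        for tag, line in stack:
            problems.append("<%s> opened at line %d was never closed" % (tag, line))
    if root[0] != "agent_config":
        problems.append("root element is <%s>, expected <agent_config>" % root[0])
    if directories[0] == 0:
        problems.append("no <directories> under <syscheck>: syscheckd would report 'No directory provided' and disable itself")
    return (not problems, problems)
```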