Re: [ossec-list] syscheck errors - Unable to create directory and Unable to rename file


dan (ddp)

Dec 19, 2012, 10:22:00 AM
to ossec...@googlegroups.com
On Wed, Dec 19, 2012 at 9:53 AM, Lsilverman
<lsilv...@chargeanywhere.com> wrote:
> Let me start off with I love ossec, It's an amazing product if you take the
> time to learn it and tune it. My manager is a CentOS box and my agent in
> question is a Win 2003 R2 SP2 box.
>
> Syscheck seems to be very buggy, unless I am doing something wrong. There is
> a directory on my agent that should never ever change - c:\lou. There is a
> log dir within that dir which changes and should be ignored. I added this to
> that agents ossec config:
>
> <ossec_config>
> <syscheck>
> <alert_new_files>yes</alert_new_files>
> <directories realtime="yes" report_changes="yes"
> check_all="yes">C:\lou</directories>
> <ignore>C:\lou\logs</ignore>
> </syscheck>
> </ossec_config>
>
> I restarted ossec and I see the dir being monitored:
> 2012/12/18 17:06:26 ossec-agent: INFO: Monitoring directory: 'C:\lou'.
>
>
> I added a rule to my manager's local_rules.xml as a test to alert on new
> files:
>
> <group name="local,">
> <rule id="554" level="14" overwrite="yes">
> <if_group>syscheck</if_group>
> <decoded_as>syscheck_new_entry</decoded_as>
> <description>File added to an ossec monitored folder.</description>
> <group>syscheck,</group>
> </rule>
> </group>
>
> I added a few files to the folder and waited. I did not get any alerts but I
> did get this in my agents log:
>
> 2012/12/18 17:26:35 ossec-agent(1107): ERROR: Unable to create directory:
> '/var/ossec/queue/diff/local/:\lou'
> 2012/12/18 17:26:35 ossec-agent(1124): ERROR: Unable to rename file:
> 'C:\lou/delmetest.txt'.
> 2012/12/18 17:26:35 ossec-agent(1107): ERROR: Unable to create directory:
> '/var/ossec/queue/diff/local/:\lou'
> 2012/12/18 17:26:35 ossec-agent(1124): ERROR: Unable to rename file:
> 'C:\lou/delme2.txt'.
> 2012/12/18 17:26:55 ossec-agent: INFO: Ending syscheck scan.
>
> Does anyone see an issue with my config? Ossec knows that those are new
> files, why do I not get an alert? Why is my windows ossec install looking
> for the /var dir? Any help is greatly appreciated.

Did you set alert_new_files on the server? It doesn't mean anything on
the agent.
I don't know if report_changes works on Windows. I didn't think so,
but I could be wrong.

dan (ddp)

Dec 19, 2012, 10:26:10 AM
to ossec...@googlegroups.com
On Wed, Dec 19, 2012 at 10:24 AM, Lsilverman
<lsilv...@chargeanywhere.com> wrote:
> I did not set it on the server. Where/how would I do that?
>
> Thanks for your quick response!!!!
>

In the server's /var/ossec/etc/ossec.conf, in the <syscheck> block.

http://www.ossec.net/doc/syntax/head_ossec_config.syscheck.html


From one of my ossec.confs:

<syscheck>
<!-- Frequency that syscheck is executed - default to every 22 hours -->
<frequency>7200</frequency>
<alert_new_files>yes</alert_new_files>
<auto_ignore>no</auto_ignore>
...
</syscheck>

dan (ddp)

Dec 19, 2012, 10:46:41 AM
to ossec...@googlegroups.com
On Wed, Dec 19, 2012 at 10:45 AM, Lsilverman
<lsilv...@chargeanywhere.com> wrote:
> I am adding this now, I will test and let you know my results.
>
> I thought that the ossec.conf on the manager related to the agent running on
> the manager doing checks of itself? Similar to the ossec.conf file on any
> agent.
>
> Thanks
>
>

It does, but it also governs the alerts it sends out. Agents do not
create alerts, only the server.

Lou Silverman

Dec 19, 2012, 11:14:43 AM
to ossec...@googlegroups.com, dan (ddp)
It appears you are correct, report_changes is not available on Windows
OS as I am no longer getting those errors.

I am now alerting on new files! Now to write the rules for modified
files :) If I change the syscheck frequency on my agent, do I have to
change it on the manager as well? What is the difference between changing
it on either?

You're the best Dan! Thank you for everything. You should have a donate
button ;)

dan (ddp)

Dec 19, 2012, 11:19:12 AM
to ossec...@googlegroups.com
---------- Forwarded message ----------
From: dan (ddp) <ddp...@gmail.com>
Date: Wed, Dec 19, 2012 at 11:17 AM
Subject: Re: [ossec-list] syscheck errors - Unable to create directory
and Unable to rename file
To: Lou Silverman <lsilv...@chargeanywhere.com>


On Wed, Dec 19, 2012 at 11:14 AM, Lou Silverman
<lsilv...@chargeanywhere.com> wrote:
> It appears you are correct, report_changes is not available on Windows OS as
> I am no longer getting those errors.
>

Thanks for the update, I'll update the docs.

> I am now alerting on new files! Now to write the rules for modified files :)
> If I change the syscheck frequency on my agent, do I have to change it on
> the manager as well? What is the difference between changing it on either?
>

No, that setting is local. If you change it on the server it will only
affect the server's instance of ossec-syscheckd.

dan (ddp)

Dec 19, 2012, 11:26:14 AM
to ossec...@googlegroups.com
On Wed, Dec 19, 2012 at 11:19 AM, Lou Silverman
<lsilv...@chargeanywhere.com> wrote:
> Here is a funky error... I changed my syscheck frequency from 72000s to
> 7200s and I could not start my agent - I got an error to check my config.
> Changing it back to 72000 allowed me to start the agent. Any ideas?
>
> Thanks
>
> Lou
>

Nope. Can you provide the exact error?


Lou Silverman

Dec 19, 2012, 11:27:11 AM
to ossec...@googlegroups.com, dan (ddp)
Here is a funky error... I changed my syscheck frequency from 72000s to
7200s and I could not start my agent - I got an error to check my
config. Changing it back to 72000 allowed me to start the agent. Any ideas?

Thanks



dan (ddp)

Dec 19, 2012, 11:28:51 AM
to ossec...@googlegroups.com
On Wed, Dec 19, 2012 at 11:26 AM, dan (ddp) <ddp...@gmail.com> wrote:
> On Wed, Dec 19, 2012 at 11:19 AM, Lou Silverman
> <lsilv...@chargeanywhere.com> wrote:
>> Here is a funky error... I changed my syscheck frequency from 72000s to
>> 7200s and I could not start my agent - I got an error to check my config.
>> Changing it back to 72000 allowed me to start the agent. Any ideas?
>>
>> Thanks
>>
>> Lou
>>
>
> Nope. Can you provide the exact error?
>

I just checked one of my agents and it's set to 7200:

<syscheck>
<frequency>7200</frequency>

...
</syscheck>

Lou Silverman

Dec 19, 2012, 11:32:49 AM
to ossec...@googlegroups.com, dan (ddp)
Here is a snippet of my config:

<!-- Syscheck - Integrity Checking config. -->
<syscheck>

<!-- Default frequency, every 20 hours. It doesn't need to be higher
- on most systems and one a day should be enough.
-->
<frequency>7200</frequency>

<!-- By default it is disabled. In the Install you must choose
- to enable it.
-->
<disabled>no</disabled>

I restart the server and I get Error -- Unable to start OSSEC (check
config). If I change 7200 to 72000 it works. If I change 7200 to 07200
it also works! However, I am uneasy if it will actually check every
7200s or will that leading 0 cause problems? I am on windows agent 2.6,
are you on 2.6 or 2.7?

Thanks

Lou

dan (ddp)

Dec 19, 2012, 11:34:39 AM
to Lou Silverman, ossec...@googlegroups.com
On Wed, Dec 19, 2012 at 11:32 AM, Lou Silverman
<lsilv...@chargeanywhere.com> wrote:
> Here is a snippet of my config:
>
> <!-- Syscheck - Integrity Checking config. -->
> <syscheck>
>
> <!-- Default frequency, every 20 hours. It doesn't need to be higher
> - on most systems and one a day should be enough.
> -->
> <frequency>7200</frequency>
>
> <!-- By default it is disabled. In the Install you must choose
> - to enable it.
> -->
> <disabled>no</disabled>
>
> I restart the server and I get Error -- Unable to start OSSEC (check
> config). If I change 7200 to 72000 it works. If I change 7200 to 07200 it
> also works! However, I am uneasy if it will actually check every 7200s or
> will that leading 0 cause problems? I am on windows agent 2.6, are you on
> 2.6 or 2.7?
>
> Thanks
>
> Lou
>

I'm using 2.7. I haven't used 2.6 in ages. Did you get that error
message from the ossec.log?

Lou Silverman

Dec 19, 2012, 12:12:16 PM
to dan (ddp), ossec...@googlegroups.com
I got the error when trying to start my agent. It popped up preventing
me from starting the server. When I installed 2.6, 2.7 was still a beta.
Can I use a version 2.7 agent with a 2.6 server?

Thanks

Lou

dan (ddp)

Dec 19, 2012, 12:22:32 PM
to Lou Silverman, ossec...@googlegroups.com
On Wed, Dec 19, 2012 at 12:12 PM, Lou Silverman
<lsilv...@chargeanywhere.com> wrote:
> I got the error when trying to start my agent. It popped up preventing me
> from starting the server. When I installed 2.6, 2.7 was still a beta. Can I
> use a version 2.7 agent with a 2.6 server?
>
> Thanks
>
> Lou
>

No, they should be kept in sync if possible, and the agent should
never be a higher version than the server.

Check the ossec.log to see if there is a more detailed error. Changing
the frequency shouldn't be an issue.

I remember there was a problem with the path to ossec-logtest in the
ossec-control script that caused an error like this. It didn't stop
anything from working, it was just annoying.
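A small agent-side config check for the pitfalls this thread works through (alert_new_files only being read on the server, report_changes="yes" on a Windows agent path, and a frequency value such as 07200 with a leading zero), written here as an added example that is not part of the thread or of OSSEC itself; the config text is constructed to mirror Lou's snippets and lint_agent_syscheck is a hypothetical helper name.

```python
import re
import xml.etree.ElementTree as ET

# Constructed agent-side ossec.conf fragment modelled on the thread (not a real file).
AGENT_CONF = """
<ossec_config>
  <syscheck>
    <frequency>07200</frequency>
    <alert_new_files>yes</alert_new_files>
    <directories realtime="yes" report_changes="yes" check_all="yes">C:\\lou</directories>
    <ignore>C:\\lou\\logs</ignore>
  </syscheck>
</ossec_config>
"""

# Drive-letter paths such as C:\lou identify directories on a Windows agent.
WINDOWS_PATH = re.compile(r"^[A-Za-z]:[\\/]")


def lint_agent_syscheck(conf_text, is_windows_agent=True):
    """Return a list of findings for the syscheck pitfalls discussed in the thread.

    ossec.conf may hold several <ossec_config> roots, so the text is wrapped in a
    single root before parsing.
    """
    root = ET.fromstring("<root>" + conf_text + "</root>")
    findings = []
    for sc in root.iter("syscheck"):
        freq = sc.find("frequency")
        if freq is not None:
            value = (freq.text or "").strip()
            if not value.isdigit():
                findings.append(f"frequency '{value}' is not a plain integer")
            elif len(value) > 1 and value.startswith("0"):
                # The thread shows 07200 accepted where 7200 was refused; flag it anyway.
                findings.append(f"frequency '{value}' has a leading zero; use '{int(value)}'")
        if sc.find("alert_new_files") is not None:
            findings.append("alert_new_files is read on the server, not the agent; "
                            "set it in the manager's ossec.conf <syscheck> block")
        for d in sc.findall("directories"):
            path = (d.text or "").strip()
            if is_windows_agent and d.get("report_changes") == "yes" and WINDOWS_PATH.match(path):
                findings.append(f'report_changes="yes" on {path}: per this thread, '
                                "not supported on Windows agents (2.6/2.7)")
    return findings


if __name__ == "__main__":
    for finding in lint_agent_syscheck(AGENT_CONF):
        print(finding)
```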

Lou Silverman

Dec 19, 2012, 12:35:29 PM
to dan (ddp), ossec...@googlegroups.com
Correction to my previous post, it prevented me from starting the agent.

When I change 07200 to 7200, the server IP disappears from the box. When
I add it and hit SAVE, I get a popup with this error:

Unable to set OSSEC server IP Address. Internal error on the XML write.

There are no errors in ossec.log

Changing it back to 07200 allows me to save the server IP and start the
agent.

Thanks

dan (ddp)

Dec 19, 2012, 12:41:31 PM
to Lou Silverman, ossec...@googlegroups.com
On Wed, Dec 19, 2012 at 12:35 PM, Lou Silverman
<lsilv...@chargeanywhere.com> wrote:
> Correction to my previous post, it prevented me from starting the agent.
>
> When I change 07200 to 7200, the server IP disappears from the box. When I
> add it and hit SAVE, I get a popup with this error:
>
> Unable to set OSSEC server IP Address. Internal error on the XML write.
>
> There are no errors in ossec.log
>
> Changing it back to 07200 allows me to save the server IP and start the
> agent.
>
> Thanks
>

I have no clue. That's odd. notepad shouldn't be taking things out of
the file that you aren't directly editing. Maybe someone else (with
more Windows experience) has seen this?

Lou Silverman

Dec 19, 2012, 1:25:23 PM
to dan (ddp), ossec...@googlegroups.com
I will install 2.7 to see if that fixes the issue and will report back.
I will have to update my server so give me some time.

Another quick Q - I have added the real_time="yes" option to my agent
doing syscheck but it does not seem very "real time". It seems to run at
the same pace I set my frequency, regardless of the real_time option. Is
there a server setting I must enable for this?

Thanks