Hello all,
Currently I'm running 1.0 of the Windows Client and the server on Fedora 5. I can restart the agent and I get email when it connects. The issue I have is the client will only do a file/folder syscheck when I restart the agent. I'm getting registry notifications, but nothing about the file system. Is it possible that auto ignore is still on even though I've indicated to NOT turn it on? I also turned on "alert new files" and that's not alerting either. My configs are below and I apologize for their length. I'm thinking it may be a config error but I've tried everything.
Thanks,
Robert
----------------
ossec.log
2007/02/27 10:31:54 ossec-agent: Received exit signal.
2007/02/27 10:31:54 ossec-agent: Exiting...
2007/02/27 10:31:59 ossec-agent: Assigning counter for agent NTFWTRPWAPPD1: '0:3341'.
2007/02/27 10:31:59 ossec-agent: Assigning sender counter: 21:9512
2007/02/27 10:31:59 ossec-agent: Connecting to server (
10.16.4.55:1514).
2007/02/27 10:31:59 ossec-agent: Starting syscheckd thread.
2007/02/27 10:31:59 ossec-agent: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes'.
2007/02/27 10:31:59 ossec-agent: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft'.
2007/02/27 10:31:59 ossec-agent: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Policies'.
2007/02/27 10:31:59 ossec-agent: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control'.
2007/02/27 10:31:59 ossec-agent: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services'.
2007/02/27 10:31:59 ossec-agent: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Security'.
2007/02/27 10:31:59 ossec-agent: Monitoring directory: 'C:\WINDOWS'.
2007/02/27 10:31:59 ossec-agent: Monitoring directory: 'C:\ossectest'.
2007/02/27 10:32:00 ossec-agent(4102): Connected to the server.
2007/02/27 10:32:00 ossec-agent(1950): Analyzing file: 'C:\invalid.log'.
2007/02/27 10:32:00 ossec-agent: Started (pid: 4056).
2007/02/27 10:35:18 ossec-agent: Received exit signal.
2007/02/27 10:35:18 ossec-agent: Exiting...
2007/02/27 10:35:19 ossec-agent: DEBUG: Reading agent configuration.
2007/02/27 10:35:19 ossec-agent: DEBUG: Reading logcollector configuration.
2007/02/27 10:35:19 ossec-agent: DEBUG: Reading private keys.
2007/02/27 10:35:19 ossec-agent: Assigning counter for agent NTFWTRPWAPPD1: '0:3341'.
2007/02/27 10:35:19 ossec-agent: Assigning sender counter: 21:9515
2007/02/27 10:35:19 ossec-agent: Connecting to server (
10.16.4.55:1514).
2007/02/27 10:35:19 ossec-agent: DEBUG: Creating thread mutex.
2007/02/27 10:35:19 ossec-agent: Starting syscheckd thread.
2007/02/27 10:35:19 ossec-agent: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes'.
2007/02/27 10:35:19 ossec-agent: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft'.
2007/02/27 10:35:19 ossec-agent: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Policies'.
2007/02/27 10:35:19 ossec-agent: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control'.
2007/02/27 10:35:19 ossec-agent: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services'.
2007/02/27 10:35:19 ossec-agent: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Security'.
2007/02/27 10:35:19 ossec-agent: Monitoring directory: 'C:\WINDOWS'.
2007/02/27 10:35:19 ossec-agent: Monitoring directory: 'C:\ossectest'.
2007/02/27 10:35:20 ossec-agent(4102): Connected to the server.
2007/02/27 10:35:20 ossec-agent: DEBUG: Sending keep alive message.
2007/02/27 10:35:20 ossec-agent: DEBUG: Sending keep alive: #!-Microsoft Windows Server 2003, Enterprise Edition Service Pack 1 (Build 3790)
d41d8cd98f00b204e9800998ecf8427e
ar.conf
13d11a604c19b68c7b801a81e8018206 rootkit_files.txt
ac7263dce787af3572ea7c4d6761629f rootkit_trojans.txt
2007/02/27 10:35:20 ossec-agent: DEBUG: Entering LogCollectorStart().
2007/02/27 10:35:20 ossec-agent(1950): Analyzing file: 'C:\invalid.log'.
2007/02/27 10:35:20 ossec-agent: Started (pid: 2452).
2007/02/27 10:41:50 ossec-agent: DEBUG: Attempting to send message to server.
2007/02/27 10:41:50 ossec-agent: DEBUG: Sending message to server: '--MARK--'
----------------------------------
Ossec Config
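<ossec_config>
<client>
<!-- IP address of the Ossec HIDS server -->
<!-- Keep the address on one line. With the value starting on the line after
     the tag, the agent log prints the address with the same line break
     ("Connecting to server (" / "10.16.4.55:1514)"), which suggests the
     leading whitespace is being read as part of the value. -->
<server-ip>10.16.4.55</server-ip>
</client>
<localfile>
<!-- Log file forwarded to the manager. 'C:\invalid.log' looks like a
     placeholder left from the sample config; point it at a real log or
     drop this block. -->
<location>C:\invalid.log</location>
<log_format>syslog</log_format>
</localfile>
</ossec_config>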
<!-- syscheck config -->
<ossec_config>
<syscheck>
<!-- Seconds between full scans (7200 = 2 h). The log excerpt above covers
     only about ten minutes after each restart, so a second scheduled scan
     would not have run yet; as far as I recall, OSSEC 1.0 reports file
     changes only when the next scan runs, not in real time. -->
<frequency>7200</frequency>
<!-- NOTE(review): per the OSSEC docs these two options are read from the
     manager's ossec.conf (server-side syscheck section), not from the
     agent's; confirm for 1.0. If they are only set here, the manager keeps
     its defaults (no new-file alerts, auto_ignore on), which would match
     the behaviour described in the post. -->
<alert_new_files>yes</alert_new_files>
<auto_ignore>no</auto_ignore>
<!-- check_all enables every attribute check (checksums, size, owner, group,
     permissions) for the whole directory tree. -->
<directories check_all="yes">C:\WINDOWS</directories>
<directories check_all="yes">C:\ossectest</directories>
<!-- Paths excluded from the scan. The mixed "C:\WINDOWS/..." separators
     appear to be how the stock Windows agent config spells these paths;
     they are left unchanged here. -->
<ignore>C:\WINDOWS/System32/LogFiles</ignore>
<ignore>C:\WINDOWS/WindowsUpdate.log</ignore>
<ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
<ignore>C:\WINDOWS/Prefetch</ignore>
<ignore>C:\WINDOWS/Debug</ignore>
<ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
<ignore>C:\WINDOWS/SoftwareDistribution</ignore>
<!-- Ignoring the agent's own install directory means changes to the agent
     binaries or its config are not reported by syscheck; decide whether
     that is acceptable for this host. -->
<ignore>C:\Program Files/ossec-agent</ignore>
<ignore>C:\WINDOWS/Temp</ignore>
<ignore>C:\WINDOWS/SchedLgU.Txt</ignore>
<!-- Registry hive files (locked while Windows runs). That data is covered
     through the windows_registry entries instead, minus whatever the
     registry_ignore list excludes. -->
<ignore>C:\WINDOWS/system32/config</ignore>
<ignore>C:\WINDOWS/system32/CatRoot</ignore>
<ignore>C:\WINDOWS/system32/wbem/Repository</ignore>
<ignore>C:\WINDOWS/iis6.log</ignore>
<ignore>C:\WINDOWS/system32/MsDtc/Trace/dtctrace.log</ignore>
<ignore>C:\WINDOWS/pfirewall.log</ignore>
<ignore>C:\WINDOWS/wiaservc.log</ignore>
<ignore>C:\WINDOWS/setupapi.log</ignore>
<ignore>C:\WINDOWS/LastGood.Tmp</ignore>
<ignore>C:\WINDOWS/LastGood</ignore>
<ignore>C:\WINDOWS/Help</ignore>
<ignore>C:\WINDOWS/Fonts</ignore>
<ignore>C:\WINDOWS/PCHEALTH</ignore>
<ignore>C:\WINDOWS/wiadebug.log</ignore>
<ignore>C:\WINDOWS/system32/CCM</ignore>
<ignore>C:\WINDOWS/system32/VPCache</ignore>
<ignore>C:\WINDOWS/repair/Backup/ServiceState/EventLogs</ignore>
</syscheck>
</ossec_config>
<!-- Syscheck registry config -->
<ossec_config>
<syscheck>
<!-- Registry keys included in each syscheck run. The agent log above shows
     all six picked up at startup ("Monitoring registry entry"), so this
     part of the config is being applied; the missing alerts are on the
     file side only. -->
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Policies</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Security</windows_registry>
</syscheck>
</ossec_config>
<!-- Syscheck registry ignored entries (too big or change too often) -->
<ossec_config>
<syscheck>
<!-- Subkeys excluded from the registry scan because they are large or
     change on normal use. Each one is under a key monitored in the
     windows_registry section. -->
<registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData</registry_ignore>
<!-- Redundant: this is a subkey of the "...\CurrentVersion\Group Policy"
     entry ignored at the end of this list. Harmless, but one of the two
     can go. -->
<registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\State</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\RNG</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\PCHealth\PchSvc</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Dfrg</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\DirectDraw</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Direct3D</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\COM3</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Prefetcher</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\Software\Classes\Interface</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\Software\Classes\TypeLib</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\Software\Classes\MIME</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\Software\Classes\Software</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\Software\Classes\CLSID</registry_ignore>
<!-- These two exclude the LSA secret store and the local account entries
     under the Security hive. They are noisy, but it also means syscheck
     will not report changes to local credentials or accounts; weigh that
     against the noise before keeping them. -->
<registry_ignore>HKEY_LOCAL_MACHINE\Security\Policy\Secrets</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceClasses</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Watchdog</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\MediaCategories</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Windows</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\hivelist</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ServiceCurrent</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess\Performance</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\SMS</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions</registry_ignore>
<!-- Parent of the "Group Policy\State" entry ignored near the top of this
     list. -->
<registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy</registry_ignore>
</syscheck>
</ossec_config>