ossec
OSSEC Win Agent Service start issue.
Hello,
I am using Ansible for installation of OSSEC HIDS for mine windows machine. i am getting error during start time of ossec hids service "some other services is using.."
Here my ansible code:
-
name: install OSSEC exe raw: "CMD /C {{ installer }} /S" #raw: "CMD /C {{ ossec_exe_installer }} /S"
-
name: unzip downloaded file vars: local_zip_file: "{{ temp_dir }}\{{ ossec_auto }}" win_unzip: src: "{{ local_zip_file }}" dest: "{{ admin_dir }}"
-
name: install Auto-OSSEC exe raw: "CMD /C '{{ ossec_plugins }}' {{ os_dns }} /S"
-
name: start ossec agent win_service: name: OssecSvc start_mode: auto state: started
Ansible Error fatal: [x.x.x.x]: FAILED! => { "changed": true, "depended_by": [], "dependencies": [], "description": "OSSEC HIDS Windows Agent", "desktop_interact": false, "display_name": "OSSEC HIDS", "exists": true, "failed": true, "msg": "Failed to start service 'OSSEC HIDS (OssecSvc)'.", "name": "OssecSvc", "path": ""C:\Program Files (x86)\ossec-agent\ossec-agent.exe"", "start_mode": "auto", "state": "stopped", "username": "LocalSystem" }
Win Error Attatched:
Please review or provide your ossec.log file from C:\Program Files (x86)\ossec-agent. It should indicate why ossec-agent.exe is immediately exiting.
Goodmorning, I have the same problem. What can I do?
As above please open the Agent manager on the Windows installation and check the previous log messages or follow the path defined above C:\Program Files (x86)\ossec-agent and paste it here. Which Windows version are you using if I might ask?
WIN10 64bit, Admin privigeges, My ossec.log: (IP server 192.168.10.48; IP agent 192.168.10.33) 2020/10/08 15:20:11 ossec-agent: INFO: Service does not exist (OssecSvc) nothing to remove. 2020/10/08 15:20:11 ossec-agent: INFO: Successfully added to the service database. 2020/10/08 15:20:12 ossec-agent: INFO: System is Vista or newer (Microsoft Windows 8 Business Edition Professional (Build 9200) - OSSEC HIDS v3.6.0). 2020/10/08 15:20:51 ossec-agent: Using notify time: 600 and max time to reconnect: 1800 2020/10/08 15:20:51 ossec-agent(1907): INFO: Non-standard event log set: 'Windows PowerShell'. 2020/10/08 15:20:51 ossec-execd(1350): INFO: Active response disabled. Exiting. 2020/10/08 15:20:51 ossec-agent(1410): INFO: Reading authentication keys file. 2020/10/08 15:20:51 ossec-agent: INFO: Received exit signal. 2020/10/08 15:22:56 ossec-agent: Using notify time: 600 and max time to reconnect: 1800 2020/10/08 15:22:56 ossec-agent(1907): INFO: Non-standard event log set: 'Windows PowerShell'. 2020/10/08 15:22:56 ossec-execd(1350): INFO: Active response disabled. Exiting. 2020/10/08 15:22:56 ossec-agent(1410): INFO: Reading authentication keys file. 2020/10/08 15:22:56 ossec-agent: INFO: Received exit signal. 2020/10/08 15:23:19 ossec-agent: Using notify time: 600 and max time to reconnect: 1800 2020/10/08 15:23:19 ossec-agent(1907): INFO: Non-standard event log set: 'Windows PowerShell'. 2020/10/08 15:23:19 ossec-execd(1350): INFO: Active response disabled. Exiting. 2020/10/08 15:23:19 ossec-agent(1410): INFO: Reading authentication keys file. 2020/10/08 15:23:19 ossec-agent: INFO: Received exit signal.
Status: stopped net start "osset hids" command (as admin) do not effect.
My ossec.conf:
<ossec_config>
<!-- Default frequency, every 20 hours. It doesn't need to be higher
- on most systems and one a day should be enough.
-->
<frequency>72000</frequency>
<!-- By default it is disabled. In the Install you must choose
- to enable it.
-->
<disabled>no</disabled>
<!-- Default files to be monitored - system32 only. -->
<directories check_all="yes">%WINDIR%/win.ini</directories>
<directories check_all="yes">%WINDIR%/system.ini</directories>
<directories check_all="yes">C:\autoexec.bat</directories>
<directories check_all="yes">C:\config.sys</directories>
<directories check_all="yes">C:\boot.ini</directories>
<directories check_all="yes">%WINDIR%/SysNative/at.exe</directories>
<directories check_all="yes">%WINDIR%/SysNative/attrib.exe</directories>
<directories check_all="yes">%WINDIR%/SysNative/cacls.exe</directories>
<directories check_all="yes">%WINDIR%/SysNative/cmd.exe</directories>
<directories check_all="yes">%WINDIR%/SysNative/drivers/etc</directories>
<directories check_all="yes">%WINDIR%/SysNative/eventcreate.exe</directories>
<directories check_all="yes">%WINDIR%/SysNative/ftp.exe</directories>
<directories check_all="yes">%WINDIR%/SysNative/lsass.exe</directories>
<directories check_all="yes">%WINDIR%/SysNative/net.exe</directories>
<directories check_all="yes">%WINDIR%/SysNative/net1.exe</directories>
<directories check_all="yes">%WINDIR%/SysNative/netsh.exe</directories>
<directories check_all="yes">%WINDIR%/SysNative/reg.exe</directories>
<directories check_all="yes">%WINDIR%/SysNative/regedt32.exe</directories>
<directories check_all="yes">%WINDIR%/SysNative/regsvr32.exe</directories>
<directories check_all="yes">%WINDIR%/SysNative/runas.exe</directories>
<directories check_all="yes">%WINDIR%/SysNative/sc.exe</directories>
<directories check_all="yes">%WINDIR%/SysNative/schtasks.exe</directories>
<directories check_all="yes">%WINDIR%/SysNative/sethc.exe</directories>
<directories check_all="yes">%WINDIR%/SysNative/subst.exe</directories>
<directories check_all="yes">%WINDIR%/SysNative/wbem/WMIC.exe</directories>
<directories check_all="yes">%WINDIR%/SysNative/WindowsPowerShell\v1.0\powershell.exe</directories>
<directories check_all="yes">%WINDIR%/SysNative/winrm.vbs</directories>
<directories check_all="yes">%WINDIR%/System32/CONFIG.NT</directories>
<directories check_all="yes">%WINDIR%/System32/AUTOEXEC.NT</directories>
<directories check_all="yes">%WINDIR%/System32/at.exe</directories>
<directories check_all="yes">%WINDIR%/System32/attrib.exe</directories>
<directories check_all="yes">%WINDIR%/System32/cacls.exe</directories>
<directories check_all="yes">%WINDIR%/System32/debug.exe</directories>
<directories check_all="yes">%WINDIR%/System32/drwatson.exe</directories>
<directories check_all="yes">%WINDIR%/System32/drwtsn32.exe</directories>
<directories check_all="yes">%WINDIR%/System32/edlin.exe</directories>
<directories check_all="yes">%WINDIR%/System32/eventcreate.exe</directories>
<directories check_all="yes">%WINDIR%/System32/eventtriggers.exe</directories>
<directories check_all="yes">%WINDIR%/System32/ftp.exe</directories>
<directories check_all="yes">%WINDIR%/System32/net.exe</directories>
<directories check_all="yes">%WINDIR%/System32/net1.exe</directories>
<directories check_all="yes">%WINDIR%/System32/netsh.exe</directories>
<directories check_all="yes">%WINDIR%/System32/rcp.exe</directories>
<directories check_all="yes">%WINDIR%/System32/reg.exe</directories>
<directories check_all="yes">%WINDIR%/regedit.exe</directories>
<directories check_all="yes">%WINDIR%/System32/regedt32.exe</directories>
<directories check_all="yes">%WINDIR%/System32/regsvr32.exe</directories>
<directories check_all="yes">%WINDIR%/System32/rexec.exe</directories>
<directories check_all="yes">%WINDIR%/System32/rsh.exe</directories>
<directories check_all="yes">%WINDIR%/System32/runas.exe</directories>
<directories check_all="yes">%WINDIR%/System32/sc.exe</directories>
<directories check_all="yes">%WINDIR%/System32/subst.exe</directories>
<directories check_all="yes">%WINDIR%/System32/telnet.exe</directories>
<directories check_all="yes">%WINDIR%/System32/tftp.exe</directories>
<directories check_all="yes">%WINDIR%/System32/tlntsvr.exe</directories>
<directories check_all="yes">%WINDIR%/System32/drivers/etc</directories>
<directories check_all="yes">%WINDIR%/System32/wbem/WMIC.exe</directories>
<directories check_all="yes">%WINDIR%/System32/WindowsPowerShell\v1.0\powershell.exe</directories>
<directories check_all="yes">%WINDIR%/System32/winrm.vbs</directories>
<directories check_all="yes" realtime="yes">%PROGRAMDATA%/Microsoft/Windows/Start Menu/Programs/Startup</directories>
<ignore type="sregex">.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$</ignore>
<!-- Windows registry entries to monitor. -->
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\batfile</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\cmdfile</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\comfile</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\exefile</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\piffile</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Directory</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Folder</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Protocols</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Policies</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Security</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components</windows_registry>
<!-- Windows registry entries to ignore. -->
<registry_ignore>HKEY_LOCAL_MACHINE\Security\Policy\Secrets</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users</registry_ignore>
<registry_ignore type="sregex">\Enum$</registry_ignore>
</ossec_config>
<ossec_config>
@MaxDF23 I will set up a virtual machine with win10 and run through the setup. I get back to you, but reading from the log my first impression would be that the authentication key you added to the agent manager is incorrect. Check for whitespace or w/e but I will get back to you once I've tested it myself.
@MaxDF23 I tried to reproduce but I cannot. Environment Windows 10 Pro:
This is my own guide and all the exact steps i followed here make sure that you did open port 1514 and 514 on your server for the agent IP.
Also you're mssing the <client></client> and the <server-ip></server-ip> tags in the end around the server IP section.
2020/10/08 12:24:36 ossec-agentd(4102): INFO: Connected to server 192.168.88.68, port 1514. 2020/10/08 12:24:36 Cannot unlink /var/ossec.wait: No such file or directory 2020/10/08 12:24:36 ossec-agent: INFO: System is Vista or newer (Microsoft Windows 8 Business Edition Professional (Build 9200) - OSSEC HIDS v3.6.0). 2020/10/08 12:24:36 ossec-logcollector(1951): INFO: Analyzing event log: 'Application'. 2020/10/08 12:24:36 ossec-logcollector(1951): INFO: Analyzing event log: 'Security'. 2020/10/08 12:24:36 ossec-logcollector(1951): INFO: Analyzing event log: 'System'. 2020/10/08 12:24:36 ossec-logcollector(1951): INFO: Analyzing event log: 'Windows PowerShell'. 2020/10/08 12:24:36 ossec-logcollector: INFO: Started (pid: 3752).
Config:
<!-- OSSEC-HIDS Win32 Agent Configuration.
- This file is composed of 3 main sections:
- - Client config - Settings to connect to the OSSEC server
- - Localfile - Files/Event logs to monitor
- - syscheck - System file/Registry entries to monitor
-->
<!-- READ ME FIRST. If you are configuring OSSEC-HIDS for the first time,
- try to use the "Manage_Agent" tool. Go to Control Panel->OSSEC Agent
- to execute it.
-
- First, add a server-ip entry with the real IP of your server.
- Second, and optionally, change the settings of the files you want
- to monitor. Look at our Manual and FAQ for more information.
- Third, start the Agent and enjoy.
-
- Example of server-ip:
- <client> <server-ip>1.2.3.4</server-ip> </client>
-->
<ossec_config>
<!-- One entry for each file/Event log to monitor. -->
<localfile>
<location>Application</location>
<log_format>eventlog</log_format>
</localfile>
<localfile>
<location>Security</location>
<log_format>eventlog</log_format>
</localfile>
<localfile>
<location>System</location>
<log_format>eventlog</log_format>
</localfile>
<localfile>
<location>Windows PowerShell</location>
<log_format>eventlog</log_format>
</localfile>
<!-- Rootcheck - Policy monitor config -->
<rootcheck>
<windows_audit>./shared/win_audit_rcl.txt</windows_audit>
<windows_apps>./shared/win_applications_rcl.txt</windows_apps>
<windows_malware>./shared/win_malware_rcl.txt</windows_malware>
</rootcheck>
<!-- Syscheck - Integrity Checking config. -->
<syscheck>
<!-- Default frequency, every 20 hours. It doesn't need to be higher
- on most systems and one a day should be enough.
-->
<frequency>72000</frequency>
<!-- By default it is disabled. In the Install you must choose
- to enable it.
-->
<disabled>no</disabled>
<!-- Default files to be monitored - system32 only. -->
<directories check_all="yes">%WINDIR%/win.ini</directories>
<directories check_all="yes">%WINDIR%/system.ini</directories>
<directories check_all="yes">C:\autoexec.bat</directories>
<directories check_all="yes">C:\config.sys</directories>
<directories check_all="yes">C:\boot.ini</directories>
<directories check_all="yes">%WINDIR%/SysNative/at.exe</directories>
<directories check_all="yes">%WINDIR%/SysNative/attrib.exe</directories>
<directories check_all="yes">%WINDIR%/SysNative/cacls.exe</directories>
<directories check_all="yes">%WINDIR%/SysNative/cmd.exe</directories>
<directories check_all="yes">%WINDIR%/SysNative/drivers/etc</directories>
<directories check_all="yes">%WINDIR%/SysNative/eventcreate.exe</directories>
<directories check_all="yes">%WINDIR%/SysNative/ftp.exe</directories>
<directories check_all="yes">%WINDIR%/SysNative/lsass.exe</directories>
<directories check_all="yes">%WINDIR%/SysNative/net.exe</directories>
<directories check_all="yes">%WINDIR%/SysNative/net1.exe</directories>
<directories check_all="yes">%WINDIR%/SysNative/netsh.exe</directories>
<directories check_all="yes">%WINDIR%/SysNative/reg.exe</directories>
<directories check_all="yes">%WINDIR%/SysNative/regedt32.exe</directories>
<directories check_all="yes">%WINDIR%/SysNative/regsvr32.exe</directories>
<directories check_all="yes">%WINDIR%/SysNative/runas.exe</directories>
<directories check_all="yes">%WINDIR%/SysNative/sc.exe</directories>
<directories check_all="yes">%WINDIR%/SysNative/schtasks.exe</directories>
<directories check_all="yes">%WINDIR%/SysNative/sethc.exe</directories>
<directories check_all="yes">%WINDIR%/SysNative/subst.exe</directories>
<directories check_all="yes">%WINDIR%/SysNative/wbem/WMIC.exe</directories>
<directories check_all="yes">%WINDIR%/SysNative/WindowsPowerShell\v1.0\powershell.exe</directories>
<directories check_all="yes">%WINDIR%/SysNative/winrm.vbs</directories>
<directories check_all="yes">%WINDIR%/System32/CONFIG.NT</directories>
<directories check_all="yes">%WINDIR%/System32/AUTOEXEC.NT</directories>
<directories check_all="yes">%WINDIR%/System32/at.exe</directories>
<directories check_all="yes">%WINDIR%/System32/attrib.exe</directories>
<directories check_all="yes">%WINDIR%/System32/cacls.exe</directories>
<directories check_all="yes">%WINDIR%/System32/debug.exe</directories>
<directories check_all="yes">%WINDIR%/System32/drwatson.exe</directories>
<directories check_all="yes">%WINDIR%/System32/drwtsn32.exe</directories>
<directories check_all="yes">%WINDIR%/System32/edlin.exe</directories>
<directories check_all="yes">%WINDIR%/System32/eventcreate.exe</directories>
<directories check_all="yes">%WINDIR%/System32/eventtriggers.exe</directories>
<directories check_all="yes">%WINDIR%/System32/ftp.exe</directories>
<directories check_all="yes">%WINDIR%/System32/net.exe</directories>
<directories check_all="yes">%WINDIR%/System32/net1.exe</directories>
<directories check_all="yes">%WINDIR%/System32/netsh.exe</directories>
<directories check_all="yes">%WINDIR%/System32/rcp.exe</directories>
<directories check_all="yes">%WINDIR%/System32/reg.exe</directories>
<directories check_all="yes">%WINDIR%/regedit.exe</directories>
<directories check_all="yes">%WINDIR%/System32/regedt32.exe</directories>
<directories check_all="yes">%WINDIR%/System32/regsvr32.exe</directories>
<directories check_all="yes">%WINDIR%/System32/rexec.exe</directories>
<directories check_all="yes">%WINDIR%/System32/rsh.exe</directories>
<directories check_all="yes">%WINDIR%/System32/runas.exe</directories>
<directories check_all="yes">%WINDIR%/System32/sc.exe</directories>
<directories check_all="yes">%WINDIR%/System32/subst.exe</directories>
<directories check_all="yes">%WINDIR%/System32/telnet.exe</directories>
<directories check_all="yes">%WINDIR%/System32/tftp.exe</directories>
<directories check_all="yes">%WINDIR%/System32/tlntsvr.exe</directories>
<directories check_all="yes">%WINDIR%/System32/drivers/etc</directories>
<directories check_all="yes">%WINDIR%/System32/wbem/WMIC.exe</directories>
<directories check_all="yes">%WINDIR%/System32/WindowsPowerShell\v1.0\powershell.exe</directories>
<directories check_all="yes">%WINDIR%/System32/winrm.vbs</directories>
<directories check_all="yes" realtime="yes">%PROGRAMDATA%/Microsoft/Windows/Start Menu/Programs/Startup</directories>
<ignore type="sregex">.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$</ignore>
<!-- Windows registry entries to monitor. -->
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\batfile</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\cmdfile</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\comfile</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\exefile</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\piffile</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Directory</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Folder</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Protocols</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Policies</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Security</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components</windows_registry>
<!-- Windows registry entries to ignore. -->
<registry_ignore>HKEY_LOCAL_MACHINE\Security\Policy\Secrets</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users</registry_ignore>
<registry_ignore type="sregex">\Enum$</registry_ignore>
</syscheck>
<active-response>
<disabled>yes</disabled>
</active-response>
</ossec_config>
<!-- END of Default Configuration. -->
<ossec_config>
<client>
<server-ip>192.168.88.68</server-ip>
</client>
</ossec_config>