Recently I was adding the OSSEC agent to a Windows 2008 R2 machine and ran into an issue where the agent was failing to start, saying [check config!]. Well, I had never changed the config, so there should not be anything wrong with it. After some searching I found a post suggesting to go to regedit and modify HKLM\system\currentcontrolset\services\OssecSrv ImagePath – c:\program files (x86)\ossec-agent\ossec-agent.exe. Add quotes around “c:\program files (x86)\ossec-agent\ossec-agent.exe” and restart. After restarting I still had no luck. Then it came to me.

I went into regedit again and realized that before I got to the regedit screen, I was interrupted by User Account Control prompting me to lower my settings or to run regedit as an administrator. Well, if the agent is attempting to start but being interrupted by UAC, then this would surely prevent it from reading the config correctly. So here is what I did.

Go to Start >> Run and type msconfig into the text field. When the MSConfig utility shows up, click on the “Tools” tab. In the list you should see “Change UAC Setting”. Click on it and select the “Launch” button below. This will give you the UAC window where you can lower the bar to never notify. After that is done, go ahead and restart. Once restarted, check your OSSEC agent and it should be running!
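
A read-only check to run from an elevated PowerShell prompt before changing anything, added here as an example and not part of the original post: it reports whether the OssecSrv ImagePath is quoted, the service state, the current UAC policy values, and the last lines of the agent log. The function name `Get-ImagePathInfo` and the `ossec.log` location inside the install directory are assumptions.

```powershell
# Added example (PowerShell 2.0 compatible, read-only). The service name and
# registry key are from the post; Get-ImagePathInfo is a hypothetical helper.
function Get-ImagePathInfo {
    param([Parameter(Mandatory=$true)][string]$ImagePath)
    $p = $ImagePath.Trim()
    if ($p.StartsWith('"')) {
        # Quoted: the executable is everything up to the closing quote.
        $end = $p.IndexOf('"', 1)
        if ($end -lt 0) { return @{ Quoting = 'UnbalancedQuote'; Exe = $null } }
        return @{ Quoting = 'Quoted'; Exe = $p.Substring(1, $end - 1) }
    }
    # Unquoted: take everything up to the first ".exe" followed by a space or the end.
    $m = [regex]::Match($p, '^(.+?\.exe)(\s|$)', 'IgnoreCase')
    if (-not $m.Success) { return @{ Quoting = 'Unparsed'; Exe = $null } }
    $exe = $m.Groups[1].Value
    $q = if ($exe.Contains(' ')) { 'UnquotedWithSpaces' } else { 'UnquotedNoSpaces' }
    return @{ Quoting = $q; Exe = $exe }
}

$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\OssecSrv'
$reg = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
if (-not $reg) { Write-Warning "No service key at $key"; return }

$info = Get-ImagePathInfo $reg.ImagePath
$svc  = Get-Service -Name OssecSrv -ErrorAction SilentlyContinue
$uac  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# One summary object: path quoting, service state, and the UAC policy values.
New-Object PSObject -Property @{
    ImagePath                  = $reg.ImagePath
    Quoting                    = $info.Quoting
    ServiceStatus              = $(if ($svc) { $svc.Status } else { 'NotFound' })
    EnableLUA                  = $uac.EnableLUA
    ConsentPromptBehaviorAdmin = $uac.ConsentPromptBehaviorAdmin
} | Format-List

# The agent's own log may say more than "[check config!]".
if ($info.Exe) {
    # Assumed log location: ossec.log next to the agent executable.
    $log = Join-Path (Split-Path -Parent $info.Exe) 'ossec.log'
    if (Test-Path $log) { Get-Content $log | Select-Object -Last 20 }
}
```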
