Windows agent.conf not found & syncing issues


Neeraj Shah

Mar 29, 2018, 4:44:33 PM
to ossec-list
Hello All,

Need some help. I am trying out ossec with Security Onion. The ossec server comes preinstalled in Security Onion. I am now trying the agent piece. I installed the v2.9.2 latest version agent on one of my Windows client PCs, did the initial config and restarted the agent. From the ossec server, the agent ID shows connected. So far so good.

I then created the "/var/ossec/etc/shared/agent.conf" on the server, put in a stanza for "os=windows", saved the file and restarted the ossec server. After waiting for a while, I checked the client PC & the agent.conf didn't get created / deployed to the client. In fact, the agent logs on the client were showing this error message: "XML Error /shared/agent.conf not found"

So I then went ahead and created the agent.conf manually on my client and restarted the service again. The above XML error didn't show up this time, but even after waiting for 15 mins or so, the agent.conf is empty. It is not downloading / syncing the changes from the agent.conf that's on the ossec server.

What could the reason be? Any help appreciated.
=================================================

Here is the result of the md5check command:

 sudo /var/ossec/bin/agent_control -i 001

OSSEC HIDS agent_control. Agent information:
   Agent ID:   001
   Agent Name: ENGG-WKS
   IP address: 172.16.3.10
   Status:     Active

   Operating system:    Microsoft Windows 7 Business Edition Professional Se..
   Client version:      OSSEC HIDS v2.9.2 / d41d8cd98f00b204e9800998ecf8427e
   Last keep alive:     Thu Mar 29 20:20:40 2018

root@securityonion:# md5sum /var/ossec/etc/shared/agent.conf
9e4fb5a9b0ea944c19cedab71e860b54  /var/ossec/etc/shared/agent.conf

Both checksums are different.
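
An added example, not part of the original thread: the checksum the agent reports in the post above, d41d8cd98f00b204e9800998ecf8427e, is the MD5 of zero-length input, which is consistent with the empty agent.conf the post describes. The shell functions below (`reported_sum` and `classify_sync` are hypothetical names) pull that value out of `agent_control -i` output and compare it with a server-side file; which file to compare against is left as a parameter, since the thread mentions both agent.conf and merged.mg.

```sh
#!/bin/sh
# Added example: classify the shared-config checksum an agent reports.
# MD5 of zero bytes; an agent reporting this holds an empty shared file.
EMPTY_MD5=d41d8cd98f00b204e9800998ecf8427e

# Extract the checksum from "agent_control -i <id>" output read on stdin.
reported_sum() {
    sed -n 's|^ *Client version:.*/ *\([0-9a-f]\{32\}\) *$|\1|p' | head -n 1
}

# classify_sync <reported-md5> <server-file>
# Prints one of: empty | in-sync | stale | invalid
classify_sync() {
    reported=$1
    file=$2
    [ -n "$reported" ] || { echo invalid; return 0; }
    if [ "$reported" = "$EMPTY_MD5" ]; then echo empty; return 0; fi
    [ -r "$file" ] || { echo invalid; return 0; }
    server=$(md5sum < "$file" | cut -d' ' -f1)
    if [ "$reported" = "$server" ]; then echo in-sync; else echo stale; fi
}

# Output copied from the post above, trimmed to the relevant lines.
SAMPLE='   Agent ID:   001
   Status:     Active
   Client version:      OSSEC HIDS v2.9.2 / d41d8cd98f00b204e9800998ecf8427e'

# Live use on the server (command and path are the ones from the post):
#   sum=$(sudo /var/ossec/bin/agent_control -i 001 | reported_sum)
#   classify_sync "$sum" /var/ossec/etc/shared/agent.conf
sum=$(printf '%s\n' "$SAMPLE" | reported_sum)
echo "agent reports $sum: $(classify_sync "$sum" /dev/null)"
```

An `empty` result means the agent has not received any shared content yet, so the difference from the server's checksum does not by itself say anything about the contents of the server file.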

dan (ddp)

Mar 29, 2018, 4:56:05 PM
to ossec...@googlegroups.com
Check the permissions and ownership of the agent.conf on the agent. Check for the contents of agent.conf in the merged.mg on the agent. Try the 2.9.4 branch, I might have included a fix for this.


Neeraj Shah

Mar 29, 2018, 5:08:08 PM
to ossec-list
Hi Dan,

Thanks for the reply. On the OSSEC server, I see the below message in the log:

2018/03/29 20:55:10 ossec-remoted: DEBUG Sending file 'merged.mg' to agent. 

However, the merged.mg didn't make it or get created on the client side at all. The OSSEC server that comes with Security Onion is on 2.8.x while my client agent is on v2.9.2. Can that be an issue?

Sorry for the duplicate threads regarding this error. Please delete the other ones.

dan (ddp)

Mar 29, 2018, 5:11:24 PM
to ossec...@googlegroups.com

On Thu, Mar 29, 2018, 5:08 PM Neeraj Shah <neeraj...@gmail.com> wrote:
Hi Dan,

Thanks for the reply. On the OSSEC server, I see the below message in the log:

2018/03/29 20:55:10 ossec-remoted: DEBUG Sending file 'merged.mg' to agent. 

However, the merged.mg didn't make it or get created on the client side at all. The OSSEC server that comes with Security Onion is on 2.8.x while my client agent is on v2.9.2. Can that be an issue?

It's possible, I don't check backwards compatibility very much, or Windows stuff really.

Neeraj Shah

Mar 29, 2018, 5:15:12 PM
to ossec-list
Since the older versions are no longer available on the OSSEC website, would it be OK if we manually copy the agent.conf from the ossec-server to the client? In theory, will that work?

dan (ddp)

Mar 29, 2018, 5:16:24 PM
to ossec...@googlegroups.com

On Thu, Mar 29, 2018, 5:15 PM Neeraj Shah <neeraj...@gmail.com> wrote:
Since the older versions are no longer available on the OSSEC website, would it be OK if we manually copy the agent.conf from the ossec-server to the client? In theory, will that work?

It should