Not able to push common agent.conf from OSSEC Server


Anuj AJ

Mar 4, 2014, 7:06:30 PM
to ossec...@googlegroups.com
Greetings everyone. 

So as the subject says, I have not been able to push out configs from the OSSEC server to the remote hosts.


Here is my session 

After making changes to /var/ossec/etc/shared/agent.conf

root@exec02:/var/ossec/bin# service ossec restart
Killing ossec-monitord ..
Killing ossec-logcollector ..
Killing ossec-syscheckd ..
Killing ossec-analysisd ..
Killing ossec-maild ..
Killing ossec-execd ..
Killing ossec-csyslogd ..
OSSEC HIDS v2.6 Stopped
Starting OSSEC HIDS v2.6 (by Trend Micro Inc.)...
ossec-analysisd: Configuration error. Exiting.
Started ossec-csyslogd...
Started ossec-maild...
Started ossec-execd...
Started ossec-analysisd...
Started ossec-logcollector...
Started ossec-syscheckd...
Started ossec-monitord...
Completed.

root@exec02:/var/ossec/bin#
root@exec02:/var/ossec/bin# md5sum /var/ossec/etc/shared/agent.conf
91441e8cc7d4074efe667ff87d8ca689  /var/ossec/etc/shared/agent.conf
root@exec02:/var/ossec/bin#
root@exec02:/var/ossec/bin#
root@exec02:/var/ossec/bin#
root@exec02:/var/ossec/bin#
root@exec02:/var/ossec/bin# ./agent_control -i 37

OSSEC HIDS agent_control. Agent information:
   Agent ID:   37
   IP address: 10.0.6.20
   Status:     Active

   Operating system:    Linux vault2 2.6.32-24-server #43-Ubuntu SMP Thu Sep..
   Client version:      OSSEC HIDS v2.7.1 / 5e9e0c5a4c519883434627cfdb8f059b
   Last keep alive:     Tue Mar  4 15:56:38 2014

   Syscheck last started  at: Tue Mar  4 15:57:43 2014
   Rootcheck last started at: Tue Mar  4 13:55:32 2014


root@exec02:/var/ossec/bin# ./agent_control -R 37

OSSEC HIDS agent_control: Restarting agent: 37
root@exec02:/var/ossec/bin#
root@exec02:/var/ossec/bin#
root@exec02:/var/ossec/bin#
root@exec02:/var/ossec/bin#
root@exec02:/var/ossec/bin# ./agent_control -i 37

OSSEC HIDS agent_control. Agent information:
   Agent ID:   37
   IP address: 10.0.6.20
   Status:     Active

   Operating system:    Linux vault2 2.6.32-24-server #43-Ubuntu SMP Thu Sep..
   Client version:      OSSEC HIDS v2.7.1 / 5e9e0c5a4c519883434627cfdb8f059b
   Last keep alive:     Tue Mar  4 15:58:27 2014

   Syscheck last started  at: Tue Mar  4 15:57:43 2014
   Rootcheck last started at: Tue Mar  4 13:55:32 2014
root@exec02:/var/ossec/bin# ./agent_control -i 37

OSSEC HIDS agent_control. Agent information:
   Agent ID:   37
   IP address: 10.0.6.20
   Status:     Active

   Operating system:    Linux vault2 2.6.32-24-server #43-Ubuntu SMP Thu Sep..
   Client version:      OSSEC HIDS v2.7.1 / 5e9e0c5a4c519883434627cfdb8f059b
   Last keep alive:     Tue Mar  4 15:58:27 2014

   Syscheck last started  at: Tue Mar  4 15:57:43 2014
   Rootcheck last started at: Tue Mar  4 13:55:32 2014



As you can see, the agent client version doesn't really change.

Hoping to get some help. 

Thanks
AJ

Michael Starks

Mar 4, 2014, 8:15:23 PM
to ossec...@googlegroups.com
On 03/04/2014 06:06 PM, Anuj AJ wrote:
> Greetings everyone.
>
> So as the subject says, I have not been able to push out configs from
> the OSSEC server to the remote hosts.

What happens when you run this: ./bin/verify-agent-conf

dan (ddp)

Mar 5, 2014, 8:09:49 AM
to ossec...@googlegroups.com
How long did you wait? It can take a while.
Check the permissions of the files on the agent and the server.
Include the merged.mg file on both.

> Thanks
> AJ

Anuj AJ

Mar 5, 2014, 1:53:01 PM
to ossec...@googlegroups.com
Oh damn .. it did take a while .. I pushed out the changes last evening, and this morning when I checked, the hash matches.

I did not realize it would take that long for it to propagate to remote hosts. 

The other steps that were suggested here - checking permissions and the merged.mg file .. as well as running verify-agent-conf - are good things to know for troubleshooting.

Leaving these comments here, so they could be helpful for others (if they need help).

Thanks for this

AJ
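The manual check from this thread (md5sum on the server, then the hash shown by agent_control -i) as a polling script. This is an added example, not code from any poster or from the OSSEC project. It assumes, as the thread does, that the value after "/" on the "Client version:" line is the hash of the shared config the agent currently holds; the function names and the AGENT_CONTROL variable are made up for this sketch.

```shell
#!/bin/sh
# Added example. The agent_control path and -i flag are the ones used in the
# session above; AGENT_CONTROL and all function names are hypothetical.
AGENT_CONTROL=${AGENT_CONTROL:-/var/ossec/bin/agent_control}

# Read agent_control -i output on stdin and print the 32-hex-digit hash that
# follows "/" on the "Client version:" line (prints nothing if there is none).
reported_hash() {
    sed -n 's|^ *Client version:.*/ *\([0-9a-fA-F]\{32\}\) *$|\1|p' | head -n 1
}

# sync_state EXPECTED_MD5 < agent_control output
# Prints in-sync, pending (agent still reports another hash) or unknown.
sync_state() {
    reported=$(reported_hash)
    if [ -z "$reported" ]; then
        echo unknown
    elif [ "$reported" = "$1" ]; then
        echo in-sync
    else
        echo pending
    fi
}

# wait_for_push AGENT_ID FILE [TRIES] [SLEEP_SECONDS]
# Polls until the agent reports FILE's md5; returns 0 on match, 1 on giving up.
wait_for_push() {
    want=$(md5sum "$2" | awk '{print $1}')
    tries=${3:-30}
    pause=${4:-60}
    while [ "$tries" -gt 0 ]; do
        state=$("$AGENT_CONTROL" -i "$1" | sync_state "$want")
        [ "$state" = in-sync ] && return 0
        tries=$((tries - 1))
        [ "$tries" -gt 0 ] && sleep "$pause"
    done
    return 1
}

# Sample input for offline runs: lines trimmed from the session in the thread.
sample_info() {
    cat <<'EOF'
OSSEC HIDS agent_control. Agent information:
   Agent ID:   37
   Status:     Active
   Client version:      OSSEC HIDS v2.7.1 / 5e9e0c5a4c519883434627cfdb8f059b
EOF
}
```

On the server this would be called as wait_for_push 37 /var/ossec/etc/shared/agent.conf; the defaults poll once a minute for 30 minutes, and can be raised for slow propagation like the overnight delay described above.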