Does anybody know if it is possible to do two different installations on the same
host, one as an agent and another as a server?
I need to install the OSSEC server as a service on three hosts with RedHat Cluster
Suite to provide high availability. At the same time I need to monitor these three
hosts with OSSEC.
Thanks.
--
CL Martinez
carlopmart {at} gmail {d0t} com
Have done exactly that on 3 Solaris servers; one is server and agent.
-----Original Message-----
From: ossec...@googlegroups.com [mailto:ossec...@googlegroups.com] On behalf of carlopmart
Sent: 15 Dec. 2010 12:38
To: ossec...@googlegroups.com
Subject: [ossec-list] Server and agent at the same time on the same host
Hi all,
Notice of Confidentiality: This electronic mail message, including any attachments, is confidential and may be privileged and protected by professional secrecy. They are intended for the exclusive use of the addressee. If you are not the intended addressee or the person responsible for delivering this document to the intended addressee, you are hereby advised that any disclosure, reproduction, copy, distribution or other use of this information is strictly forbidden. If you have received this document by mistake, please immediately inform the sender by telephone, destroy and delete the information received from any hard disk or any media on which it may have been registered and do not keep any copy. Thank you for your cooperation.
What steps have you followed? I am thinking of this:
a) Install ossec as a server.
b) Remove the syscheck, rootcheck and localfile params from ossec.conf on the server side.
c) Change the ossec user's home to different directories than the ones ossec's install
script configures.
d) Add the server as an agent using the manage_agents script.
e) Install ossec again, but this time as an agent ...
Could it work?
But I did remove some functionality from the server side.
I'm writing a doc on it for the deployment team. But basically, remove
in ossec.conf the services you don't want doubled up.
But first I installed the server in /opt/ossec-server,
then did the same install as agent in /opt/opt/ossec-agent.
Next I started the server,
then added the agent using manage_agents on the server side.
Up till now no conflicts, some tweaking of the conf file
to remove or add functionality.
But all this is in test mode to see if ossec will meet the
requirements of the Torquemadas of this world (corp. security).
Good luck
Dan
-----Original Message-----
From: ossec...@googlegroups.com [mailto:ossec...@googlegroups.com] On behalf of carlopmart
Sent: 15 Dec. 2010 13:00
To: ossec...@googlegroups.com
Subject: Re: [ossec-list] Server and agent at the same time on the same host
Could it work?
Thanks Dan.
I have installed ossec as a server disabling rootcheck, syscheck and active
response. But when I launch the ossec init script, syscheckd is started. How can I
prevent syscheckd from starting?
Thanks.
I think, in the syscheck section, you can add
<disabled>yes</disabled>. I don't see it in the documentation, but I
see references in the source to it (which I can't dig into very much).
I kind of remember there being a similar option for rootcheck.
I have tried it, and it doesn't work. Syscheckd is started ...
>
> Thanks Dan.
>
> I have installed ossec as a server disabling rootcheck, syscheck and active response.
> But when I launch the ossec init script, syscheckd is started. How can I prevent
> syscheckd from starting?
>
> Thanks.
Ok, it appears that the agent and the server installed on the same machine do not
work.
For example,
[root@lorien alerts]# /data/services/siem/ossec/bin/agent_control -l
OSSEC HIDS agent_control. List of available agents:
ID: 000, Name: lorien.hpulabs.org (server), IP: 127.0.0.1, Active/Local
ID: 001, Name: lorien, IP: 172.25.70.19, Never connected
Maybe agent ID 000 being connected to localhost presents a problem?
The agent doesn't connect.
On the client side:
2010/12/15 19:55:15 ossec-execd(1350): INFO: Active response disabled. Exiting.
2010/12/15 19:55:19 ossec-syscheckd: INFO: Started (pid: 9241).
2010/12/15 19:55:19 ossec-rootcheck: INFO: Started (pid: 9241).
2010/12/15 19:55:19 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
2010/12/15 19:55:19 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin'.
2010/12/15 19:55:19 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin'.
2010/12/15 19:55:19 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
2010/12/15 19:55:19 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
2010/12/15 19:55:21 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'.
2010/12/15 19:55:21 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/secure'.
2010/12/15 19:55:21 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/maillog'.
2010/12/15 19:55:21 ossec-logcollector: INFO: Started (pid: 9237).
2010/12/15 19:56:21 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2010/12/15 19:56:21 ossec-syscheckd: WARN: Process locked. Waiting for permission...
2010/12/15 19:56:38 ossec-logcollector: WARN: Process locked. Waiting for permission...
At this point I have two questions:
a) Is it possible to assign a hostname parameter to ALL server processes?
b) Is it possible to bind ALL server processes to a specific IP? I know the local_ip
param to use in ossec.conf, but it is only for listening, not for binding.
--
R. Loyd Darby, OSSIM-OCSE
Project Manager DOC/NOAA/NMFS
Infrastructure coordinator
Southeast Fisheries Science Center
305-361-4297
--
Michael Starks
[I] Immutable Security
http://www.immutablesecurity.com
But does it do anything? If the process runs but doesn't do anything
does it matter that it runs?
You can also stop it from running by modifying the ossec-control
script. It's an easy little hack.
Try using 'any' instead of a specific IP address for the agent
installation. Since the source and destination are on the same system,
it might be trying to use loopback for the communications.
>>>
>>> I think, in the syscheck section, you can add
>>> <disabled>yes</disabled>. I don't see it in the documentation, but I
>>> see references in the source to it (which I can't dig into very much).
>>> I kind of remember there being a similar option for rootcheck.
>>>
>>
>> I have tried it, and it doesn't work. Syscheckd is started ...
>>
>>
>> --
>> CL Martinez
>> carlopmart {at} gmail {d0t} com
>>
>
> But does it do anything? If the process runs but doesn't do anything
> does it matter that it runs?
> You can also stop it from running by modifying the ossec-control
> script. It's an easy little hack.
>
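One way to do the ossec-control edit Michael mentions above, as an added example that is not from this thread or from the OSSEC project: the script below removes named daemons from the list that ossec-control starts, so the server-side install stops launching syscheckd (which also carries rootcheck, as the shared pid in the agent log above suggests) and leaves host monitoring to the separate agent install. It assumes an OSSEC 2.x ossec-control that keeps the daemons in a DAEMONS="..." line; the sample line, the has_daemon/strip_daemons/patch_control function names and the file layout are constructed for the example, so check the real file before patching it.

```sh
#!/bin/sh
# Added example (not from the thread or the OSSEC project): drop daemons from
# the start list in ossec-control so a server-only install does not also run
# syscheckd/rootcheck, which the second (agent) install on the host provides.
# Assumption: OSSEC 2.x ossec-control keeps the list in a DAEMONS="..." line.
set -e

# Constructed sample of such a line (assumption: resembles a 2.x server install).
SAMPLE_DAEMONS='DAEMONS="ossec-monitord ossec-logcollector ossec-remoted ossec-syscheckd ossec-analysisd ossec-maild ossec-execd"'

# has_daemon LINE NAME : exit 0 if NAME is in the quoted list, 1 otherwise.
# Requires a space or quote on both sides so ossec-remote never matches ossec-remoted.
has_daemon() {
    printf '%s\n' "$1" | grep -q "[[:space:]\"]$2[[:space:]\"]"
}

# strip_daemons LINE NAME... : print LINE with each whole-word NAME removed,
# then tidy the spacing so the quoted list stays clean at either end.
strip_daemons() {
    line=$1
    shift
    for d in "$@"; do
        line=$(printf '%s\n' "$line" | sed -e "s/\([[:space:]\"]\)$d\([[:space:]\"]\)/\1\2/")
    done
    printf '%s\n' "$line" | sed -e 's/  */ /g' -e 's/=" /="/' -e 's/ "$/"/'
}

# patch_control FILE NAME... : rewrite FILE in place (keeping FILE.bak) with the
# named daemons removed from every DAEMONS= line; other lines pass through.
patch_control() {
    f=$1
    shift
    cp "$f" "$f.bak"
    while IFS= read -r l || [ -n "$l" ]; do
        case $l in
            DAEMONS=*) strip_daemons "$l" "$@" ;;
            *) printf '%s\n' "$l" ;;
        esac
    done < "$f.bak" > "$f"
}

# Stand-alone demo on the constructed line: server keeps remoted/analysisd,
# the agent install on the same host handles syscheck and log collection.
strip_daemons "$SAMPLE_DAEMONS" ossec-syscheckd ossec-logcollector
```

Run it against a copy of the real ossec-control first and diff the result; if your copy builds the list differently (newer versions append optional daemons such as the database or syslog client from variables), extend the case pattern rather than editing the file by hand on each cluster node.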
Maybe it is easier to install ossec as a server on both hosts and then use a load balancer
without NAT to connect the agents ... This should work, right?
Afterwards I can use splunk to consolidate all ossec logs ...
I have read your blog post. But it doesn't work for me if I use agent and server.
For example: how do you prevent syscheckd from starting?
<syscheck>
<disabled>yes</disabled>
</syscheck>
This may have already been mentioned... I have not been following the
thread closely...