Re: [ossec-list] ossec centralized configuration
carlopmart
>
> We have many distro in our network ubuntu/redhat/gentoo etc.. also few
> are high end servers and few are low end. so according that i want to
> manage them centralized I want to change syscheck scan time frequency
> etc.. different on low and high end servers. I want to disable active
> response on my iptable firewall server etc.. so how should i maintain
> all different different agent requirement in central location ?
>
> In above document they are saying<agent_config name=”agent1|agent2″>
> what is this means ? is this my hostname or my agent actual name
> which i configured in OSSEC ?
It is your agent's name. One tip: use of <agent_config
name=”agent1|agent2″> doesn't works, at least at 2.5.1. You need to
create an agent config for every agent you like to administer.
>
> And how to disable active response on specific agent ? do i need to
> add disable option in agents.conf or individual agents ossec.conf file
> ?
>
using centralized configuration, only in agents.conf.
> anybody has example files please post me i will appreciate your great help
>
> -Satish
--
CL Martinez
carlopmart {at} gmail {d0t} com
satish patel
I am planing to put everything in central location. and i started
reading http://www.ossec.net/main/manual/centralized-config/ This
document quite confusing me. Let me explain my requirement.
We have many distro in our network ubuntu/redhat/gentoo etc.. also few
are high end servers and few are low end. so according that i want to
manage them centralized I want to change syscheck scan time frequency
etc.. different on low and high end servers. I want to disable active
response on my iptable firewall server etc.. so how should i maintain
all different different agent requirement in central location ?
In above document they are saying <agent_config name=”agent1|agent2″>
what is this means ? is this my hostname or my agent actual name
which i configured in OSSEC ?
And how to disable active response on specific agent ? do i need to
add disable option in agents.conf or individual agents ossec.conf file
?
anybody has example files please post me i will appreciate your great help
-Satish
satish patel
restart agent i got follwoing error "No file configured to monitor" I
did specify each and every log files in agents.conf
Starting OSSEC HIDS v2.5.1 (by Trend Micro Inc.)...
Started ossec-execd...
Started ossec-agentd...
2011/03/03 09:30:38 ossec-logcollector(1905): INFO: No file configured
to monitor.
Started ossec-logcollector...
2011/03/03 09:30:38 ossec-syscheckd(1702): INFO: No directory provided
for syscheck to monitor.
2011/03/03 09:30:38 ossec-syscheckd: WARN: Syscheck disabled.
Started ossec-syscheckd...
Completed.
On Thu, Mar 3, 2011 at 12:04 PM, satish patel <sati...@gmail.com> wrote:
> This boy did a great job in documentation of centralized
> configuration. We would like this kind of doc on ossec.net website.
>
> http://blog.godshell.com/blog/archives/274-WoO-Day-3-Meet-the-agent.htmla
>
>
> On Thu, Mar 3, 2011 at 11:52 AM, satish patel <sati...@gmail.com> wrote:
>> Added: This document need to specify which side its talking about
>> client/server (agent/manager)
>> http://www.ossec.net/main/manual/centralized-config/
>>
>> There is no keyword regarding this is agents side config or manager side ?
>>
>> -Satish
>>
>>
>>
>>
>> On Thu, Mar 3, 2011 at 11:35 AM, satish patel <sati...@gmail.com> wrote:
>>> I have 2.5.1 latest
>>>
>>> on Server /var/ossec/etc/shared/agents.conf right ?
>>>
>>> what configuration file on agents ?
>>>
>>>
>>> Do you have example one?
satish patel
client/server (agent/manager)
http://www.ossec.net/main/manual/centralized-config/
There is no keyword regarding this is agents side config or manager side ?
-Satish
On Thu, Mar 3, 2011 at 11:35 AM, satish patel <sati...@gmail.com> wrote:
> I have 2.5.1 latest
>
> on Server /var/ossec/etc/shared/agents.conf right ?
>
> what configuration file on agents ?
>
>
> Do you have example one?
>
>
> On Thu, Mar 3, 2011 at 11:22 AM, carlopmart <carlo...@gmail.com> wrote:
satish patel
typo error in agent.conf at server
carlopmart
> Look like my managment server pushed agent.conf to client after
> restart agent i got follwoing error "No file configured to monitor" I
> did specify each and every log files in agents.conf
>
> Starting OSSEC HIDS v2.5.1 (by Trend Micro Inc.)...
> Started ossec-execd...
> Started ossec-agentd...
> 2011/03/03 09:30:38 ossec-logcollector(1905): INFO: No file configured
> to monitor.
> Started ossec-logcollector...
> 2011/03/03 09:30:38 ossec-syscheckd(1702): INFO: No directory provided
> for syscheck to monitor.
> 2011/03/03 09:30:38 ossec-syscheckd: WARN: Syscheck disabled.
> Started ossec-syscheckd...
> Completed.
>
>
It is a common error. If agent doesn't have any file or directory to
monitor under ossec.conf, shows this alarm. After some seconds, server
push agents.conf to agent and this error disappears if you restart agent
(local or remote)
satish patel
on Server /var/ossec/etc/shared/agents.conf right ?
what configuration file on agents ?
Do you have example one?
On Thu, Mar 3, 2011 at 11:22 AM, carlopmart <carlo...@gmail.com> wrote:
satish patel
That has been fix. Now i want to disable AR on specific agent and i
add following code in agent.conf but it doesn't working... still AR is
active on that node
<agent_config name="devserver1">
<active-response>
<disabled>yes</disabled>
</active-response>
</agent_config>
satish patel
configuration. We would like this kind of doc on ossec.net website.
http://blog.godshell.com/blog/archives/274-WoO-Day-3-Meet-the-agent.htmla
carlopmart
> Thanks bro,
>
> That has been fix. Now i want to disable AR on specific agent and i
> add following code in agent.conf but it doesn't working... still AR is
> active on that node
>
> <agent_config name="devserver1">
> <active-response>
> <disabled>yes</disabled>
> </active-response>
> </agent_config>
>
>
>
>
Agent has reloaded agent.conf file?? try with this command:
/opt/ossec/bin/agent_control -i 001
OSSEC HIDS agent_control. Agent information:
Agent ID: 001
Agent Name: rhelauthsrv
IP address: 172.25.50.10
Status: Active
Operating system: Linux rhelsrv01.hpulabs.org
2.6.32-71.14.1.el6.x86_64 ..
Client version: OSSEC HIDS v2.5.1 /
689ae94cd232e6b5c503e6148a08b49b
Last keep alive: Thu Mar 3 19:23:09 2011
Syscheck last started at: Thu Mar 3 18:14:44 2011
Rootcheck last started at: Thu Mar 3 18:19:19 2011
md5sum needs to be the same on agent and server. And try to restart
ossec services on the agent side if needed ...
satish patel
everything is correct. What other way to disable AR?
root@vmg035:/var/ossec/etc/shared# md5sum /var/ossec/etc/shared/agent.conf
f4c01366249fcc231d8015e616f76aee /var/ossec/etc/shared/agent.conf
root@vmg035:/var/ossec/etc/shared# /var/ossec/bin/agent_control -i 002
OSSEC HIDS agent_control. Agent information:
Agent ID: 002
Agent Name: devserver1
IP address: 172.24.10.51
Status: Active
Operating system: Linux devserver1.west.com 2.6.9-89.0.25.ELsmp #1 S..
Client version: OSSEC HIDS v2.5.1 / f4c01366249fcc231d8015e616f76aee
Last keep alive: Thu Mar 3 11:21:51 2011
Syscheck last started at: Thu Mar 3 09:41:15 2011
Rootcheck last started at: Thu Mar 3 09:55:00 2011
carlopmart
restart agent.
satish patel
I need everything in agent.conf not ossec.conf It would be painful to
manager more than 50 hosts by editing each ossec.conf file.. at
auditing time we need AR disable and after auditing we need that
option enable. I meant we are running few scanner and bunch of
security vulnerability tools.
Just wanted to know its possible to disable AR via agent.conf or not ?
-Satish
carlopmart
response under agent.conf instead of ossec.conf ...
Have you tried to disable iptables at startup and launch ossec process
on the agent side using centralized configuration??
satish patel
should wait few min after restart service.
On Thu, Mar 3, 2011 at 4:02 PM, satish patel <sati...@gmail.com> wrote:
> can you copy paste you agent.conf is active-respose should comes
> under syscheck section ?
>
>
> I can't disable iptable because this is my firewall server
> (production). Best help is please copy paste you agent.conf to me.
>
> also i have added few custom logs to agent.conf that also not
> working... :( look like i am doing something wrong in agent.conf
> please someone send me full agent.conf
>
>
> <!-- fw01server extra logfiles for ubuntu OS -->
> <agent_config name="fw01server ">
> <localfile>
> <log_format>syslog</log_format>
> <location>/var/log/auth.log</location>
> </localfile>
>
> <localfile>
> <log_format>syslog</log_format>
> <location>/var/log/syslog</location>
> </localfile>
>
> <localfile>
> <log_format>syslog</log_format>
> <location>/var/log/mail.info</location>
> </localfile>
>
> <localfile>
> <log_format>syslog</log_format>
> <location>/var/log/dpkg.log</location>
> </localfile>
>
> <localfile>
> <log_format>apache</log_format>
> <location>/var/log/apache2/error.log</location>
> </localfile>
>
> <localfile>
> <log_format>apache</log_format>
> <location>/var/log/apache2/access.log</location>
> </localfile>
> </agent_config>
carlopmart
this is my agent.conf for one agent:
<agent_config name="rhelauthsrv">
<syscheck>
<frequency>79200</frequency>
<auto_ignore>no</auto_ignore>
<alert_new_files>yes</alert_new_files>
<directories report_changes="yes" realtime="yes"
check_all="yes">/etc</directories>
<directories
check_all="yes">/usr/bin,/usr/sbin,/bin,/sbin</directories>
<ignore>/etc/adjtime</ignore>
<ignore>/etc/aliases.db</ignore>
<ignore>/etc/hosts.deny</ignore>
<ignore>/etc/lvm/cache/.cache</ignore>
<ignore>/etc/mtab</ignore>
</syscheck>
<rootcheck>
<rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
<rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
<system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
<system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>
<system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt</system_audit>
<system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>
</rootcheck>
<active-response>
<disabled>yes</disabled>
</active-response>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/messages</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/secure</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/maillog</location>
</localfile>
</agent_config>
satish patel
satish patel
root@vmg035:/var/ossec/etc/shared# cat agent.conf
<agent_config>
<syscheck>
<!-- Frequency that syscheck is executed - default to every 2 hours -->
<frequency>7200</frequency>
<!-- Directories to check (perform all possible verifications) -->
<directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
<directories check_all="yes">/bin,/sbin</directories>
<!-- No scan at start service time -->
<scan_on_start>no</scan_on_start>
<!-- Files/directories to ignore -->
<ignore>/etc/mtab</ignore>
<ignore>/etc/mnttab</ignore>
<ignore>/etc/hosts.deny</ignore>
<ignore>/etc/mail/statistics</ignore>
<ignore>/etc/random-seed</ignore>
<ignore>/etc/adjtime</ignore>
<ignore>/etc/httpd/logs</ignore>
<ignore>/etc/utmpx</ignore>
<ignore>/etc/wtmpx</ignore>
<ignore>/etc/cups/certs</ignore>
<ignore>/etc/dumpdates</ignore>
<ignore>/etc/svc/volatile</ignore>
<ignore>/etc/motd</ignore>
</syscheck>
<rootcheck>
<rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
<rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
<system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
<system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>
<system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt</system_audit>
<system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>
</rootcheck>
</agent_config>
<!-- Redhat Linux Logfiles monitor -->
<agent_config name="dev01|dev01">
<localfile>
<log_format>syslog</log_format>
<location>/var/log/messages</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/secure</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/vsftpd.log</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/maillog</location>
</localfile>
</agent_config>
<!-- sebfwint1 extra logfiles for ubuntu OS -->
Jason 'XenoPhage' Frisvold
> This boy did a great job in documentation of centralized
> configuration. We would like this kind of doc on ossec.net website.
>
> http://blog.godshell.com/blog/archives/274-WoO-Day-3-Meet-the-agent.htmla
Wow, uh, thanks. I tried to make everything as concise as I could to make it more readable. I'll see if I can take a look at the OSSEC manual itself and try to make it more readable.
---------------------------
Jason 'XenoPhage' Frisvold
xeno...@godshell.com
---------------------------
"Any sufficiently advanced magic is indistinguishable from technology."
- Niven's Inverse of Clarke's Third Law
Jason 'XenoPhage' Frisvold
> Look like my managment server pushed agent.conf to client after
> restart agent i got follwoing error "No file configured to monitor" I
> did specify each and every log files in agents.conf
>
> Starting OSSEC HIDS v2.5.1 (by Trend Micro Inc.)...
> Started ossec-execd...
> Started ossec-agentd...
> 2011/03/03 09:30:38 ossec-logcollector(1905): INFO: No file configured
> to monitor.
> Started ossec-logcollector...
> 2011/03/03 09:30:38 ossec-syscheckd(1702): INFO: No directory provided
> for syscheck to monitor.
> 2011/03/03 09:30:38 ossec-syscheckd: WARN: Syscheck disabled.
> Started ossec-syscheckd...
> Completed.
You may see this on a new client (agent) install, especially if you modify the client ossec.conf to only contain the IP of the server. I handle this by starting the client, waiting a few moments, and then restarting the client. Typically the agent.conf is sent from the server to the client within the first few seconds so a restart causes the client to properly see the agent.conf file and act accordingly.
Jason 'XenoPhage' Frisvold
> Added: This document need to specify which side its talking about
> client/server (agent/manager)
> http://www.ossec.net/main/manual/centralized-config/
>
> There is no keyword regarding this is agents side config or manager side ?
In this particular document, all commands and configuration edits are on the server side. The exception being "Restart the agent" which, obviously, must happen on the agent. Or, I suppose you could use agent_control on the server side as well, now that I think about it.
> -Satish