Centralized Agent Config issue, WARN: Unknown message received. No action defined.


amm....@gmail.com

Sep 3, 2013, 11:37:31 PM
to ossec...@googlegroups.com
I'm running OSSEC 2.7 on CentOS 6.4 (both Manager and Agent). I'm trying to get a centralized agent configuration going.

I've set both the Manager and Agent to run at debug level 2. I have verified that the firewall is disabled on both hosts and they are on the same subnet.

I'm attempting to make any modifications to agent.conf on the manager restart the ossec agent on the remote system.

When I make a modification to the /var/ossec/etc/shared/agent.conf file and watch the ossec.log on the manager I see the message:

    ossec-remoted: DEBUG Sending file 'merged.mg' to agent.

As soon as the manager sends merged.mg to the Agent I see numerous lines like the following:

    ossec-agentd: WARN: Unknown message received. No action defined.

I assume I have something improperly configured on the agent.

Here are the contents of agent.conf and ossec.conf on the Agent:

    agent.conf:
    <agent_config>
        <syscheck>
            <frequency>3600</frequency>
            <auto_ignore>no</auto_ignore>
            <alert_new_files>yes</alert_new_files>
            <scan_on_start>no</scan_on_start>
            <directories report_changes="yes" check_all="yes">/etc,/usr/bin,/usr/sbin,/opt/ossec/etc/shared</directories>
        </syscheck>
    </agent_config>

    ossec.conf:
    <ossec_config>
        <client>
            <server-ip>192.168.140.138</server-ip>
        </client>
    </ossec_config>


Here is the ossec.conf on the Manager:

<ossec_config>
  <global>
    <email_notification>no</email_notification>
  </global>

  <rules>
    <include>rules_config.xml</include>
    <include>pam_rules.xml</include>
    <include>sshd_rules.xml</include>
    <include>telnetd_rules.xml</include>
    <include>syslog_rules.xml</include>
    <include>arpwatch_rules.xml</include>
    <include>symantec-av_rules.xml</include>
    <include>symantec-ws_rules.xml</include>
    <include>pix_rules.xml</include>
    <include>named_rules.xml</include>
    <include>smbd_rules.xml</include>
    <include>vsftpd_rules.xml</include>
    <include>pure-ftpd_rules.xml</include>
    <include>proftpd_rules.xml</include>
    <include>ms_ftpd_rules.xml</include>
    <include>ftpd_rules.xml</include>
    <include>hordeimp_rules.xml</include>
    <include>roundcube_rules.xml</include>
    <include>wordpress_rules.xml</include>
    <include>cimserver_rules.xml</include>
    <include>vpopmail_rules.xml</include>
    <include>vmpop3d_rules.xml</include>
    <include>courier_rules.xml</include>
    <include>web_rules.xml</include>
    <include>web_appsec_rules.xml</include>
    <include>apache_rules.xml</include>
    <include>nginx_rules.xml</include>
    <include>php_rules.xml</include>
    <include>mysql_rules.xml</include>
    <include>postgresql_rules.xml</include>
    <include>ids_rules.xml</include>
    <include>squid_rules.xml</include>
    <include>firewall_rules.xml</include>
    <include>cisco-ios_rules.xml</include>
    <include>netscreenfw_rules.xml</include>
    <include>sonicwall_rules.xml</include>
    <include>postfix_rules.xml</include>
    <include>sendmail_rules.xml</include>
    <include>imapd_rules.xml</include>
    <include>mailscanner_rules.xml</include>
    <include>dovecot_rules.xml</include>
    <include>ms-exchange_rules.xml</include>
    <include>racoon_rules.xml</include>
    <include>vpn_concentrator_rules.xml</include>
    <include>spamd_rules.xml</include>
    <include>msauth_rules.xml</include>
    <include>mcafee_av_rules.xml</include>
    <include>trend-osce_rules.xml</include>
    <include>ms-se_rules.xml</include>
    <!-- <include>policy_rules.xml</include> -->
    <include>zeus_rules.xml</include>
    <include>solaris_bsm_rules.xml</include>
    <include>vmware_rules.xml</include>
    <include>ms_dhcp_rules.xml</include>
    <include>asterisk_rules.xml</include>
    <include>ossec_rules.xml</include>
    <include>attack_rules.xml</include>
    <include>openbsd_rules.xml</include>
    <include>clam_av_rules.xml</include>
    <include>bro-ids_rules.xml</include>
    <include>dropbear_rules.xml</include>
    <include>local_rules.xml</include>
  </rules>

  <syscheck>
    <frequency>79200</frequency>
    
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>

    <ignore>/etc/mtab</ignore>
    <ignore>/etc/mnttab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
    <ignore>/etc/utmpx</ignore>
    <ignore>/etc/wtmpx</ignore>
    <ignore>/etc/cups/certs</ignore>
    <ignore>/etc/dumpdates</ignore>
    <ignore>/etc/svc/volatile</ignore>
  </syscheck>

  <rootcheck>
    <disabled>yes</disabled>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
    <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
    <system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>
    <system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt</system_audit>
    <system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>
  </rootcheck>

  <global>
    <white_list>127.0.0.1</white_list>
    <white_list>^localhost.localdomain$</white_list>
    <white_list>192.168.140.2</white_list>
  </global>

  <remote>
    <connection>syslog</connection>
  </remote>

  <remote>
    <connection>secure</connection>
  </remote>

  <alerts>
    <log_alert_level>1</log_alert_level>
  </alerts>

  <command>
    <name>restart-ossec</name>
    <executable>restart-ossec.sh</executable>
    <expect></expect>
  </command>

  <active-response>
    <command>restart-ossec</command>
    <location>local</location>
    <rules_id>510010</rules_id>
  </active-response>

</ossec_config>

I have the following rule defined in /var/ossec/rules/local_rules.xml:

  <rule id="510010" level="10">
    <if_sid>550</if_sid>
    <match>/var/ossec/etc/shared/agent.conf</match>
    <description>agent.conf has been modified.</description>
  </rule>


Here are the permissions of /var/ossec/etc/shared on the Manager:

[root@ossec_server shared]# ls -la
total 176
drwxrwx---. 2 root   ossec  4096 Sep  3 20:34 .
dr-xr-x---. 3 root   ossec  4096 Sep  3 20:26 ..
-rw-r--r--. 1 root   ossec   344 Sep  3 20:34 agent.conf
-r--r-----. 1 root   ossec   115 Sep  3 20:34 ar.conf
-r--r-----. 1 root   ossec  9501 Nov  8  2012 cis_debian_linux_rcl.txt
-r--r-----. 1 root   ossec  8192 Nov  8  2012 cis_rhel5_linux_rcl.txt
-r--r-----. 1 root   ossec 14251 Nov  8  2012 cis_rhel_linux_rcl.txt
-rw-r--r--. 1 ossecr ossec 70680 Sep  3 20:34 merged.mg
-r--r-----. 1 root   ossec 14872 Nov  8  2012 rootkit_files.txt
-r--r-----. 1 root   ossec  5193 Nov  8  2012 rootkit_trojans.txt
-r--r-----. 1 root   ossec  4457 Nov  8  2012 system_audit_rcl.txt
-r--r-----. 1 root   ossec  4682 Nov  8  2012 win_applications_rcl.txt
-r--r-----. 1 root   ossec  3859 Nov  8  2012 win_audit_rcl.txt
-r--r-----. 1 root   ossec  4929 Nov  8  2012 win_malware_rcl.txt

Here they are on the Agent:
[root@CentOS1 shared]# ls -la
total 176
drwxrwx---. 2 root  ossec  4096 Sep  3 19:51 .
dr-xr-x---. 3 root  ossec  4096 Sep  3 20:03 ..
-rw-r--r--. 1 ossec ossec   344 Sep  3 20:21 agent.conf
-rw-r--r--. 1 ossec ossec   115 Sep  3 20:21 ar.conf
-rwxrwx---. 1 root  ossec  9501 Sep  3 20:21 cis_debian_linux_rcl.txt
-rwxrwx---. 1 root  ossec  8192 Sep  3 20:21 cis_rhel5_linux_rcl.txt
-rwxrwx---. 1 root  ossec 14251 Sep  3 20:21 cis_rhel_linux_rcl.txt
-rw-r--r--. 1 ossec ossec 70674 Sep  3 20:21 merged.mg
-rwxrwx---. 1 root  ossec 14872 Sep  3 20:21 rootkit_files.txt
-rwxrwx---. 1 root  ossec  5193 Sep  3 20:21 rootkit_trojans.txt
-rwxrwx---. 1 root  ossec  4457 Sep  3 20:21 system_audit_rcl.txt
-rwxrwx---. 1 root  ossec  4682 Sep  3 20:21 win_applications_rcl.txt
-rwxrwx---. 1 root  ossec  3859 Sep  3 20:21 win_audit_rcl.txt
-rwxrwx---. 1 root  ossec  4929 Sep  3 20:21 win_malware_rcl.txt


The remote agent responds to /var/ossec/bin/agent-control -R 1024 right away and without issue; because of this I assume Active Response is working in some fashion.

Please let me know if you have any idea what is causing the "Unknown message received. No action defined." message or why the remote agents are not restarting when receiving a new agent.conf.

Thanks,
-AMM 

dan (ddp)

Sep 4, 2013, 9:49:26 AM
to ossec...@googlegroups.com
On Tue, Sep 3, 2013 at 11:37 PM, <amm....@gmail.com> wrote:
> I'm running OSSEC 2.7 on CentOS 6.4 (Both Manager and Agent) I'm trying to
> get a centralized agent configuration going.
>
> I've set both the Manager and Agent to run at debug level 2. I have verified
> that the firewall is disabled on both hosts and they are on the same subnet.
>
> I'm attempting to make any modifications to agent.conf on the manager
> restart the ossec agent on the remote system.
>
> When I make a modification to the /var/ossec/etc/shared/agent.conf file and
> watch the ossec.log on the manager I see the message:
>
> ossec-remoted: DEBUG Sending file 'merged.mg' to agent.
>
> As soon as the manager sends merged.mg to the Agent I see numerous lines
> like the following:
>
> ossec-agentd: WARN: Unknown message received. No action defined.
>

Try stopping the ossec processes on the server, moving merged.mg to
another directory, and starting the processes back up. If I'm
understanding the code correctly (and there is a good possibility I am
not right now), there is something in the merged.mg that isn't liked.
Perhaps make sure there are not odd files in the shared directory.

> I assume I have something improperly configured on the agent.
>
> Here are the contents of agent.conf and ossec.conf on the Agent:
>
> agent.conf:
> <agent_config>
> <syscheck>
> <frequency>3600</frequency>

I don't believe these 2 items do anything on agents.

amm....@gmail.com

Sep 4, 2013, 12:00:24 PM
to ossec...@googlegroups.com


On Wednesday, September 4, 2013 6:49:26 AM UTC-7, dan (ddpbsd) wrote:
On Tue, Sep 3, 2013 at 11:37 PM,  <amm....@gmail.com> wrote:
> I'm running OSSEC 2.7 on CentOS 6.4 (Both Manager and Agent) I'm trying to
> get a centralized agent configuration going.
>
> I've set both the Manager and Agent to run at debug level 2. I have verified
> that the firewall is disabled on both hosts and they are on the same subnet.
>
> I'm attempting to make any modifications to agent.conf on the manager
> restart the ossec agent on the remote system.
>
> When I make a modification to the /var/ossec/etc/shared/agent.conf file and
> watch the ossec.log on the manager I see the message:
>
>     ossec-remoted: DEBUG Sending file 'merged.mg' to agent.
>
> As soon as the manager sends merged.mg to the Agent I see numerous lines
> like the following:
>
>    ossec-agentd: WARN: Unknown message received. No action defined.
>

Try stopping the ossec processes on the server, moving merged.mg to
another directory, and starting the processes back up. If I'm
understanding the code correctly (and there is a good possibility I am
not right now), there is something in the merged.mg that isn't liked.
Perhaps make sure there are not odd files in the shared directory.

I stopped the ossec processes on the manager (/var/ossec/bin/ossec-control stop) and rm'd the merged.mg in /var/ossec/etc/shared/. After restarting the manager I see the same symptoms.

On the Manager:
2013/09/04 08:51:11 ossec-remoted: DEBUG Sending file 'merged.mg' to agent.

On the Agent:
2013/09/04 08:51:11 ossec-agentd: WARN: Unknown message received. No action defined.

I don't see any strange items in /var/ossec/etc/shared:
[root@ossec_server shared]# ls -la
total 176
drwxrwx---. 2 root   ossec  4096 Sep  4 08:56 .
dr-xr-x---. 3 root   ossec  4096 Sep  3 20:26 ..
-rw-r--r--. 1 root   ossec   354 Sep  4 08:47 agent.conf
-r--r-----. 1 root   ossec   115 Sep  4 08:47 ar.conf
-r--r-----. 1 root   ossec  9501 Nov  8  2012 cis_debian_linux_rcl.txt
-r--r-----. 1 root   ossec  8192 Nov  8  2012 cis_rhel5_linux_rcl.txt
-r--r-----. 1 root   ossec 14251 Nov  8  2012 cis_rhel_linux_rcl.txt
-rw-r--r--. 1 ossecr ossec 70684 Sep  4 08:47 merged.mg
-r--r-----. 1 root   ossec 14872 Nov  8  2012 rootkit_files.txt
-r--r-----. 1 root   ossec  5193 Nov  8  2012 rootkit_trojans.txt
-r--r-----. 1 root   ossec  4457 Nov  8  2012 system_audit_rcl.txt
-r--r-----. 1 root   ossec  4682 Nov  8  2012 win_applications_rcl.txt
-r--r-----. 1 root   ossec  3859 Nov  8  2012 win_audit_rcl.txt
-r--r-----. 1 root   ossec  4929 Nov  8  2012 win_malware_rcl.txt

I've attached my merged.mg file.

> I assume I have something improperly configured on the agent.
>
> Here are the contents of agent.conf and ossec.conf on the Agent:
>
>     agent.conf:
>     <agent_config>
>         <syscheck>
>             <frequency>3600</frequency>

I don't believe these 2 items do anything on agents.

Just to be clear, you're suggesting that auto_ignore and alert_new_files don't belong on agents? That seems to make sense, since all the agent does is report the changes. I'll update the agent.conf.

dan (ddp)

Sep 4, 2013, 12:10:11 PM
to ossec...@googlegroups.com
Is something not working correctly? If everything seems to be working
you could ignore the warning. You could also add some debug messages
to the code to help debug the issue.

amm....@gmail.com

Sep 4, 2013, 12:25:34 PM
to ossec...@googlegroups.com
The agent is not being restarted when the new agent.conf is pushed out.

dan (ddp)

Sep 4, 2013, 12:48:12 PM
to ossec...@googlegroups.com
Make sure 510010 is firing.

You can modify the line that looks like:
merror("%s: WARN: Unknown message received. No action defined.",

in src/client-agent/receiver.c to print tmp_msg as well.

amm....@gmail.com

Sep 4, 2013, 7:33:39 PM
to ossec...@googlegroups.com
You were right, the rule wasn't firing. I'm not 100% sure what was wrong, but I think the rule was incorrectly put into local_rules.xml.

Once the rule was properly firing, Active Response restarted the agent as expected.

Thanks for the help!

dan (ddp)

Sep 5, 2013, 9:26:17 AM
to ossec...@googlegroups.com
That is where custom rules belong.

amm....@gmail.com

Sep 5, 2013, 4:47:44 PM
to ossec...@googlegroups.com
I meant improperly formatted inside local_rules.xml 
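The thread's root cause turned out to be a mis-formatted rule in local_rules.xml, which silently broke the chain the first post sets up (syscheck rule 550 -> custom rule 510010 -> active-response -> restart-ossec command). Below is an added Python check, not OSSEC's own code and not something posted in the thread, that parses the manager's ossec.conf and local_rules.xml and verifies that chain end to end. It assumes that OSSEC rule files wrap rules in a `<group>` element and that config files may carry several top-level elements with no XML prolog, so it wraps the text in a synthetic root before parsing. The sample fragments are constructed from the configs quoted in the thread; the "broken" sample shows one illustrative formatting slip (an unclosed tag), not the specific mistake the poster made.

```python
"""Consistency check for the OSSEC manager config chain discussed in this thread:
syscheck alert (rule 550) -> custom rule in local_rules.xml -> <active-response>
-> <command>.  Added illustration, not OSSEC code; the fragments below are
constructed samples based on the configs quoted in the thread."""
import xml.etree.ElementTree as ET

# Constructed sample: the command/active-response part of the manager ossec.conf.
SAMPLE_OSSEC_CONF = """
<ossec_config>
  <command>
    <name>restart-ossec</name>
    <executable>restart-ossec.sh</executable>
    <expect></expect>
  </command>
  <active-response>
    <command>restart-ossec</command>
    <location>local</location>
    <rules_id>510010</rules_id>
  </active-response>
</ossec_config>
"""

# Constructed sample: a well-formed local_rules.xml, rule wrapped in <group>.
SAMPLE_LOCAL_RULES_OK = """
<group name="local,syslog,">
  <rule id="510010" level="10">
    <if_sid>550</if_sid>
    <match>/var/ossec/etc/shared/agent.conf</match>
    <description>agent.conf has been modified.</description>
  </rule>
</group>
"""

# Constructed sample: same rule with an unclosed <match> tag (one illustrative
# formatting slip; the thread does not say which slip the poster actually made).
SAMPLE_LOCAL_RULES_BROKEN = """
<group name="local,syslog,">
  <rule id="510010" level="10">
    <if_sid>550</if_sid>
    <match>/var/ossec/etc/shared/agent.conf
    <description>agent.conf has been modified.</description>
  </rule>
</group>
"""

# Constructed sample: the rule pasted in without a surrounding <group>.
SAMPLE_LOCAL_RULES_NO_GROUP = """
<rule id="510010" level="10">
  <if_sid>550</if_sid>
  <match>/var/ossec/etc/shared/agent.conf</match>
  <description>agent.conf has been modified.</description>
</rule>
"""


def parse_fragments(text):
    """OSSEC config files have no prolog and may hold several top-level elements
    (e.g. repeated <ossec_config>), so wrap them in a synthetic root (assumption)."""
    return ET.fromstring("<root>" + text + "</root>")


def load_rules(rules_xml):
    """Return ({rule_id: set_of_if_sid}, [orphan_rule_ids]).  Rules not nested in a
    <group> are reported as orphans and not counted as loadable (assumption: OSSEC
    rule files wrap rules in <group>).  Raises ET.ParseError on malformed XML."""
    root = parse_fragments(rules_xml)
    parent = {child: p for p in root.iter() for child in p}
    rules, orphans = {}, []
    for rule in root.iter("rule"):
        rid = rule.get("id")
        if parent[rule].tag != "group":
            orphans.append(rid)
            continue
        sids = {s.strip() for s in (rule.findtext("if_sid") or "").split(",") if s.strip()}
        rules[rid] = sids
    return rules, orphans


def active_response_targets(ossec_conf):
    """Return (defined_command_names, [(command, [rule_ids]) per <active-response>])."""
    root = parse_fragments(ossec_conf)
    # A <command> with a <name> child is a definition; the <command> inside
    # <active-response> is only a reference to one of those definitions.
    defined = {c.findtext("name") for c in root.iter("command") if c.find("name") is not None}
    targets = []
    for ar in root.iter("active-response"):
        ids = [i.strip() for i in (ar.findtext("rules_id") or "").split(",") if i.strip()]
        targets.append((ar.findtext("command"), ids))
    return defined, targets


def check_chain(ossec_conf, rules_xml, parent_sid="550"):
    """Return a list of findings; an empty list means every active-response points
    at a loadable rule that chains from parent_sid (550 = syscheck file change)."""
    try:
        rules, orphans = load_rules(rules_xml)
    except ET.ParseError as exc:
        # A malformed rules file means none of its rules load, so the AR never fires.
        return [f"local_rules.xml is not well-formed XML: {exc}"]
    findings = [f"rule {rid} is not inside a <group> element" for rid in orphans]
    defined, targets = active_response_targets(ossec_conf)
    for cmd, ids in targets:
        if cmd not in defined:
            findings.append(f"active-response references undefined command '{cmd}'")
        for rid in ids:
            if rid not in rules:
                findings.append(f"active-response rules_id {rid} matches no loadable rule")
            elif parent_sid not in rules[rid]:
                findings.append(f"rule {rid} does not chain from rule {parent_sid} via <if_sid>")
    return findings


if __name__ == "__main__":
    samples = [("ok", SAMPLE_LOCAL_RULES_OK), ("broken", SAMPLE_LOCAL_RULES_BROKEN),
               ("no_group", SAMPLE_LOCAL_RULES_NO_GROUP)]
    for label, rules_xml in samples:
        print(label, check_chain(SAMPLE_OSSEC_CONF, rules_xml) or ["chain consistent"])
```

To run it against a real manager, read /var/ossec/etc/ossec.conf and /var/ossec/rules/local_rules.xml into strings and pass them to `check_chain`; a non-empty result explains why an `<active-response>` can never trigger before you start adding debug prints to receiver.c.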