ossec disconnects


Sean Roe

Oct 17, 2017, 3:30:22 PM
to Wazuh mailing list
Hi All,

I have had a problem for a while and while it was annoying it wasn't terminal, but now we are getting close to deploying wazuh across our prod environment and I need to resolve it.

I am getting literally hundreds of notification emails a day saying that a client has disconnected. 

"Rule: 504 fired (level 3) -> "Ossec agent disconnected.""


I have added the following to the shared/agent.conf to try and alleviate this:

<agent_config>
  <client>
    <server-ip>10.xx.xx.xx</server-ip>
    <notify_time>60</notify_time>
    <time-reconnect>90</time-reconnect>
  </client>
</agent_config>

but it still continues.  What is the best way to fix this?

Sean
 

Sean Roe

Oct 17, 2017, 5:12:53 PM
to Wazuh mailing list
I know part of it is I need to switch to tcp from udp.  Can I run both at the same time while I make the switch over?

Thanks,
Sean

ch

Oct 17, 2017, 5:27:15 PM
to Wazuh mailing list

Jose Luis Ruiz

Oct 17, 2017, 5:28:46 PM
to Sean Roe, Wazuh mailing list
Hi Sean

The agent.conf doesn't support these options; they need to be added in your ossec.conf.

The question is, why are your agents having these problems? In UDP the agents need to be disconnected for more than 30 min before the 504 agent disconnected alert is sent; this means that in UDP, when the 504 alert is triggered, the agent has been disconnected for 30 min. In TCP we detect the disconnection immediately (more noise, but more secure in that you are getting all alerts).

Can you look at the ossec.log on your agents and verify the disconnections? Are there any errors in the ossec.log on your agents? Maybe glitches in your network?



Regards
————————
José Luis Ruiz.
Wazuh Inc.

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/116e6c6f-cb8a-4b39-b044-88c5cc194c39%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Jose Luis Ruiz

Oct 17, 2017, 5:29:37 PM
to ch, Wazuh mailing list
Agree with changux, you cannot have both at the same time.


Regards
————————
José Luis Ruiz.
Wazuh Inc.



Sean Roe

Oct 18, 2017, 11:34:26 AM
to Wazuh mailing list
OK, so I am to understand that

  <client>
    <server-ip>10.xx.xx.xx</server-ip>
    <notify_time>60</notify_time>
    <time-reconnect>90</time-reconnect>
  </client>

stanza can't go in the <agent_config> section? Or does the <agent_config> not belong in agent.conf? That doesn't seem right.

As far as the underlying issue, I think it may be a networking issue where the udp packets get dropped, but I can't verify that.


Sean




Sean Roe

Oct 18, 2017, 4:53:03 PM
to Wazuh mailing list
Hi All,

I have made the following change on the ossec.conf on the wazuh-manager server:

  <remote>
    <connection>secure</connection>
    <port>1514</port>
    <protocol>tcp</protocol>
  </remote>


and I have made the following change to the remote clients' agent.conf:

<agent_config>
  <client>
    <server-ip>10.69.10.71</server-ip>
    <protocol>tcp</protocol>
    <notify_time>180</notify_time>
    <time-reconnect>300</time-reconnect>
  </client>

etc.

None of the agents can connect to the wazuh manager.  I did a
[root@mXXXXX etc]# netstat -an | grep 1514
tcp        0      0 0.0.0.0:1514            0.0.0.0:*               LISTEN

so I know the manager is listening on 1514.  But nothing can connect to it.

Erggggh

Sean



Jose Luis Ruiz

Oct 19, 2017, 4:13:32 PM
to Sean Roe, Wazuh mailing list
Hi Sean, sorry for the delay. I can see that you are using <agent_config>; these parameters are not valid for agent.conf and centralized configuration.

The following block needs to be in the ossec.conf on each agent, and it also needs to be inside the <ossec_config> tag. As an example, a minimal configuration can look like the following:

<ossec_config>
  <client>
    <server-ip>10.69.10.71</server-ip>
    <protocol>tcp</protocol>
    <notify_time>180</notify_time>
    <time-reconnect>300</time-reconnect>
  </client>
</ossec_config>


<agent_config>
  <client>
    <server-ip>10.69.10.71</server-ip>
    <protocol>tcp</protocol>
    <notify_time>180</notify_time>
    <time-reconnect>300</time-reconnect>
  </client>

etc.

Regards
————————
José Luis Ruiz.
Wazuh Inc.
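A small lint for the mistake discussed in this post, added here as an example (it is not Wazuh's own tooling): it flags a `<client>` block placed under `<agent_config>`, checks that the agent's ossec.conf has a `<client>` with a `<server-ip>`, and confirms the agent's `<protocol>` matches the manager's `<remote>` protocol, since the thread notes both transports cannot run at once. The sample configs are constructed from the blocks quoted in this thread.

```python
"""Lint the agent's local ossec.conf (where <client> belongs) and the shared
agent.conf (where <client> is ignored) and check the transport matches the manager's."""
import xml.etree.ElementTree as ET


def parse_blocks(text):
    """agent.conf may hold several top-level <agent_config> blocks, which is not
    well-formed XML on its own, so wrap the file in a synthetic root first."""
    return ET.fromstring("<root>" + text + "</root>")


def lint_agent_conf(text):
    """Return problems found in a shared agent.conf (empty list means fine)."""
    try:
        root = parse_blocks(text)
    except ET.ParseError as exc:
        return [f"agent.conf is not well-formed XML: {exc}"]
    problems = []
    for client in root.findall("agent_config/client"):
        opts = ", ".join(sorted(child.tag for child in client))
        problems.append(f"<client> block ({opts}) in <agent_config> is ignored; "
                        "move it to each agent's ossec.conf")
    return problems


def manager_protocol(text):
    """Transport ossec-remoted listens on; OSSEC defaults to udp when unset."""
    return (parse_blocks(text).findtext("ossec_config/remote/protocol") or "udp").strip().lower()


def lint_ossec_conf(text, want_protocol):
    """Return problems in an agent's ossec.conf, given the manager's protocol."""
    try:
        root = parse_blocks(text)
    except ET.ParseError as exc:
        return [f"ossec.conf is not well-formed XML: {exc}"]
    client = root.find("ossec_config/client")
    if client is None:
        return ["no <client> block under <ossec_config>: the agent has no manager to talk to"]
    problems = []
    if not (client.findtext("server-ip") or "").strip():
        problems.append("<client> lacks <server-ip>")
    proto = (client.findtext("protocol") or "udp").strip().lower()
    if proto != want_protocol:
        problems.append(f"agent <protocol> is {proto} but the manager listens on "
                        f"{want_protocol}; both sides must use the same transport")
    return problems


# Constructed samples mirroring the blocks quoted in this thread.
MANAGER_CONF = """<ossec_config>
  <remote>
    <connection>secure</connection>
    <port>1514</port>
    <protocol>tcp</protocol>
  </remote>
</ossec_config>"""

WRONG_AGENT_CONF = """<agent_config>
  <client>
    <server-ip>10.69.10.71</server-ip>
    <protocol>tcp</protocol>
    <notify_time>180</notify_time>
    <time-reconnect>300</time-reconnect>
  </client>
</agent_config>"""

# The same block is correct once it sits under <ossec_config> in the agent's ossec.conf.
AGENT_OSSEC_CONF = WRONG_AGENT_CONF.replace("agent_config", "ossec_config")

if __name__ == "__main__":
    proto = manager_protocol(MANAGER_CONF)
    print("agent.conf:", lint_agent_conf(WRONG_AGENT_CONF) or "ok")
    print("ossec.conf:", lint_ossec_conf(AGENT_OSSEC_CONF, proto) or "ok")
```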


Sean Roe

Oct 20, 2017, 12:44:28 PM
to Wazuh mailing list
Hi Jose et al,

I made the changes suggested and removed the client block from the agent.conf.  I am still experiencing timeouts and disconnects.

Sean

Sean Roe

Oct 23, 2017, 10:29:58 AM
to Wazuh mailing list
Hi All,

I now have zero clients connected to my kibana/ossec server except for localhost.  Here are the changes I have made:

On each client's /var/ossec/etc/ossec.conf I have included the following stanza and removed it from the agent.conf:

<ossec_config>
  <client>
    <server-ip>10.69.XX.XX</server-ip>
    <protocol>tcp</protocol>
    <notify_time>180</notify_time>
    <time-reconnect>300</time-reconnect>
  </client>

etc.

I have checked that port 1514 is open for tcp connections.  I have restarted the server.  I am getting connections now, but when I did this before I initially got connections to the server but then they would drop off.


Sean



Jose Luis Ruiz

Oct 23, 2017, 11:19:01 AM
to Sean Roe, Wazuh mailing list
Hi Sean,

Can you verify that the ossec-remoted service is working on the manager side?

Can you run cat /var/ossec/logs/ossec.log | grep ERROR on the manager and on one agent and send the output?

Regards
————————
José Luis Ruiz.
Wazuh Inc.



Sean Roe

Oct 23, 2017, 11:21:29 AM
to Jose Luis Ruiz, Wazuh mailing list
here is the output requested:

2017/10/23 00:00:01 ossec-analysisd: ERROR: Read error on /queue/diff/mvsc1lx0071/535/last-entry
2017/10/23 00:06:01 ossec-analysisd: ERROR: Read error on /queue/diff/mvsc1lx0071/535/last-entry
2017/10/23 00:12:03 ossec-analysisd: ERROR: Read error on /queue/diff/mvsc1lx0071/535/last-entry
2017/10/23 00:18:06 ossec-analysisd: ERROR: Read error on /queue/diff/mvsc1lx0071/535/last-entry
2017/10/23 00:24:08 ossec-analysisd: ERROR: Read error on /queue/diff/mvsc1lx0071/535/last-entry
2017/10/23 00:30:10 ossec-analysisd: ERROR: Read error on /queue/diff/mvsc1lx0071/535/last-entry
2017/10/23 00:36:11 ossec-analysisd: ERROR: Read error on /queue/diff/mvsc1lx0071/535/last-entry
2017/10/23 00:42:13 ossec-analysisd: ERROR: Read error on /queue/diff/mvsc1lx0071/535/last-entry
2017/10/23 00:48:16 ossec-analysisd: ERROR: Read error on /queue/diff/mvsc1lx0071/535/last-entry
2017/10/23 00:54:18 ossec-analysisd: ERROR: Read error on /queue/diff/mvsc1lx0071/535/last-entry
2017/10/23 01:00:18 ossec-analysisd: ERROR: Read error on /queue/diff/mvsc1lx0071/535/last-entry
2017/10/23 01:06:21 ossec-analysisd: ERROR: Read error on /queue/diff/mvsc1lx0071/535/last-entry
2017/10/23 01:12:23 ossec-analysisd: ERROR: Read error on /queue/diff/mvsc1lx0071/535/last-entry
2017/10/23 01:18:25 ossec-analysisd: ERROR: Read error on /queue/diff/mvsc1lx0071/535/last-entry
2017/10/23 01:24:28 ossec-analysisd: ERROR: Read error on /queue/diff/mvsc1lx0071/535/last-entry
2017/10/23 01:30:28 ossec-analysisd: ERROR: Read error on /queue/diff/mvsc1lx0071/535/last-entry
2017/10/23 01:36:30 ossec-analysisd: ERROR: Read error on /queue/diff/mvsc1lx0071/535/last-entry
2017/10/23 01:42:33 ossec-analysisd: ERROR: Read error on /queue/diff/mvsc1lx0071/535/last-entry
2017/10/23 01:48:35 ossec-analysisd: ERROR: Read error on /queue/diff/mvsc1lx0071/535/last-entry
2017/10/23 01:54:37 ossec-analysisd: ERROR: Read error on /queue/diff/mvsc1lx0071/535/last-entry
2017/10/23 02:00:38 ossec-analysisd: ERROR: Read error on /queue/diff/mvsc1lx0071/535/last-entry
2017/10/23 02:06:40 ossec-analysisd: ERROR: Read error on /queue/diff/mvsc1lx0071/535/last-entry
2017/10/23 02:12:42 ossec-analysisd: ERROR: Read error on /queue/diff/mvsc1lx0071/535/last-entry
2017/10/23 02:18:45 ossec-analysisd: ERROR: Read error on /queue/diff/mvsc1lx0071/535/last-entry
2017/10/23 02:24:45 ossec-analysisd: ERROR: Read error on /queue/diff/mvsc1lx0071/535/last-entry
2017/10/23 02:30:48 ossec-analysisd: ERROR: Read error on /queue/diff/mvsc1lx0071/535/last-entry
2017/10/23 02:36:50 ossec-analysisd: ERROR: Read error on /queue/diff/mvsc1lx0071/535/last-entry
2017/10/23 02:42:52 ossec-analysisd: ERROR: Read error on /queue/diff/mvsc1lx0071/535/last-entry
2017/10/23 02:48:55 ossec-analysisd: ERROR: Read error on /queue/diff/mvsc1lx0071/535/last-entry
2017/10/23 02:54:55 ossec-analysisd: ERROR: Read error on /queue/diff/mvsc1lx0071/535/last-entry
2017/10/23 03:00:57 ossec-analysisd: ERROR: Read error on /queue/diff/mvsc1lx0071/535/last-entry
2017/10/23 03:07:00 ossec-analysisd: ERROR: Read error on /queue/diff/mvsc1lx0071/535/last-entry
2017/10/23 03:13:02 ossec-analysisd: ERROR: Read error on /queue/diff/mvsc1lx0071/535/last-entry
2017/10/23 03:19:02 ossec-analysisd: ERROR: Read error on /queue/diff/mvsc1lx0071/535/last-entry
2017/10/23 03:25:05 ossec-analysisd: ERROR: Read error on /queue/diff/mvsc1lx0071/535/last-entry
2017/10/23 03:31:07 ossec-analysisd: ERROR: Read error on /queue/diff/mvsc1lx0071/535/last-entry
2017/10/23 03:37:09 ossec-analysisd: ERROR: Read error on /queue/diff/mvsc1lx0071/535/last-entry
2017/10/23 03:43:12 ossec-analysisd: ERROR: Read error on /queue/diff/mvsc1lx0071/535/last-entry
2017/10/23 03:49:12 ossec-analysisd: ERROR: Read error on /queue/diff/mvsc1lx0071/535/last-entry
2017/10/23 03:55:14 ossec-analysisd: ERROR: Read error on /queue/diff/mvsc1lx0071/535/last-entry
2017/10/23 04:01:17 ossec-analysisd: ERROR: Read error on /queue/diff/mvsc1lx0071/535/last-entry
2017/10/23 04:07:19 ossec-analysisd: ERROR: Read error on /queue/diff/mvsc1lx0071/535/last-entry
2017/10/23 04:13:20 ossec-analysisd: ERROR: Read error on /queue/diff/mvsc1lx0071/535/last-entry
2017/10/23 04:19:22 ossec-analysisd: ERROR: Read error on /queue/diff/mvsc1lx0071/535/last-entry
2017/10/23 04:25:24 ossec-analysisd: ERROR: Read error on /queue/diff/mvsc1lx0071/535/last-entry
2017/10/23 04:31:27 ossec-analysisd: ERROR: Read error on /queue/diff/mvsc1lx0071/535/last-entry
2017/10/23 04:37:29 ossec-analysisd: ERROR: Read error on /queue/diff/mvsc1lx0071/535/last-entry
2017/10/23 04:43:29 ossec-analysisd: ERROR: Read error on /queue/diff/mvsc1lx0071/535/last-entry
2017/10/23 04:49:32 ossec-analysisd: ERROR: Read error on /queue/diff/mvsc1lx0071/535/last-entry
2017/10/23 04:55:34 ossec-analysisd: ERROR: Read error on /queue/diff/mvsc1lx0071/535/last-entry
2017/10/23 05:01:36 ossec-analysisd: ERROR: Read error on /queue/diff/mvsc1lx0071/535/last-entry
2017/10/23 05:07:39 ossec-analysisd: ERROR: Read error on /queue/diff/mvsc1lx0071/535/last-entry
2017/10/23 05:13:39 ossec-analysisd: ERROR: Read error on /queue/diff/mvsc1lx0071/535/last-entry
2017/10/23 05:19:41 ossec-analysisd: ERROR: Read error on /queue/diff/mvsc1lx0071/535/last-entry
2017/10/23 05:25:44 ossec-analysisd: ERROR: Read error on /queue/diff/mvsc1lx0071/535/last-entry
2017/10/23 05:31:46 ossec-analysisd: ERROR: Read error on /queue/diff/mvsc1lx0071/535/last-entry
2017/10/23 05:37:46 ossec-analysisd: ERROR: Read error on /queue/diff/mvsc1lx0071/535/last-entry
2017/10/23 05:43:49 ossec-analysisd: ERROR: Read error on /queue/diff/mvsc1lx0071/535/last-entry
2017/10/23 05:49:51 ossec-analysisd: ERROR: Read error on /queue/diff/mvsc1lx0071/535/last-entry
2017/10/23 05:55:54 ossec-analysisd: ERROR: Read error on /queue/diff/mvsc1lx0071/535/last-entry
2017/10/23 06:01:56 ossec-analysisd: ERROR: Read error on /queue/diff/mvsc1lx0071/535/last-entry
2017/10/23 06:07:56 ossec-analysisd: ERROR: Read error on /queue/diff/mvsc1lx0071/535/last-entry
2017/10/23 06:13:59 ossec-analysisd: ERROR: Read error on /queue/diff/mvsc1lx0071/535/last-entry
2017/10/23 06:20:01 ossec-analysisd: ERROR: Read error on /queue/diff/mvsc1lx0071/535/last-entry
2017/10/23 06:26:03 ossec-analysisd: ERROR: Read error on /queue/diff/mvsc1lx0071/535/last-entry
2017/10/23 06:32:04 ossec-analysisd: ERROR: Read error on /queue/diff/mvsc1lx0071/535/last-entry
2017/10/23 06:38:06 ossec-analysisd: ERROR: Read error on /queue/diff/mvsc1lx0071/535/last-entry
2017/10/23 06:44:08 ossec-analysisd: ERROR: Read error on /queue/diff/mvsc1lx0071/535/last-entry
2017/10/23 06:50:11 ossec-analysisd: ERROR: Read error on /queue/diff/mvsc1lx0071/535/last-entry
2017/10/23 06:56:13 ossec-analysisd: ERROR: Read error on /queue/diff/mvsc1lx0071/535/last-entry
2017/10/23 07:02:13 ossec-analysisd: ERROR: Read error on /queue/diff/mvsc1lx0071/535/last-entry
2017/10/23 07:08:16 ossec-analysisd: ERROR: Read error on /queue/diff/mvsc1lx0071/535/last-entry
2017/10/23 07:14:18 ossec-analysisd: ERROR: Read error on /queue/diff/mvsc1lx0071/535/last-entry
2017/10/23 07:20:21 ossec-analysisd: ERROR: Read error on /queue/diff/mvsc1lx0071/535/last-entry
2017/10/23 07:24:51 ossec-analysisd: ERROR: Read error on /queue/diff/mvsc1lx0071/535/last-entry
2017/10/23 07:26:35 ossec-remoted: ERROR: (2202): Error uncompressing string.
2017/10/23 07:26:35 ossec-remoted: ERROR: Too big message size from 10.69.17.145.
2017/10/23 07:26:44 ossec-remoted: ERROR: (2202): Error uncompressing string.
2017/10/23 07:26:45 ossec-remoted: ERROR: Too big message size from 10.69.34.23.
2017/10/23 07:26:47 ossec-remoted: ERROR: (2202): Error uncompressing string.
2017/10/23 07:26:48 ossec-remoted: ERROR: Too big message size from 10.69.18.43.
2017/10/23 07:26:48 ossec-remoted: ERROR: (2202): Error uncompressing string.
2017/10/23 07:26:48 ossec-remoted: ERROR: Too big message size from 10.69.17.146.
2017/10/23 07:26:49 ossec-remoted: ERROR: (2202): Error uncompressing string.
2017/10/23 07:26:50 ossec-remoted: ERROR: Too big message size from 10.69.34.43.
2017/10/23 07:26:54 ossec-remoted: ERROR: (2202): Error uncompressing string.
2017/10/23 07:26:54 ossec-remoted: ERROR: Too big message size from 10.69.32.130.
2017/10/23 07:26:58 ossec-remoted: ERROR: (2202): Error uncompressing string.
2017/10/23 07:26:58 ossec-remoted: ERROR: Too big message size from 10.69.81.122.
2017/10/23 07:27:02 ossec-remoted: ERROR: (2202): Error uncompressing string.
2017/10/23 07:27:02 ossec-remoted: ERROR: Too big message size from 10.69.65.38.
2017/10/23 07:27:05 ossec-remoted: ERROR: (2202): Error uncompressing string.
2017/10/23 07:27:06 ossec-remoted: ERROR: Too big message size from 10.69.32.131.
2017/10/23 07:27:08 ossec-remoted: ERROR: (2202): Error uncompressing string.
2017/10/23 07:27:08 ossec-remoted: ERROR: Too big message size from 10.69.65.73.
2017/10/23 07:27:11 ossec-remoted: ERROR: (2202): Error uncompressing string.
2017/10/23 07:27:11 ossec-remoted: ERROR: Too big message size from 10.69.18.21.
2017/10/23 07:27:12 ossec-remoted: ERROR: (2202): Error uncompressing string.
2017/10/23 07:27:12 ossec-remoted: ERROR: Too big message size from 10.69.34.24.
2017/10/23 07:27:13 ossec-remoted: ERROR: (2202): Error uncompressing string.
2017/10/23 07:27:13 ossec-remoted: ERROR: Too big message size from 10.69.64.53.
2017/10/23 07:27:17 ossec-remoted: ERROR: (2202): Error uncompressing string.
2017/10/23 07:27:17 ossec-remoted: ERROR: Too big message size from 10.69.80.30.
2017/10/23 07:27:19 ossec-remoted: ERROR: (2202): Error uncompressing string.
2017/10/23 07:27:19 ossec-remoted: ERROR: (2202): Error uncompressing string.
2017/10/23 07:27:19 ossec-remoted: ERROR: Too big message size from 10.69.64.120.
2017/10/23 07:27:19 ossec-remoted: ERROR: Too big message size from 10.69.81.145.
2017/10/23 07:27:24 ossec-remoted: ERROR: (2202): Error uncompressing string.
2017/10/23 07:27:25 ossec-remoted: ERROR: Too big message size from 10.69.33.145.
2017/10/23 07:27:25 ossec-remoted: ERROR: (2202): Error uncompressing string.
2017/10/23 07:27:25 ossec-remoted: ERROR: Too big message size from 10.69.65.20.
2017/10/23 07:27:26 ossec-remoted: ERROR: (2202): Error uncompressing string.
2017/10/23 07:27:27 ossec-remoted: ERROR: Too big message size from 10.69.18.22.
2017/10/23 07:27:27 ossec-remoted: ERROR: (2202): Error uncompressing string.
2017/10/23 07:27:27 ossec-remoted: ERROR: Too big message size from 10.69.81.25.
2017/10/23 07:27:28 ossec-remoted: ERROR: (2202): Error uncompressing string.
2017/10/23 07:27:28 ossec-remoted: ERROR: Too big message size from 10.69.64.121.
2017/10/23 07:27:28 ossec-remoted: ERROR: (2202): Error uncompressing string.
2017/10/23 07:27:29 ossec-remoted: ERROR: Too big message size from 10.69.33.22.
2017/10/23 07:27:31 ossec-remoted: ERROR: (2202): Error uncompressing string.
2017/10/23 07:27:31 ossec-remoted: ERROR: Too big message size from 10.69.64.32.
2017/10/23 07:27:33 ossec-remoted: ERROR: (2202): Error uncompressing string.
2017/10/23 07:27:33 ossec-remoted: ERROR: Too big message size from 10.69.81.36.
2017/10/23 07:27:34 ossec-remoted: ERROR: (2202): Error uncompressing string.
2017/10/23 07:27:35 ossec-remoted: ERROR: Too big message size from 10.69.33.63.
2017/10/23 07:27:37 ossec-remoted: ERROR: (2202): Error uncompressing string.
2017/10/23 07:27:37 ossec-remoted: ERROR: Too big message size from 10.69.73.22.
2017/10/23 07:27:38 ossec-remoted: ERROR: (2202): Error uncompressing string.
2017/10/23 07:27:38 ossec-remoted: ERROR: Too big message size from 10.69.34.44.
2017/10/23 07:27:39 ossec-remoted: ERROR: (2202): Error uncompressing string.
2017/10/23 07:27:39 ossec-remoted: ERROR: Too big message size from 10.69.16.131.
2017/10/23 07:27:41 ossec-remoted: ERROR: (2202): Error uncompressing string.
2017/10/23 07:27:41 ossec-remoted: ERROR: Too big message size from 10.69.65.63.
2017/10/23 07:27:43 ossec-remoted: ERROR: (2202): Error uncompressing string.
2017/10/23 07:27:43 ossec-remoted: ERROR: (2202): Error uncompressing string.
2017/10/23 07:27:43 ossec-remoted: ERROR: Too big message size from 10.69.16.130.
2017/10/23 07:27:44 ossec-remoted: ERROR: Too big message size from 10.69.81.21.
2017/10/23 07:27:46 ossec-remoted: ERROR: (2202): Error uncompressing string.
2017/10/23 07:27:47 ossec-remoted: ERROR: Too big message size from 10.69.73.21.
2017/10/23 07:27:50 ossec-remoted: ERROR: (2202): Error uncompressing string.
2017/10/23 07:27:50 ossec-remoted: ERROR: (2202): Error uncompressing string.
2017/10/23 07:27:50 ossec-remoted: ERROR: Too big message size from 10.69.80.44.
2017/10/23 07:27:51 ossec-remoted: ERROR: Too big message size from 10.69.65.54.
2017/10/23 07:27:51 ossec-remoted: ERROR: (2202): Error uncompressing string.
2017/10/23 07:27:51 ossec-remoted: ERROR: Too big message size from 10.69.65.43.
2017/10/23 07:27:54 ossec-remoted: ERROR: (2202): Error uncompressing string.
2017/10/23 07:27:54 ossec-remoted: ERROR: Too big message size from 10.69.66.20.
2017/10/23 07:27:55 ossec-remoted: ERROR: (2202): Error uncompressing string.
2017/10/23 07:27:55 ossec-remoted: ERROR: Too big message size from 10.69.72.33.
2017/10/23 07:27:57 ossec-remoted: ERROR: (2202): Error uncompressing string.
2017/10/23 07:27:57 ossec-remoted: ERROR: Too big message size from 10.69.33.23.
2017/10/23 07:30:53 ossec-analysisd: ERROR: Read error on /queue/diff/mvsc1lx0071/535/last-entry
2017/10/23 07:36:55 ossec-analysisd: ERROR: Read error on /queue/diff/mvsc1lx0071/535/last-entry
2017/10/23 07:42:58 ossec-analysisd: ERROR: Read error on /queue/diff/mvsc1lx0071/535/last-entry
2017/10/23 07:49:00 ossec-analysisd: ERROR: Read error on /queue/diff/mvsc1lx0071/535/last-entry
2017/10/23 07:55:00 ossec-analysisd: ERROR: Read error on /queue/diff/mvsc1lx0071/535/last-entry
2017/10/23 08:01:03 ossec-analysisd: ERROR: Read error on /queue/diff/mvsc1lx0071/535/last-entry
2017/10/23 08:07:05 ossec-analysisd: ERROR: Read error on /queue/diff/mvsc1lx0071/535/last-entry
2017/10/23 08:13:07 ossec-analysisd: ERROR: Read error on /queue/diff/mvsc1lx0071/535/last-entry
2017/10/23 08:19:10 ossec-analysisd: ERROR: Read error on /queue/diff/mvsc1lx0071/535/last-entry



Sean


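An added triage helper (not part of the thread or of Wazuh) for output like the above: it parses ossec.log records, groups the ERROR lines by daemon and message shape, and reports count, time span and the agent IPs involved, so a burst of `Too big message size` lines from many agents stands out from a single agent's repeating `Read error`. The sample lines are taken from the output above plus one constructed INFO line.

```python
"""Triage the ERROR lines of an ossec.log: group them by daemon and message
shape, count them, and note the time span and the agent IPs involved."""
import re

# ossec.log record: "YYYY/MM/DD HH:MM:SS daemon: LEVEL: message"
LINE_RE = re.compile(r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
                     r"(?P<daemon>[\w-]+): (?P<level>[A-Z]+): (?P<msg>.*)$")
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
QUEUE_RE = re.compile(r"/queue/diff/\S+")


def parse_line(line):
    """Return the record fields, or None for lines that are not log records."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def normalize(msg):
    """Collapse per-agent detail (IPs, queue paths) so identical problems group."""
    return QUEUE_RE.sub("/queue/diff/<agent>/<id>/last-entry", IP_RE.sub("<ip>", msg))


def summarize(lines, level="ERROR"):
    """Group records of the given level by (daemon, normalized message)."""
    groups = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["level"] != level:
            continue
        key = (rec["daemon"], normalize(rec["msg"]))
        g = groups.setdefault(key, {"count": 0, "first": rec["ts"],
                                    "last": rec["ts"], "sources": set()})
        g["count"] += 1
        # zero-padded timestamps compare correctly as strings
        g["first"], g["last"] = min(g["first"], rec["ts"]), max(g["last"], rec["ts"])
        g["sources"].update(IP_RE.findall(rec["msg"]))
    return groups


def report(groups):
    """One line per group, most frequent first."""
    out = []
    for (daemon, msg), g in sorted(groups.items(), key=lambda kv: -kv[1]["count"]):
        line = f"{g['count']:5d}  {daemon:<16} {msg}  [{g['first']} .. {g['last']}]"
        if g["sources"]:
            line += f"  agents: {', '.join(sorted(g['sources']))}"
        out.append(line)
    return out


# Sample lines taken from the output above, plus one constructed INFO line to
# show that only the requested level is counted.
SAMPLE_LOG = """\
2017/10/23 00:00:01 ossec-analysisd: ERROR: Read error on /queue/diff/mvsc1lx0071/535/last-entry
2017/10/23 00:06:01 ossec-analysisd: ERROR: Read error on /queue/diff/mvsc1lx0071/535/last-entry
2017/10/23 07:26:35 ossec-remoted: ERROR: (2202): Error uncompressing string.
2017/10/23 07:26:35 ossec-remoted: ERROR: Too big message size from 10.69.17.145.
2017/10/23 07:26:44 ossec-remoted: ERROR: (2202): Error uncompressing string.
2017/10/23 07:26:45 ossec-remoted: ERROR: Too big message size from 10.69.34.23.
2017/10/23 07:30:53 ossec-analysisd: ERROR: Read error on /queue/diff/mvsc1lx0071/535/last-entry
2017/10/23 07:31:00 ossec-remoted: INFO: constructed line, not an error
""".splitlines()

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LOG
    print("\n".join(report(summarize(lines))))
```

Run it as `python triage.py /var/ossec/logs/ossec.log` on the manager; with no argument it summarizes the embedded sample.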

Sean Roe

Oct 23, 2017, 3:33:55 PM
to Wazuh mailing list
Hi All,

I went ahead and stripped all the extra stuff out of the ossec.conf, so I was left with just the following:


<ossec_config>
  <client>
    <server-ip>10.69.XX.XX</server-ip>
    <protocol>tcp</protocol>
    <notify_time>180</notify_time>
    <time-reconnect>300</time-reconnect>
  </client>


  <active-response>
    <disabled>no</disabled>
  </active-response>

  <!-- File integrity monitoring -->
  <syscheck>
    <scan_on_start>yes</scan_on_start>
    <directories check_all="yes" realtime="yes" restrict="^/var/ossec/etc/shared/agent.conf$">/var/ossec/etc/shared</directories>
  </syscheck>
</ossec_config>

and I edited down the agent.conf to:

<agent_config>
  <syscheck>
    <!-- Frequency that syscheck is executed -- default every 2 hours -->
    <frequency>7200</frequency>
    <auto_ignore>yes</auto_ignore>

    <!-- Directories to check  (perform all possible verifications) -->
    <directories check_md5sum="yes" check_size="yes" check_owner="yes" check_group="yes" check_perm="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_md5sum="yes" check_size="yes" check_owner="yes" check_group="yes" check_perm="yes">/bin,/sbin,/boot</directories>
    <directories check_md5sum="yes" check_size="yes" check_owner="yes" check_group="yes" check_perm="yes">/v40,/u11,/u4</directories>

    <!-- Files/directories to ignore -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
    <ignore>/etc/prelink.cache</ignore>
    <ignore type="sregex">.dlt$|.zip$|.pdf$|.PDF$|.data$|.log$|.log.$|.pld$|.aud$|.cfs$|.cfx$|.UFAX$|.DAT$|.rdf$|.rep$|.trc$|.trm$|.xdo$|.xdoz$|.xdm$|.html$|.server_access_log$|.txt$|.yaml$</ignore>
    <ignore type="sregex">.opmndat$|.ams$|.tmp$|.lst$|.lst1$|.lst2$|.lst3$|.lst4$|.out$|.lis$|.err$</ignore>
    <ignore type="sregex">.Cache$</ignore>
  </syscheck>

  <rootcheck>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
  </rootcheck>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/authlog</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/secure</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/xferlog</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/maillog</location>
  </localfile>

  <localfile>
    <log_format>apache</log_format>
    <location>/var/www/logs/access_log</location>
  </localfile>

  <localfile>
    <log_format>apache</log_format>
    <location>/var/www/logs/error_log</location>
  </localfile>
</agent_config>

I deployed those files to all of my agents.  I went ahead and restarted the manager and initially most of the agents reconnected.  They have since dropped off and I am back to the beginning.





but it still continues.  Any other suggestions?

Sean
 