Agent.conf not being copied to clients


treydock

Jun 7, 2011, 11:26:00 AM
to ossec-list
I've combed through the other posts on agent.conf, and have done all
the troubleshooting I could find on why this isn't working. The
agent.conf file is not being copied to the clients. I'm running OSSEC
2.5.1 on all clients and server.

Last night (about 11 hours ago) I added an agent.conf to my central
server, restarted the server's management processes, and also
restarted the client process on two clients. On one client I removed all
but the following:

<ossec_config>
<client>
<server-ip>128.194.198.99</server-ip>
</client>
</ossec_config>

On the other client I left the ossec.conf as is. Running checks on
the server's agent.conf, here are the permissions:

ls -la etc/shared/
total 180
drwxrwx--- 2 root ossec 4096 Jun 6 22:37 .
dr-xr-x--- 3 root ossec 4096 May 27 09:03 ..
-r--r----- 1 root ossec 3060 Jun 6 22:37 agent.conf
-r--r--r-- 1 root ossec 189 Jun 6 23:09 ar.conf
-r--r----- 1 root ossec 9425 Oct 12 2010 cis_debian_linux_rcl.txt
-r--r----- 1 root ossec 8123 Oct 12 2010 cis_rhel5_linux_rcl.txt
-r--r----- 1 root ossec 14181 Oct 12 2010 cis_rhel_linux_rcl.txt
-rw-r--r-- 1 root ossec 73428 May 7 23:38 merged.mg
-r--r----- 1 root ossec 14811 Oct 12 2010 rootkit_files.txt
-r--r----- 1 root ossec 5229 Oct 12 2010 rootkit_trojans.txt
-r--r----- 1 root ossec 7929 Oct 12 2010 system_audit_rcl.txt
-r--r----- 1 root ossec 4614 Oct 12 2010 win_applications_rcl.txt
-r--r----- 1 root ossec 3798 Oct 12 2010 win_audit_rcl.txt
-r--r----- 1 root ossec 4866 Oct 12 2010 win_malware_rcl.txt


I have already run "verify-agent-conf" with no output sent back:

$ bin/verify-agent-conf
$

Here's sample output from when I restart the central server:

2011/06/07 10:19:51 ossec-monitord(1225): INFO: SIGNAL Received. Exit Cleaning...
2011/06/07 10:19:51 ossec-logcollector(1225): INFO: SIGNAL Received. Exit Cleaning...
2011/06/07 10:19:51 ossec-remoted(1225): INFO: SIGNAL Received. Exit Cleaning...
2011/06/07 10:19:51 ossec-remoted(1225): INFO: SIGNAL Received. Exit Cleaning...
2011/06/07 10:19:51 ossec-analysisd(1225): INFO: SIGNAL Received. Exit Cleaning...
2011/06/07 10:19:51 ossec-maild(1225): INFO: SIGNAL Received. Exit Cleaning...
2011/06/07 10:19:51 ossec-execd(1314): INFO: Shutdown received. Deleting responses.
2011/06/07 10:19:51 ossec-execd(1225): INFO: SIGNAL Received. Exit Cleaning...
2011/06/07 10:19:51 ossec-csyslogd(1225): INFO: SIGNAL Received. Exit Cleaning...
2011/06/07 10:19:51 ossec-syscheckd(1225): INFO: SIGNAL Received. Exit Cleaning...
2011/06/07 10:19:51 ossec-testrule: INFO: Reading local decoder file.
2011/06/07 10:19:52 ossec-csyslogd: INFO: Started (pid: 16064).
2011/06/07 10:19:52 ossec-csyslogd: INFO: Forwarding alerts via syslog to: '0.0.0.0:10002'.
2011/06/07 10:19:52 ossec-maild: INFO: Started (pid: 16068).
2011/06/07 10:19:52 ossec-execd: INFO: Started (pid: 16072).
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading local decoder file.
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'rules_config.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'pam_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'sshd_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'telnetd_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'syslog_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'arpwatch_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'symantec-av_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'symantec-ws_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'pix_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'named_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'smbd_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'vsftpd_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'pure-ftpd_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'proftpd_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'ms_ftpd_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'ftpd_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'hordeimp_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'roundcube_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'wordpress_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'cimserver_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'vpopmail_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'vmpop3d_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'courier_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'web_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'apache_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'nginx_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'php_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'mysql_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'postgresql_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'ids_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'squid_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'firewall_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'cisco-ios_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'netscreenfw_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'sonicwall_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'postfix_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'sendmail_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'imapd_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'mailscanner_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'dovecot_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'ms-exchange_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'racoon_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'vpn_concentrator_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'spamd_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'msauth_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'mcafee_av_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'trend-osce_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'ms-se_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'zeus_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'solaris_bsm_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'vmware_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'ms_dhcp_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'asterisk_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'ossec_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'attack_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'local_rules.xml'
2011/06/07 10:19:52 ossec-analysisd: INFO: Total rules enabled: '1121'
2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: '/etc/mtab'
2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: '/etc/mnttab'
2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: '/etc/hosts.deny'
2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: '/etc/mail/statistics'
2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: '/etc/random-seed'
2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: '/etc/adjtime'
2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: '/etc/httpd/logs'
2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: '/etc/utmpx'
2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: '/etc/wtmpx'
2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: '/etc/cups/certs'
2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: '/etc/dumpdates'
2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: '/etc/svc/volatile'
2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/System32/LogFiles'
2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/Debug'
2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/WindowsUpdate.log'
2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/iis6.log'
2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/wbem/Logs'
2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/wbem/Repository'
2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/Prefetch'
2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/PCHEALTH/HELPCTR/DataColl'
2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/SoftwareDistribution'
2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/Temp'
2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/config'
2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/spool'
2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/CatRoot'
2011/06/07 10:19:52 ossec-analysisd: INFO: White listing IP: '127.0.0.1'
2011/06/07 10:19:52 ossec-analysisd: INFO: White listing IP: '0.0.0.0'
2011/06/07 10:19:52 ossec-analysisd: INFO: White listing IP: '0.0.0.0'
2011/06/07 10:19:52 ossec-analysisd: INFO: White listing IP: '0.0.0.0'
2011/06/07 10:19:52 ossec-analysisd: INFO: White listing IP: '0.0.0.0'
2011/06/07 10:19:52 ossec-analysisd: INFO: White listing IP: '0.0.0.0'
2011/06/07 10:19:52 ossec-analysisd: INFO: White listing IP: '0.0.0.0'
2011/06/07 10:19:52 ossec-analysisd: INFO: 7 IPs in the white list for active response.
2011/06/07 10:19:52 ossec-analysisd: INFO: White listing Hostname: 'localhost.localdomain'
2011/06/07 10:19:52 ossec-analysisd: INFO: 1 Hostname(s) in the white list for active response.
2011/06/07 10:19:52 ossec-analysisd: INFO: Started (pid: 16078).
2011/06/07 10:19:52 ossec-remoted: INFO: Started (pid: 16086).
2011/06/07 10:19:52 ossec-remoted: Remote syslog allowed from: '0.0.0.0'
2011/06/07 10:19:52 ossec-remoted: INFO: Started (pid: 16087).
2011/06/07 10:19:52 ossec-remoted: INFO: Started (pid: 16088).
2011/06/07 10:19:52 ossec-remoted: ERROR: Unable to create merged file: '/etc/shared/merged.mg'.
2011/06/07 10:19:52 ossec-remoted: ERROR: Unable to create merged file: '/etc/shared/merged.mg'.
2011/06/07 10:19:52 ossec-remoted: ERROR: Unable to create merged file: '/etc/shared/merged.mg'.
2011/06/07 10:19:52 ossec-remoted: ERROR: Unable to create merged file: '/etc/shared/merged.mg'.
2011/06/07 10:19:52 ossec-remoted: ERROR: Unable to create merged file: '/etc/shared/merged.mg'.
2011/06/07 10:19:52 ossec-remoted: ERROR: Unable to create merged file: '/etc/shared/merged.mg'.
2011/06/07 10:19:52 ossec-remoted: ERROR: Unable to create merged file: '/etc/shared/merged.mg'.
2011/06/07 10:19:52 ossec-remoted: ERROR: Unable to create merged file: '/etc/shared/merged.mg'.
2011/06/07 10:19:52 ossec-remoted: ERROR: Unable to create merged file: '/etc/shared/merged.mg'.
2011/06/07 10:19:52 ossec-remoted: ERROR: Unable to create merged file: '/etc/shared/merged.mg'.
2011/06/07 10:19:52 ossec-remoted: ERROR: Unable to create merged file: '/etc/shared/merged.mg'.
2011/06/07 10:19:52 ossec-remoted: ERROR: Unable to create merged file: '/etc/shared/merged.mg'.
2011/06/07 10:19:52 ossec-remoted(4111): INFO: Maximum number of agents allowed: '256'.
2011/06/07 10:19:52 ossec-remoted(1410): INFO: Reading authentication keys file.
2011/06/07 10:19:52 ossec-remoted: INFO: Assigning counter for agent client1: '29:7341'.
2011/06/07 10:19:52 ossec-remoted: INFO: Assigning counter for agent client2: '43:5553'.
2011/06/07 10:19:52 ossec-remoted: INFO: Assigning counter for agent client3: '98:8938'.
2011/06/07 10:19:52 ossec-remoted: INFO: Assigning sender counter: 4:5509
2011/06/07 10:19:52 ossec-monitord: INFO: Started (pid: 16098).
2011/06/07 10:19:55 ossec-analysisd: INFO: Connected to '/queue/alerts/ar' (active-response queue)
2011/06/07 10:19:55 ossec-analysisd: INFO: Connected to '/queue/alerts/execq' (exec queue)
2011/06/07 10:19:56 ossec-syscheckd: INFO: Started (pid: 16094).
2011/06/07 10:19:56 ossec-rootcheck: INFO: Started (pid: 16094).
2011/06/07 10:19:56 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
2011/06/07 10:19:56 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin'.
2011/06/07 10:19:56 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin'.
2011/06/07 10:19:56 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
2011/06/07 10:19:56 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
2011/06/07 10:19:58 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'.
2011/06/07 10:19:58 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/secure'.
2011/06/07 10:19:58 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/maillog'.
2011/06/07 10:19:58 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/httpd/error_log'.
2011/06/07 10:19:58 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/httpd/access_log'.
2011/06/07 10:19:58 ossec-logcollector(1950): INFO: Analyzing file: '/var/ossec/logs/active-responses.log'.
2011/06/07 10:19:58 ossec-logcollector: INFO: Started (pid: 16082).


Here are the permissions on one client's "etc/shared" directory:

# ls -la etc/shared/
total 176
drwxrwx--- 2 root ossec 4096 Mar 15 16:05 .
dr-xr-x--- 3 root ossec 4096 Jun 6 22:24 ..
-rw-r--r-- 1 ossec ossec 189 May 7 18:44 ar.conf
-rwxrwx--- 1 root ossec 9425 May 7 18:44 cis_debian_linux_rcl.txt
-rwxrwx--- 1 root ossec 8123 May 7 18:44 cis_rhel5_linux_rcl.txt
-rwxrwx--- 1 root ossec 14181 May 7 18:44 cis_rhel_linux_rcl.txt
-rw-r--r-- 1 ossec ossec 73428 May 7 18:44 merged.mg
-rwxrwx--- 1 root ossec 14811 May 7 18:44 rootkit_files.txt
-rwxrwx--- 1 root ossec 5229 May 7 18:44 rootkit_trojans.txt
-rwxrwx--- 1 root ossec 7929 May 7 18:44 system_audit_rcl.txt
-rwxrwx--- 1 root ossec 4614 May 7 18:44 win_applications_rcl.txt
-rwxrwx--- 1 root ossec 3798 May 7 18:44 win_audit_rcl.txt
-rwxrwx--- 1 root ossec 4866 May 7 18:44 win_malware_rcl.txt


Here's the server's output info about one of the agents... note the
missing md5sum mentioned in the documentation:

$ bin/agent_control -i 003

OSSEC HIDS agent_control. Agent information:
Agent ID: 003
Agent Name: client1
IP address: 0.0.0.0
Status: Active

Operating system: Linux client1 2.6.18-194.32.1.el5 #1 SMP W..
Client version: OSSEC HIDS v2.5.1
Last keep alive: Tue Jun 7 10:21:36 2011

Syscheck last started at: Mon Jun 6 22:24:10 2011
Rootcheck last started at: Mon Jun 6 17:19:43 2011


Any suggestions??

Thanks!
- Trey

dan (ddp)

Jun 7, 2011, 11:40:28 AM
to ossec...@googlegroups.com
Just a guess, but chown ossecr /var/ossec/etc/shared/merged.mg

The following message made me notice that:


2011/06/07 10:19:52 ossec-remoted: ERROR: Unable to create merged file: '/etc/shared/merged.mg'.

11 hours is too long, it shouldn't take more than a couple.

treydock

Jun 7, 2011, 4:25:04 PM
to ossec-list
SUCCESS!! Thank you, dan. I didn't ever think the ONLY error in my
logs could cause that file to not go down to clients... but upon fixing
the permissions and restarting both server and agent, the file is
there and working.

Would there be a reference to what permissions should be applied to
files used by OSSEC? I'd like to verify, because I noticed the default
permissions on files seem more permissive than on the server.
Something like Puppet could make enforcing the best permissions very
easy.

Thanks!
- Trey

dan (ddp)

Jun 15, 2011, 3:54:48 PM
to ossec...@googlegroups.com
There isn't a reference currently, but it's a good idea.