On Tue, Sep 26, 2017 at 1:41 PM, Oh Ar <perlh...@gmail.com> wrote:

> When I try to start the agent, I get a message that the logcollector module
> has failed.
>
> 2017/09/22 14:52:01 ossec-logcollector: Remote commands are not accepted
> from the manager. Ignoring it on the agent.conf
> 2017/09/22 14:52:01 ossec-logcollector(1202): ERROR: Configuration error at
> '/var/ossec/ossec-agent/etc/shared/agent.conf'. Exiting.
>
> This only happens when I have commands in the localfile section of the
> agent.conf file, i.e.:
>
> <localfile>
>   <log_format>full_command</log_format>
>   <command>netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort</command>
>   <frequency>360</frequency>
> </localfile>
>
> When I take these out of the agent.conf file, the error goes away, but from
> reading the manual, it seems like I should be able to run these commands.
Did you set "logcollector.remote_commands" to 1 in the agent's "ossec/etc/local_internal_options.conf"? If this is set to 0 (the default), remote commands are not accepted by the agent.

> Another problem I'm having is that when I try to restart the agent, I get
> the following set of messages:
>
> 2017/09/22 14:52:01 ossec-syscheckd: WARN: Syscheck disabled.
> 2017/09/22 14:52:01 rootcheck: Rootcheck disabled. Exiting.
> 2017/09/22 14:52:01 ossec-syscheckd: WARN: Rootcheck module disabled.
>
> And I haven't had any luck with Google to find a solution. Every hit for
> that phrase I've come up with has been for people who want to turn syscheck
> off, not people who were having trouble turning it on.

Do you have any <directories> defined in the agent's ossec.conf? I can't think of any other way to disable syscheck.

> Lastly, I'm getting an email from the system every hour that has messages
> from every few seconds of the format:
>
> OSSEC HIDS Notification.
> 2017 Sep 22 14:41:01
>
> Received From: (avtest) 10.234.199.51->/var/ossec/logs/alerts/alerts.log|(avtest) 10.234.199.51->/var/ossec/logs/alerts/alerts.log|(avtest) 10.234.199.51->/var/ossec/logs/alerts/alerts.log|(avtest) 10.234.199.51->/var/ossec/logs/alerts/alerts.log|(avtest) 10.234.199.51
> Rule: 503 fired (level 3) -> "Ossec agent started."
> Portion of the log(s):
>
> ossec: Agent started: 'avtest->10.234.199.51'.
>
> --END OF NOTIFICATION
>
> I don't know why it's telling me that the agent has started every 5 seconds
> or so, unless the agent is restarting every 5 seconds or so. And if the
> agent is restarting every 5 seconds or so, I want to make it *stop*. :D

Never seen that issue; you can check the agent's ossec.log for clues as to what is happening.

> I've attached the files that the OSSEC page recommends including with
> requests for help. Thanks in advance. :)
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
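As an added example (not code from the thread or from OSSEC), the following POSIX shell check pairs the two files the reply points at and flags the case where the manager's shared agent.conf pushes <command> entries while the agent's local_internal_options.conf leaves logcollector.remote_commands at the default 0, which produces exactly the "Remote commands are not accepted from the manager" error quoted above. Setting it to 1 lets whoever controls the manager's shared configuration run commands on every agent, so treat it as a trust decision and not just an error fix; the default /var/ossec layout and the sample files built by demo() are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread or OSSEC): does this agent accept the
# <command> entries that the manager's shared agent.conf pushes to it?

# 0 if the internal options file sets logcollector.remote_commands=1
# (anchored at line start, so a commented-out "#logcollector..." does not count).
remote_commands_enabled() {
    grep -Eq '^[[:space:]]*logcollector\.remote_commands[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1" 2>/dev/null
}

# 0 if the shared agent.conf carries at least one <command> localfile entry.
agent_conf_has_commands() {
    grep -q '<command>' "$1" 2>/dev/null
}

# Prints a verdict for the pair of files; returns 0 (consistent) or 1 (mismatch).
# The mismatch is the "Remote commands are not accepted from the manager" case:
# the agent ignores the pushed command and logcollector exits with a config error.
check_remote_commands() {
    conf="$1"; opts="$2"
    if ! agent_conf_has_commands "$conf"; then
        echo "ok: $conf pushes no remote commands"
        return 0
    fi
    if remote_commands_enabled "$opts"; then
        echo "ok: $conf pushes commands and $opts accepts them"
        return 0
    fi
    echo "mismatch: $conf pushes commands but $opts lacks logcollector.remote_commands=1"
    return 1
}

# Runs the check against constructed sample files (built in a temp dir) with the
# given remote_commands value; returns the check's status so it can be scripted.
demo() {
    tmp=$(mktemp -d) || return 2
    cat >"$tmp/agent.conf" <<'EOF'
<agent_config>
  <localfile>
    <log_format>full_command</log_format>
    <command>netstat -tan | grep LISTEN | grep -v 127.0.0.1 | sort</command>
    <frequency>360</frequency>
  </localfile>
</agent_config>
EOF
    printf 'logcollector.remote_commands=%s\n' "$1" >"$tmp/local_internal_options.conf"
    check_remote_commands "$tmp/agent.conf" "$tmp/local_internal_options.conf"
    rc=$?; rm -rf "$tmp"; return $rc
}
```

On a real agent, run `check_remote_commands /var/ossec/etc/shared/agent.conf /var/ossec/etc/local_internal_options.conf` (paths assumed); `demo 0` reproduces the mismatch behind the first error in the thread and `demo 1` the accepted case.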