[ossec-list] Authd - IP = ANY

2013-07-03 Thread Jared
Hello, 
 
My output from:
 
*/var/ossec/bin/agent_control -l*
 
has an agent displayed as the following:
 
*ID: 1024, Name: NagiosXI, IP: any, Active*
 
Which is expected based on the documentation in ossec.net = *ossec-authd* will 
create an agent with an ip address of any instead of using its actual IP.
 
Now that the agent is registered, how can I safely update the any field 
in OSSEC to display the correct IP as opposed to the value of any? I am 
using the output of */var/ossec/bin/agent_control -l > /tmp/report.txt* for 
another purpose and it is causing me some grief. 
 
Thank you, 
 
Jared 
 
 
 
 

-- 

--- 
You received this message because you are subscribed to the Google Groups 
ossec-list group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.




Re: [ossec-list] OSSEC Profiles clarification

2013-07-03 Thread Jared
My apologies, I thought that I had replied to this. 
 
This made sense and I appreciate the information. 
 
Jared 
On Monday, June 24, 2013 2:25:53 PM UTC-4, dan (ddpbsd) wrote:

> On Mon, Jun 24, 2013 at 1:15 PM, Jared <jaredgr...@gmail.com> wrote:
> > Question:
> >
> > How are Profiles associated with clients / agents?
> >
> > Scenario:
> >
> > Agent ID = 001 = Web01 = IIS and MySQL = Windows
> >
> > Agent ID = 002 = Web02 = Apache/Tomcat and MySQL = CentOs
> >
> > I would like to have a profile for each server type so that I no longer see
> > the following errors:
> >
> > 2013/06/24 10:08:52 ossec-agent(1952): INFO: Monitoring variable log file:
> > 'C:\Tomcat7\logs\localhost_access_log.2013-06-24.txt'.
> > 2013/06/24 10:08:52 ossec-agent(1103): ERROR: Unable to open file
> > 'C:\Tomcat7\logs\localhost_access_log.2013-06-24.txt'.
> >
> > For Windows servers that do not have Tomcat for example?
> >
> > Based on the following from the web documentation from
> > http://www.ossec.net/doc/syntax/head_agent_config.html?highlight=profile#profile:
> >
> > profile
> > This option to agent_config allows you to assign a profile name to the
> > block. Any agent may use this block if it is configured to use the defined
> > profile.
> >
> > Example: <agent_config profile="webservers">
> >
> > How do I tell Agent 002 that it should be associated with LinuxWebs
> >
> > <agent_config profile="LinuxWebs">
> >
> > How do I tell Agent 002 that it should be subordinate to WinWebs
> >
> > <agent_config profile="LinuxWebs">
> >
> > In the following config:
> >
> > <agent_config profile="LinuxWebs">
> >   <localfile>
> >     <location>/var/log/secure</location>
> >     <log_format>syslog</log_format>
> >   </localfile>
> >
> > </agent_config>
> >
> > Thanks for all of the posts and info? Very helpful list!!
> >
> > Jared
>
> In the agent's ossec.conf add a config-profile entry to the client
> section.  Example:
>
> <ossec_config>
>   <client>
>     <server-ip>192.168.17.9</server-ip>
>     <config-profile>openbsd-firewall,openbsd-test</config-profile>
>   </client>
> </ossec_config>
>
> The above agent is a member of the openbsd-firewall and openbsd-test
> profiles in agent.conf.


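
Added example, not part of the thread or of OSSEC itself: a small audit helper that reads an agent's `config-profile` list and reports which `localfile` locations it would pick up from the profile blocks of a shared agent.conf. Both config samples are constructed, the function names are hypothetical, and exact-name matching of profiles is an assumption of this sketch.

```python
import xml.etree.ElementTree as ET

# Constructed shared agent.conf (server side). Profile names follow the
# thread; the IIS block and its path are made up for the example.
AGENT_CONF = r"""
<agent_config profile="LinuxWebs">
  <localfile>
    <location>/var/log/secure</location>
    <log_format>syslog</log_format>
  </localfile>
</agent_config>
<agent_config profile="WinWebs">
  <localfile>
    <location>C:\inetpub\logs\LogFiles\W3SVC1\u_ex.log</location>
    <log_format>iis</log_format>
  </localfile>
</agent_config>
"""

# Constructed agent-side ossec.conf for Web02, in the shape shown in the reply.
WEB02_OSSEC_CONF = """
<ossec_config>
  <client>
    <server-ip>192.168.17.9</server-ip>
    <config-profile>LinuxWebs,openbsd-test</config-profile>
  </client>
</ossec_config>
"""

def agent_profiles(ossec_conf_xml):
    """Profiles an agent declares in <client><config-profile>."""
    text = ET.fromstring(ossec_conf_xml).findtext("client/config-profile", "")
    return {p.strip() for p in text.split(",") if p.strip()}

def localfiles_for(agent_conf_xml, profiles):
    """(profile, location) pairs from the profile blocks the agent belongs to.
    Assumption: a block applies when its profile attribute equals one declared
    name; blocks selected by other attributes are ignored here."""
    # agent.conf has several top-level elements, so wrap it before parsing.
    root = ET.fromstring("<root>" + agent_conf_xml + "</root>")
    return [(b.get("profile"), loc.text.strip())
            for b in root.findall("agent_config") if b.get("profile") in profiles
            for loc in b.findall("localfile/location")]
```

Running `localfiles_for(AGENT_CONF, agent_profiles(WEB02_OSSEC_CONF))` before pushing a shared agent.conf shows whether a host would be told to monitor files it does not have.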




[ossec-list] Re: Authd - IP = ANY

2013-07-03 Thread David Blanton
On your OSSEC server, in /var/ossec/etc/shared there will be a client.keys 
file

You can gedit or vi that file and you will see in plaintext the Agent ID 
IPADDRESS(any) Agent Name and the encrypted hash. Just change the any for 
agent ID 1024 to the actual IP address.

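
Added example, not part of the thread: the manual edit described above done as a script, so the address is validated, only the intended agent's entry changes, and the key file keeps its mode and a rollback copy. The sample content and its column order are constructed assumptions, the function names are hypothetical, and the file path is left to the caller.

```python
import ipaddress
import os
import shutil

# Constructed client.keys content: placeholder keys, not real key material.
# The column order of this sample is an assumption; the code only needs the
# agent ID first and exactly one "any" among the next two fields.
SAMPLE_KEYS = (
    "1023 Web01 192.0.2.10 PLACEHOLDERKEY1\n"
    "1024 NagiosXI any PLACEHOLDERKEY2\n"
)

def pin_agent_ip(keys_text, agent_id, new_ip):
    """Return keys_text with agent_id's 'any' address replaced by new_ip."""
    ip = str(ipaddress.ip_address(new_ip))   # ValueError on a malformed address
    out, found = [], False
    for line in keys_text.splitlines():
        fields = line.split()
        if len(fields) == 4 and fields[0] == agent_id:
            slots = [i for i in (1, 2) if fields[i] == "any"]
            if len(slots) != 1:              # already pinned, or ambiguous entry
                raise ValueError(f"agent {agent_id}: no single 'any' field")
            fields[slots[0]] = ip
            line, found = " ".join(fields), True
        out.append(line)
    if not found:
        raise KeyError(f"agent {agent_id} not in keys file")
    return "\n".join(out) + "\n"

def update_keys_file(path, agent_id, new_ip):
    """Apply pin_agent_ip to a file, keeping a .bak copy and the file mode."""
    with open(path) as fh:
        new_text = pin_agent_ip(fh.read(), agent_id, new_ip)
    shutil.copy2(path, path + ".bak")        # rollback copy, same mode
    tmp = path + ".tmp"
    # Create the temp file 0600 so key material is never world-readable.
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(new_text)
    shutil.copymode(path, tmp)
    os.replace(tmp, path)                    # atomic swap on one filesystem
```

The replaced file is owned by whoever runs the script, so check its ownership afterwards if that is not the account that normally owns the key file.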




[ossec-list] Ossec agent ossec.conf issue

2013-07-03 Thread Daniel Jochims
I'm trying to set up OSSEC agents on Windows Server 03/08/12. Would anybody 
have an example custom ossec.conf agent file they could share? I know that 
newer Windows servers do not have all the files that are originally listed 
in the default ossec.conf, so I was wondering what others have started to 
monitor in place of them.
 
 
Checking my agent log, this is what I'm getting with the default agent 
ossec.conf:

2013/07/03 13:01:23 ossec-agent: WARN: Error opening directory: 
'C:\boot.ini': No such file or directory 
2013/07/03 13:01:23 ossec-agent: WARN: Error opening directory: 
'C:\Windows/System32/CONFIG.NT': No such file or directory 
2013/07/03 13:01:23 ossec-agent: WARN: Error opening directory: 
'C:\Windows/System32/AUTOEXEC.NT': No such file or directory 
2013/07/03 13:01:23 ossec-agent: WARN: Error opening directory: 
'C:\Windows/System32/debug.exe': No such file or directory 
2013/07/03 13:01:23 ossec-agent: WARN: Error opening directory: 
'C:\Windows/System32/drwatson.exe': No such file or directory 
2013/07/03 13:01:23 ossec-agent: WARN: Error opening directory: 
'C:\Windows/System32/drwtsn32.exe': No such file or directory 
2013/07/03 13:01:23 ossec-agent: WARN: Error opening directory: 
'C:\Windows/System32/edlin.exe': No such file or directory 
2013/07/03 13:01:23 ossec-agent: WARN: Error opening directory: 
'C:\Windows/System32/eventtriggers.exe': No such file or directory 
2013/07/03 13:01:23 ossec-agent: WARN: Error opening directory: 
'C:\Windows/System32/rcp.exe': No such file or directory 
2013/07/03 13:01:23 ossec-agent: WARN: Error opening directory: 
'C:\Windows/System32/rexec.exe': No such file or directory 
2013/07/03 13:01:23 ossec-agent: WARN: Error opening directory: 
'C:\Windows/System32/rsh.exe': No such file or directory 
2013/07/03 13:01:25 ossec-agent: WARN: Error opening directory: 
'C:\Windows/System32/telnet.exe': No such file or directory 
2013/07/03 13:01:25 ossec-agent: WARN: Error opening directory: 
'C:\Windows/System32/tftp.exe': No such file or directory 
2013/07/03 13:01:25 ossec-agent: WARN: Error opening directory: 
'C:\Windows/System32/tlntsvr.exe': No such file or directory 
2013/07/03 13:01:25 ossec-agent: WARN: Error opening directory: 
'C:\Windows\System32\bcdedit.exe': No such file or directory 
2013/07/03 13:01:25 ossec-agent: INFO: Finished creating syscheck database 
(pre-scan completed).
 
 
An example of what I'm trying to do would be :
 
<directories check_all="yes">C:\Windows\System32\bcdedit.exe</directories>
 
boot.ini was replaced in Windows Vista+ with BCD so this would be something 
I'd like to check on. I tried to implement this into the conf file but I'm 
getting no luck getting it to work. 
 
Any suggestions are gladly taken.
