Re: [ossec-list] Central ossec.conf management question
Hi ehollis3942,

Do you have salt enabled? If so, could it be replicating a blank agent.conf from your Security Onion master server to your Security Onion sensor?

On Wed, Feb 1, 2017 at 1:19 PM, wrote:
> Our OSSEC server is running the newest version of Security Onion which has it built in.
>
> On Wednesday, February 1, 2017 at 1:15:16 PM UTC-5, dan (ddpbsd) wrote:
>> Did you install OSSEC from source, or from a package?

--
Doug Burks

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Re: [ossec-list] Central ossec.conf management question
Our OSSEC server is running the newest version of Security Onion which has it built in.

On Wednesday, February 1, 2017 at 1:15:16 PM UTC-5, dan (ddpbsd) wrote:
> On Wed, Feb 1, 2017 at 1:12 PM, wrote:
> > Just a note, I have had /var/ossec/etc/shared/agent.conf go from having content back to being blank a number of times here without having any interaction on the server. Has anyone else experienced this?
>
> Did you install OSSEC from source, or from a package?
Re: [ossec-list] Central ossec.conf management question
On Wed, Feb 1, 2017 at 1:12 PM, wrote:
> Just a note, I have had /var/ossec/etc/shared/agent.conf go from having content back to being blank a number of times here without having any interaction on the server. Has anyone else experienced this?

Did you install OSSEC from source, or from a package?
Re: [ossec-list] Central ossec.conf management question
Just a note, I have had /var/ossec/etc/shared/agent.conf go from having content back to being blank a number of times here without having any interaction on the server. Has anyone else experienced this?

On Wednesday, February 1, 2017 at 12:38:44 PM UTC-5, dan (ddpbsd) wrote:
> There shouldn't be anything in ossec that will blank the agent.conf on the server.
> If there is no agent.conf, the agent will use the ossec.conf.
> The running configuration merges the ossec.conf and agent.conf.
Re: [ossec-list] Central ossec.conf management question
On Wed, Feb 1, 2017 at 12:25 PM, wrote:
> Can anyone explain why the agent.conf on the server would have the content removed? My guess is that if the client doesn't have this info in the agent.conf that it is only reading their local ossec.conf file?
>
> As a side note, do I need to re-deploy a new ossec.conf to clients out there with only the server IP configuration or will OSSEC merge the config with the agent.conf on the server?

There shouldn't be anything in ossec that will blank the agent.conf on the server.
If there is no agent.conf, the agent will use the ossec.conf.
The running configuration merges the ossec.conf and agent.conf.

> Thanks all for the help!
>
> Eric
[ossec-list] Central ossec.conf management question
Hello All,

I am currently working on a central ossec.conf file which contains our Windows and Linux configurations for all clients. Here are a few background details:

1. We currently only have a few Linux deployments and roughly 6 Windows deployments as a POC.
2. All clients have a custom config, specific to Windows or Linux.

Now, I'd like to manage clients going forward with a central config file using agent.conf within /var/ossec/etc/shared. I've followed these steps:

1. Created an agent.conf file, and ran verify-agent-conf without any issues.
2. Ran MD5SUM against the agent.conf and noted the hash.
3. Ran agent-control -R against a few clients.
4. Ran agent-control -i and verified that the MD5 changed to match the agent.conf hash.
5. I review the agent.conf file on a Windows client that had updated and it is blank.
6. I review the merged.mg file on the same client and I do see within the file that the custom agent.conf from the server is present.
7. I go back to the /var/ossec/etc/shared/agent.conf and now see that it is completely blank with a different MD5.

Can anyone explain why the agent.conf on the server would have the content removed? My guess is that if the client doesn't have this info in the agent.conf that it is only reading their local ossec.conf file?

As a side note, do I need to re-deploy a new ossec.conf to clients out there with only the server IP configuration or will OSSEC merge the config with the agent.conf on the server?

Thanks all for the help!

Eric
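The manual routine described in this post (hash the shared agent.conf, push it, check the reported MD5, then discover the server copy has gone blank) is easy to script so the blanking is caught and timestamped rather than noticed by accident. The following is an added example written for this thread, not code from OSSEC, Security Onion or any of the posters: it records a baseline MD5 of /var/ossec/etc/shared/agent.conf (the path from the thread), reports on later runs whether the file is unchanged, blanked or otherwise changed, and lists the top-level `<agent_config>` selector blocks (os, name, profile) it contains. The baseline file location, the script name and the sample agent.conf content are assumptions constructed for the example.

```python
"""Baseline-and-check for a centrally managed OSSEC agent.conf.

Added example for this ossec-list thread; not code from OSSEC, Security
Onion or the posters. Run once with --update right after verify-agent-conf
passes to record the MD5, then run it from cron (or any wrapper) so a file
that is blanked or rewritten behind your back produces a non-zero exit.
"""
import hashlib
import json
import os
import sys
import xml.etree.ElementTree as ET
from typing import Optional

AGENT_CONF = "/var/ossec/etc/shared/agent.conf"         # path from the thread
BASELINE = "/var/ossec/etc/.agent.conf.baseline.json"   # assumed location

# Constructed sample, not the poster's real file: one block per OS, the
# Windows/Linux split the original post describes.
SAMPLE_AGENT_CONF = b"""<agent_config os="Windows">
  <localfile>
    <location>Security</location>
    <log_format>eventlog</log_format>
  </localfile>
</agent_config>
<agent_config os="Linux">
  <syscheck>
    <frequency>7200</frequency>
  </syscheck>
</agent_config>
"""


def md5_hex(data: bytes) -> str:
    """Same digest the poster compared against the agent-control -i output."""
    return hashlib.md5(data).hexdigest()


def inspect_agent_conf(data: bytes) -> dict:
    """Describe the file: MD5, blank or not, parse status, and the selector
    attributes of each top-level <agent_config> block."""
    info = {"md5": md5_hex(data), "blank": not data.strip(),
            "blocks": [], "parse_error": None}
    if info["blank"]:
        return info
    # agent.conf may hold several top-level <agent_config> elements, so wrap
    # them in a synthetic root before handing them to an XML parser.
    try:
        root = ET.fromstring(b"<root>" + data + b"</root>")
    except ET.ParseError as exc:
        info["parse_error"] = str(exc)
        return info
    for block in root.findall("agent_config"):
        selectors = {k: block.get(k) for k in ("os", "name", "profile")
                     if block.get(k) is not None}
        info["blocks"].append(selectors)
    return info


def classify(data: bytes, baseline_md5: Optional[str]) -> str:
    """Compare current content with the recorded baseline.
    Returns 'no-baseline', 'unchanged', 'blanked' or 'changed'."""
    if baseline_md5 is None:
        return "no-baseline"
    if md5_hex(data) == baseline_md5:
        return "unchanged"
    if not data.strip():
        return "blanked"        # the symptom reported in this thread
    return "changed"


def load_baseline(path: str = BASELINE) -> Optional[str]:
    if not os.path.exists(path):
        return None
    with open(path) as fh:
        return json.load(fh).get("md5")


def save_baseline(md5: str, path: str = BASELINE) -> None:
    with open(path, "w") as fh:
        json.dump({"file": AGENT_CONF, "md5": md5}, fh)


def main(argv: list) -> int:
    with open(AGENT_CONF, "rb") as fh:
        data = fh.read()
    info = inspect_agent_conf(data)
    status = classify(data, load_baseline())
    print(f"{AGENT_CONF}: md5={info['md5']} status={status} "
          f"blocks={info['blocks'] or 'none'}")
    if info["parse_error"]:
        print(f"parse error: {info['parse_error']}")
    if "--update" in argv:
        save_baseline(info["md5"])
        print("baseline updated")
    # Non-zero exit lets cron or a wrapper alert on a blanked/changed file.
    return 0 if status in ("unchanged", "no-baseline") else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it as `python3 check_agent_conf.py --update` (assumed file name) once the file is known good, then on a schedule without the flag; a `blanked` status with a timestamp narrows down whether the file is being emptied by something on the server (such as the salt replication Doug Burks asks about) rather than by OSSEC itself. The `blocks` listing also confirms that the per-OS selectors survived the edit, which is what the agents key on when they merge agent.conf with their local ossec.conf.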