subject:"\[ossec\-list\] Central ossec.conf management question"

Re: [ossec-list] Central ossec.conf management question

2017-02-05 Thread Doug Burks

Hi ehollis3942,

Do you have salt enabled?  If so, could it be replicating a blank
agent.conf from your Security Onion master server to your Security
Onion sensor?

On Wed, Feb 1, 2017 at 1:19 PM,   wrote:
> Our OSSEC server is running the newest version of Security Onion which has
> it built in
>
> On Wednesday, February 1, 2017 at 1:15:16 PM UTC-5, dan (ddpbsd) wrote:
>>
>> On Wed, Feb 1, 2017 at 1:12 PM,   wrote:
>> > Just a note, I have had /var/ossec/etc/shared/agent.conf go from having
>> > content back to being blank a number of times here without having any
>> > interaction on the server. Has anyone else experienced this?
>> >
>>
>> Did you install OSSEC from source, or from a package?
>>
>> > On Wednesday, February 1, 2017 at 12:38:44 PM UTC-5, dan (ddpbsd) wrote:
>> >>
>> >> On Wed, Feb 1, 2017 at 12:25 PM,   wrote:
>> >> > Hello All,
>> >> >
>> >> > I am currently working on a central ossec.conf file which contains
>> >> > our
>> >> > Windows and Linux configurations for all clients. Here are a few
>> >> > background
>> >> > details:
>> >> >
>> >> > 1. We currently only have a few Linux deployments and roughly 6
>> >> > Windows
>> >> > deployments as a POC
>> >> > 2. All clients have a custom config, specific to Windows or Linux
>> >> >
>> >> > Now, I'd like to manage clients going forward with a central config
>> >> > file
>> >> > using agent.conf within /var/ossec/etc/shared. I've followed these
>> >> > steps:
>> >> >
>> >> > 1.Created an agent.conf file, and ran verify-agent-conf without any
>> >> > issues.
>> >> > 2. Ran MD5SUM against the agent.conf and noted hash
>> >> > 3. Ran agent-control -R  against a few clients
>> >> > 4. Ran agent-control -i  and verified that the MD5 changed to
>> >> > match
>> >> > the
>> >> > agent.conf hash
>> >> > 5. I review the agent.conf file on a Windows client that had updated
>> >> > and
>> >> > it
>> >> > is blank
>> >> > 6. I review the merged.mg file on the same client and I do see within
>> >> > the
>> >> > file that the custom agent.conf from the server is present
>> >> > 7. I go back to the /var/ossec/etc/shared/agent.conf and now see that
>> >> > it
>> >> > is
>> >> > completely blank with a different MD5
>> >> >
>> >> > Can anyone explain why the agent.conf on the server would have the
>> >> > content
>> >> > removed? My guess is that if the client doesn't have this info in the
>> >> > agent.conf that it is only reading their local ossec.conf file?
>> >> >
>> >> > As a side note, do I need to re-deploy a new ossec.conf to clients
>> >> > out
>> >> > there
>> >> > with only the server IP configuration or will OSSEC merge the config
>> >> > with
>> >> > the agent.conf on the server?
>> >> >
>> >>
>> >> There shouldn't be anything in ossec that will blank the agent.conf on
>> >> the server.
>> >> If there is no agent.conf, the agent will use the ossec.conf.
>> >> The running configuration merges the ossec.conf and agent.conf.
>> >>
>> >> > Thanks all for the help!
>> >> >
>> >> > Eric
>> >> >
>> >> > --
>> >> >
>> >> > ---
>> >> > You received this message because you are subscribed to the Google
>> >> > Groups
>> >> > "ossec-list" group.
>> >> > To unsubscribe from this group and stop receiving emails from it,
>> >> > send
>> >> > an
>> >> > email to ossec-list+...@googlegroups.com.
>> >> > For more options, visit https://groups.google.com/d/optout.
>> >
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google
>> > Groups
>> > "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send
>> > an
>> > email to ossec-list+...@googlegroups.com.
>> > For more options, visit https://groups.google.com/d/optout.
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.



-- 
Doug Burks

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [ossec-list] Central ossec.conf management question

2017-02-01 Thread ehollis3942

Our OSSEC server is running the newest version of Security Onion which has 
it built in

On Wednesday, February 1, 2017 at 1:15:16 PM UTC-5, dan (ddpbsd) wrote:
>
> On Wed, Feb 1, 2017 at 1:12 PM,   
> wrote: 
> > Just a note, I have had /var/ossec/etc/shared/agent.conf go from having 
> > content back to being blank a number of times here without having any 
> > interaction on the server. Has anyone else experienced this? 
> > 
>
> Did you install OSSEC from source, or from a package? 
>
> > On Wednesday, February 1, 2017 at 12:38:44 PM UTC-5, dan (ddpbsd) wrote: 
> >> 
> >> On Wed, Feb 1, 2017 at 12:25 PM,   wrote: 
> >> > Hello All, 
> >> > 
> >> > I am currently working on a central ossec.conf file which contains 
> our 
> >> > Windows and Linux configurations for all clients. Here are a few 
> >> > background 
> >> > details: 
> >> > 
> >> > 1. We currently only have a few Linux deployments and roughly 6 
> Windows 
> >> > deployments as a POC 
> >> > 2. All clients have a custom config, specific to Windows or Linux 
> >> > 
> >> > Now, I'd like to manage clients going forward with a central config 
> file 
> >> > using agent.conf within /var/ossec/etc/shared. I've followed these 
> >> > steps: 
> >> > 
> >> > 1.Created an agent.conf file, and ran verify-agent-conf without any 
> >> > issues. 
> >> > 2. Ran MD5SUM against the agent.conf and noted hash 
> >> > 3. Ran agent-control -R  against a few clients 
> >> > 4. Ran agent-control -i  and verified that the MD5 changed to 
> match 
> >> > the 
> >> > agent.conf hash 
> >> > 5. I review the agent.conf file on a Windows client that had updated 
> and 
> >> > it 
> >> > is blank 
> >> > 6. I review the merged.mg file on the same client and I do see 
> within 
> >> > the 
> >> > file that the custom agent.conf from the server is present 
> >> > 7. I go back to the /var/ossec/etc/shared/agent.conf and now see that 
> it 
> >> > is 
> >> > completely blank with a different MD5 
> >> > 
> >> > Can anyone explain why the agent.conf on the server would have the 
> >> > content 
> >> > removed? My guess is that if the client doesn't have this info in the 
> >> > agent.conf that it is only reading their local ossec.conf file? 
> >> > 
> >> > As a side note, do I need to re-deploy a new ossec.conf to clients 
> out 
> >> > there 
> >> > with only the server IP configuration or will OSSEC merge the config 
> >> > with 
> >> > the agent.conf on the server? 
> >> > 
> >> 
> >> There shouldn't be anything in ossec that will blank the agent.conf on 
> >> the server. 
> >> If there is no agent.conf, the agent will use the ossec.conf. 
> >> The running configuration merges the ossec.conf and agent.conf. 
> >> 
> >> > Thanks all for the help! 
> >> > 
> >> > Eric 
> >> > 
> >> > -- 
> >> > 
> >> > --- 
> >> > You received this message because you are subscribed to the Google 
> >> > Groups 
> >> > "ossec-list" group. 
> >> > To unsubscribe from this group and stop receiving emails from it, 
> send 
> >> > an 
> >> > email to ossec-list+...@googlegroups.com. 
> >> > For more options, visit https://groups.google.com/d/optout. 
> > 
> > -- 
> > 
> > --- 
> > You received this message because you are subscribed to the Google 
> Groups 
> > "ossec-list" group. 
> > To unsubscribe from this group and stop receiving emails from it, send 
> an 
> > email to ossec-list+...@googlegroups.com . 
> > For more options, visit https://groups.google.com/d/optout. 
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [ossec-list] Central ossec.conf management question

2017-02-01 Thread dan (ddp)

On Wed, Feb 1, 2017 at 1:12 PM,   wrote:
> Just a note, I have had /var/ossec/etc/shared/agent.conf go from having
> content back to being blank a number of times here without having any
> interaction on the server. Has anyone else experienced this?
>

Did you install OSSEC from source, or from a package?

> On Wednesday, February 1, 2017 at 12:38:44 PM UTC-5, dan (ddpbsd) wrote:
>>
>> On Wed, Feb 1, 2017 at 12:25 PM,   wrote:
>> > Hello All,
>> >
>> > I am currently working on a central ossec.conf file which contains our
>> > Windows and Linux configurations for all clients. Here are a few
>> > background
>> > details:
>> >
>> > 1. We currently only have a few Linux deployments and roughly 6 Windows
>> > deployments as a POC
>> > 2. All clients have a custom config, specific to Windows or Linux
>> >
>> > Now, I'd like to manage clients going forward with a central config file
>> > using agent.conf within /var/ossec/etc/shared. I've followed these
>> > steps:
>> >
>> > 1.Created an agent.conf file, and ran verify-agent-conf without any
>> > issues.
>> > 2. Ran MD5SUM against the agent.conf and noted hash
>> > 3. Ran agent-control -R  against a few clients
>> > 4. Ran agent-control -i  and verified that the MD5 changed to match
>> > the
>> > agent.conf hash
>> > 5. I review the agent.conf file on a Windows client that had updated and
>> > it
>> > is blank
>> > 6. I review the merged.mg file on the same client and I do see within
>> > the
>> > file that the custom agent.conf from the server is present
>> > 7. I go back to the /var/ossec/etc/shared/agent.conf and now see that it
>> > is
>> > completely blank with a different MD5
>> >
>> > Can anyone explain why the agent.conf on the server would have the
>> > content
>> > removed? My guess is that if the client doesn't have this info in the
>> > agent.conf that it is only reading their local ossec.conf file?
>> >
>> > As a side note, do I need to re-deploy a new ossec.conf to clients out
>> > there
>> > with only the server IP configuration or will OSSEC merge the config
>> > with
>> > the agent.conf on the server?
>> >
>>
>> There shouldn't be anything in ossec that will blank the agent.conf on
>> the server.
>> If there is no agent.conf, the agent will use the ossec.conf.
>> The running configuration merges the ossec.conf and agent.conf.
>>
>> > Thanks all for the help!
>> >
>> > Eric
>> >
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google
>> > Groups
>> > "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send
>> > an
>> > email to ossec-list+...@googlegroups.com.
>> > For more options, visit https://groups.google.com/d/optout.
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [ossec-list] Central ossec.conf management question

2017-02-01 Thread ehollis3942

Just a note, I have had /var/ossec/etc/shared/agent.conf go from having 
content back to being blank a number of times here without having any 
interaction on the server. Has anyone else experienced this?

On Wednesday, February 1, 2017 at 12:38:44 PM UTC-5, dan (ddpbsd) wrote:
>
> On Wed, Feb 1, 2017 at 12:25 PM,   
> wrote: 
> > Hello All, 
> > 
> > I am currently working on a central ossec.conf file which contains our 
> > Windows and Linux configurations for all clients. Here are a few 
> background 
> > details: 
> > 
> > 1. We currently only have a few Linux deployments and roughly 6 Windows 
> > deployments as a POC 
> > 2. All clients have a custom config, specific to Windows or Linux 
> > 
> > Now, I'd like to manage clients going forward with a central config file 
> > using agent.conf within /var/ossec/etc/shared. I've followed these 
> steps: 
> > 
> > 1.Created an agent.conf file, and ran verify-agent-conf without any 
> issues. 
> > 2. Ran MD5SUM against the agent.conf and noted hash 
> > 3. Ran agent-control -R  against a few clients 
> > 4. Ran agent-control -i  and verified that the MD5 changed to match 
> the 
> > agent.conf hash 
> > 5. I review the agent.conf file on a Windows client that had updated and 
> it 
> > is blank 
> > 6. I review the merged.mg file on the same client and I do see within 
> the 
> > file that the custom agent.conf from the server is present 
> > 7. I go back to the /var/ossec/etc/shared/agent.conf and now see that it 
> is 
> > completely blank with a different MD5 
> > 
> > Can anyone explain why the agent.conf on the server would have the 
> content 
> > removed? My guess is that if the client doesn't have this info in the 
> > agent.conf that it is only reading their local ossec.conf file? 
> > 
> > As a side note, do I need to re-deploy a new ossec.conf to clients out 
> there 
> > with only the server IP configuration or will OSSEC merge the config 
> with 
> > the agent.conf on the server? 
> > 
>
> There shouldn't be anything in ossec that will blank the agent.conf on 
> the server. 
> If there is no agent.conf, the agent will use the ossec.conf. 
> The running configuration merges the ossec.conf and agent.conf. 
>
> > Thanks all for the help! 
> > 
> > Eric 
> > 
> > -- 
> > 
> > --- 
> > You received this message because you are subscribed to the Google 
> Groups 
> > "ossec-list" group. 
> > To unsubscribe from this group and stop receiving emails from it, send 
> an 
> > email to ossec-list+...@googlegroups.com . 
> > For more options, visit https://groups.google.com/d/optout. 
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [ossec-list] Central ossec.conf management question

2017-02-01 Thread dan (ddp)

On Wed, Feb 1, 2017 at 12:25 PM,   wrote:
> Hello All,
>
> I am currently working on a central ossec.conf file which contains our
> Windows and Linux configurations for all clients. Here are a few background
> details:
>
> 1. We currently only have a few Linux deployments and roughly 6 Windows
> deployments as a POC
> 2. All clients have a custom config, specific to Windows or Linux
>
> Now, I'd like to manage clients going forward with a central config file
> using agent.conf within /var/ossec/etc/shared. I've followed these steps:
>
> 1.Created an agent.conf file, and ran verify-agent-conf without any issues.
> 2. Ran MD5SUM against the agent.conf and noted hash
> 3. Ran agent-control -R  against a few clients
> 4. Ran agent-control -i  and verified that the MD5 changed to match the
> agent.conf hash
> 5. I review the agent.conf file on a Windows client that had updated and it
> is blank
> 6. I review the merged.mg file on the same client and I do see within the
> file that the custom agent.conf from the server is present
> 7. I go back to the /var/ossec/etc/shared/agent.conf and now see that it is
> completely blank with a different MD5
>
> Can anyone explain why the agent.conf on the server would have the content
> removed? My guess is that if the client doesn't have this info in the
> agent.conf that it is only reading their local ossec.conf file?
>
> As a side note, do I need to re-deploy a new ossec.conf to clients out there
> with only the server IP configuration or will OSSEC merge the config with
> the agent.conf on the server?
>

There shouldn't be anything in ossec that will blank the agent.conf on
the server.
If there is no agent.conf, the agent will use the ossec.conf.
The running configuration merges the ossec.conf and agent.conf.

> Thanks all for the help!
>
> Eric
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[ossec-list] Central ossec.conf management question

2017-02-01 Thread ehollis3942

Hello All,

I am currently working on a central ossec.conf file which contains our 
Windows and Linux configurations for all clients. Here are a few background 
details:

1. We currently only have a few Linux deployments and roughly 6 Windows 
deployments as a POC
2. All clients have a custom config, specific to Windows or Linux

Now, I'd like to manage clients going forward with a central config file 
using agent.conf within /var/ossec/etc/shared. I've followed these steps:

1.Created an agent.conf file, and ran verify-agent-conf without any issues. 
2. Ran MD5SUM against the agent.conf and noted hash
3. Ran agent-control -R  against a few clients
4. Ran agent-control -i  and verified that the MD5 changed to match the 
agent.conf hash
5. I review the agent.conf file on a Windows client that had updated and it 
is blank
6. I review the merged.mg file on the same client and I do see within the 
file that the custom agent.conf from the server is present 
7. I go back to the /var/ossec/etc/shared/agent.conf and now see that it is 
completely blank with a different MD5

Can anyone explain why the agent.conf on the server would have the content 
removed? My guess is that if the client doesn't have this info in the 
agent.conf that it is only reading their local ossec.conf file?

As a side note, do I need to re-deploy a new ossec.conf to clients out 
there with only the server IP configuration or will OSSEC merge the config 
with the agent.conf on the server?

Thanks all for the help!

Eric 

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [ossec-list] Central ossec.conf management question

Re: [ossec-list] Central ossec.conf management question

Re: [ossec-list] Central ossec.conf management question

Re: [ossec-list] Central ossec.conf management question

Re: [ossec-list] Central ossec.conf management question

[ossec-list] Central ossec.conf management question

6 matches

Site Navigation

Mail list logo

Footer information