Hello Daniel,

My file ossec-init.conf:

[EMAIL PROTECTED]:~# cat /etc/ossec-init.conf
DIRECTORY="/var/ossec"
VERSION="0.9-SNP-060913"
DATE="Thu Sep 14 13:45:59 BRT 2006"
TYPE="server"
[EMAIL PROTECTED]:~#

Regarding the ar.conf permission, it's OK now. I just did a:
# chown root.ossec /var/ossec/etc/shared/ar.conf

Many thanks,
-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-
Amauri Tiago Marx
Coordenadoria de Tecnologia da Informação e Comunicação, Ctic
Universidade do Oeste de Santa Catarina, Unoesc
Campus de São Miguel do Oeste
www.unoescsmo.edu.br
-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-

----- Original Message -----
From: "Daniel Cid" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Friday, September 15, 2006 11:36 AM
Subject: [ossec-list] Re: Other problems



Can you show me your /etc/ossec-init.conf file? To fix the permission,
just do a:

# chgrp ossec /var/ossec/etc/shared/ar.conf

*btw, are you using the snapshot? I thought I had fixed this permission issue...

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net


On 9/15/06, Administrador Rede <[EMAIL PROTECTED]> wrote:

Hi Daniel,

Ok, I'll fix my iptables rules. Sorry, but I don't know how to use netcat to
test communication. How can I do this?
About ar.conf permissions:

dr-xr-x---   2 root ossec 4.0K 2006-09-14 14:31 shared/
-r--r-----  1 root root    76 2006-09-14 16:20 ar.conf

Is root.ossec the correct one? If yes, the process that creates it needs to be
corrected, because if I delete this file, it is created automatically with the
permissions shown above.

Many thanks again,
-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-
Amauri Tiago Marx
Coordenadoria de Tecnologia da Informação e Comunicação, Ctic
Universidade do Oeste de Santa Catarina, Unoesc
Campus de São Miguel do Oeste
www.unoescsmo.edu.br
-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-


----- Original Message -----
From: "Daniel Cid" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Thursday, September 14, 2006 10:20 PM
Subject: [ossec-list] Re: Other problems


>
> Hi Amauri,
>
> First off, for your iptables rule, do not open it for everyone. Just for the
> specific IPs that you need. Second, make sure that the agent firewall allows
> outbound traffic to port 1514 and them to come back. To test it, just run a
> netcat from the agent to the server on port 1514 and see if it can get to it
> (you should see on the server a message about unable to decrypt or invalid
> format)..
>
> Now, for your second problem, since ossec runs on chroot, when it says
> "/etc/shared/ar.conf", it is actually looking at
> /var/ossec/etc/shared.ar.conf...
> Can you show us the permissions of /var/ossec/etc and /var/ossec/etc/shared ?
> Looks like remoted does not have permission to access it...
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
>> 2006/09/14 15:54:58 ossec-remoted: Error accessing file
>> '/etc/shared/ar.conf'
>
> On 9/14/06, Amauri Tiago Marx <[EMAIL PROTECTED]> wrote:
>>
>>
>> Hi Daniel,
>>
>> Yes, I installed the latest snapshot on the server before the agents.
>> On the ossec server, I have this rule on the firewall:
>> iptables -A INPUT -p udp --dport 1514 --sport 1024:65535 -j ACCEPT
>> Is anything more needed?
>>
>> For the problem related to ar.conf, I'm confused. See the error logs:
>> 2006/09/14 14:53:30 ossec-syscheckd: Started (pid: 24459).
>> 2006/09/14 14:53:30 ossec-analysisd: Connected to '/queue/alerts/ar'
>> (active-response queue)
>> 2006/09/14 14:53:30 ossec-analysisd: Connected to '/queue/alerts/execq'
>> (exec queue)
>> 2006/09/14 14:53:33 ossec-logcollector(1950): Analyzing file:
>> '/var/log/messages'.
>> 2006/09/14 14:53:33 ossec-logcollector(1950): Analyzing file:
>> '/var/log/secure'.
>> 2006/09/14 14:53:33 ossec-logcollector(1950): Analyzing file:
>> '/var/log/syslog'.
>> 2006/09/14 14:53:33 ossec-logcollector(1950): Analyzing file:
>> '/var/log/maillog'.
>> 2006/09/14 14:53:33 ossec-logcollector(1950): Analyzing file:
>> '/usr/local/squid/var/logs/access.log'.
>> 2006/09/14 14:53:33 ossec-logcollector(1950): Analyzing file:
>> '/var/log/apache/error_log'.
>> 2006/09/14 14:53:33 ossec-logcollector(1950): Analyzing file:
>> '/var/log/apache/access_log'.
>> 2006/09/14 14:53:33 ossec-logcollector: Started (pid: 24445).
>> 2006/09/14 15:54:58 ossec-remoted: Error accessing file
>> '/etc/shared/ar.conf'
>>
>> I think that I have the same problem as in my last question.. the file
>> /etc/shared/ar.conf doesn't exist, only /var/ossec/etc/shared/ar.conf
>> exists (this file is created automatically when I start the ossec server).
>>
>> Many thanks, best regards,
>>
>>
>> Amauri Tiago Marx



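The check discussed in this thread, as an added example that is not part of the original messages or of OSSEC: a POSIX shell function that maps a chroot-relative path such as /etc/shared/ar.conf to its location under /var/ossec and reports whether a given group can reach and read it. The function names are hypothetical, and it assumes the daemon gets access through group membership rather than as the file owner.

```shell
#!/bin/sh
# Added example, not OSSEC code. Mode bits are inspected with find(1), so the
# answer is the same whether or not the checker itself runs as root.

# host_path CHROOT RELPATH: host location of a path as seen inside the chroot.
host_path() {
    printf '%s/%s\n' "${1%/}" "${2#/}"
}

# matches PATH PRIMARY ARG: true if PATH itself satisfies the find primary.
matches() {
    [ -n "$(find "$1" -prune "$2" "$3" 2>/dev/null)" ]
}

# check_group_read CHROOT RELPATH GROUP
# 0 = GROUP can reach and read the file, 1 = file missing, 2 = wrong group,
# 3 = group read bit not set, 4 = a directory up to CHROOT blocks traversal.
check_group_read() {
    root=${1%/}
    real=$(host_path "$1" "$2")
    [ -e "$real" ] || { echo "missing: $real"; return 1; }
    matches "$real" -group "$3" || { echo "group is not $3: $real"; return 2; }
    matches "$real" -perm -040 || { echo "no group read bit: $real"; return 3; }
    dir=$(dirname "$real")
    while :; do
        # The group class applies if the directory belongs to GROUP, else "other".
        if matches "$dir" -group "$3"; then bit=-010; else bit=-001; fi
        matches "$dir" -perm "$bit" || { echo "not searchable: $dir"; return 4; }
        case "$dir" in "$root"|/) break ;; esac
        dir=$(dirname "$dir")
    done
    echo "ok: $real"
}

# Usage with the paths from this thread:
#   check_group_read /var/ossec /etc/shared/ar.conf ossec
```

A result of 2 corresponds to the `root root` listing shown above, which the `chgrp ossec` command corrects.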