Hello, When the OSSEC agent on our Solaris 9 agents starts up, it establishes a connection with the OSSEC server but the /opt/ossec/etc/shared/ ar.conf file is not being created. Consequently, if the OSSEC server tells the OSSEC agent to activate a particular active response a message appears like the following in the ossec.conf file on the agent:
2010/05/20 14:09:40 ossec-execd(1103): ERROR: Unable to open file '/ opt/ossec/2.4/etc/shared/ar.conf'. 2010/05/20 14:09:40 ossec-execd(1311): ERROR: Invalid command name 'restart-ossec0' provided. I used the "agent_control -R id" command on the OSSEC server to cause the message above. Similar messages are generated for other active responses. The agent is sending events to the server because I can see them in the logs on the server. There are no error messages in ossec.conf on the agent when it starts up. Our OSSEC agents on Solaris 10 hosts do not exhibit this behaviour. Also, the /opt/ossec/etc/shared/merged.mg file is not being created either. The permissions on the /opt/ossec/etc/shared directory look fine. Does anyone have any ideas as to what might be causing this problem? Is there anyway to turn on some sort of debugging on the agent that might provide some clues? Trevor
