[ossec-list] Re: /opt/ossec/etc/shared/ar.conf not being created on Solaris 9 agents

Fri, 28 May 2010 12:47:53 -0700 

Well,

I solved my own problem but am posting the results here in case it
help others.

The problem turned out not to be the OS but the processor.  In
particular, Ultra Sparc processors seemed to be at the root of it.
In ../src/Makeall is the following:

    82      elif [ "X$OS" = "XSunOS" ]; then
    83          # Set CPU optimization for Sun UltraSparc
    84          # by Eric Straavaldsen
    85          # Disabled by default. To enable it, just uncomment
the following
    86          # lines and comment the EEXTRA below.
    87          #PROC=`isainfo -n`
    88          #if [ $PROC = sparcv9 ]; then
    89          #    echo "EEXTRA=-lsocket -lnsl -lresolv -DSOLARIS -
DHIGHFIRST -O3 -mcpu=ultrasparc">>Config.OS
    90          #fi
    91          echo "EEXTRA=-DSOLARIS -DHIGHFIRST">>Config.OS
    92          echo "IEXTRA=-lsocket -lnsl -lresolv" >> Config.OS

I followed the instructions, recompiled and voila!  Active response is
now working.

Cheers!
Trevor


On May 20, 2:57 pm, tm <[email protected]> wrote:
> Hello,
>
> When the OSSEC agent on our Solaris 9 agents starts up, it establishes
> a connection with the OSSEC server but the /opt/ossec/etc/shared/
> ar.conf file is not being created.  Consequently, if the OSSEC server
> tells the OSSEC agent to activate a particular active response a
> message appears like the following in the ossec.conf file on the
> agent:
>
> 2010/05/20 14:09:40 ossec-execd(1103): ERROR: Unable to open file '/
> opt/ossec/2.4/etc/shared/ar.conf'.
> 2010/05/20 14:09:40 ossec-execd(1311): ERROR: Invalid command name
> 'restart-ossec0' provided.
>
> I used the "agent_control -R id" command on the OSSEC server to cause
> the message above.  Similar messages are generated for other active
> responses.
>
> The agent is sending events to the server because I can see them in
> the logs on the server.  There are no error messages in ossec.conf on
> the agent when it starts up.
>
> Our OSSEC agents on Solaris 10 hosts do not exhibit this behaviour.
>
> Also, the /opt/ossec/etc/shared/merged.mg file is not being created
> either.
>
> The permissions on the /opt/ossec/etc/shared directory look fine.
>
> Does anyone have any ideas as to what might be causing this problem?
> Is there anyway to turn on some sort of debugging on the agent that
> might provide some clues?
>
> Trevor

Reply via email to