/var/ossec/etc/ossec.conf is the main config file.
/var/ossec/etc/shared/agent.conf is the centralized config file.
Together they form the system's configuration. If you have entries duplicated 
between those 2 files, you will probably get these errors.

Sent from my Nokia phone
-----Original Message-----
From: John Paulson
Sent:  06/21/2010 7:22:24 PM
Subject:  [ossec-list] Re: Duplicated directory warning in ossec.log after  
mistake in configuring Centralized agents.

Hi Dan, thanks. I did pull the misspelled ossec.conf file out of the
shared directory and restart the agent from the server but I'm still
seeing those errors. There is an ossec.conf file above the shared
directory in etc, but I'm assuming that's not the problem as we have a
test environment where the only difference seems to be my initial
blunder with the file name. I was thinking that these rules get
compiled somewhere to speed things up???:) maybe I don't know. thanks
though

On Jun 21, 2:35 pm, "dan (ddp)" <[email protected]> wrote:
> Are these entries in both the ossec.conf on the agents producing the
> errors, and in the agent.conf?
> If so, that's where this error is coming from. Put the entries in one
> or the other.
>
> On Mon, Jun 21, 2010 at 2:10 PM, John Paulson <[email protected]> wrote:
> > While creating the agent.conf in /var/ossec/etc/shared for centralized
> > agent control, I made a mistake and called the file ossec.conf.
> > After restarting ossec on the server and seeing that the agents were
> > not picking up the configuration, I noticed my mistake and changed the
> > name of the file from ossec.conf to agent.conf. The agents are now
> > being managed from the server and everything seems well, except that I
> > am seeing the following warning messages in the logs:
>
> > 2010/06/21 12:13:16 ossec-config(1756): ERROR: Duplicated directory
> > given: '/etc'.
> > 2010/06/21 12:13:16 ossec-config(1756): ERROR: Duplicated directory
> > given: '/bin'
> > and
> > 2010/06/21 12:16:14 ossec-logcollector: WARN: Duplicated log file
> > given: '/var/log/messages'.
> > 2010/06/21 12:16:14 ossec-logcollector: WARN: Duplicated log file
> > given: '/var/log/secure'.
> > 2010/06/21 12:16:14 ossec-logcollector: WARN: Duplicated log file
> > given: '/var/log/maillog'.
> > 2010/06/21 12:16:14 ossec-logcollector: WARN: Duplicated log file
> > given: '/var/log/httpd/error_log'.
> > 2010/06/21 12:16:14 ossec-logcollector: WARN: Duplicated log file
> > given: '/var/log/httpd/access_log'
>
> > I read a post about clearing the rids directory after duplicate
> > entries from a client restore, but wasn't sure if this applied here.
> > Any help would be greatly appreciated.
> > Thanks,
> > John
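
A way to find which entries are defined more than once across the two files named in the thread, as an added example that is not code from the thread or from the OSSEC project. The sample file contents are constructed, and the script assumes every `<agent_config>` block applies to the agent being checked (it ignores any targeting attributes on that element).

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample contents, not taken from the systems in the thread.
LOCAL_OSSEC_CONF = """
<ossec_config>
  <syscheck>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>
  </syscheck>
  <localfile><log_format>syslog</log_format><location>/var/log/messages</location></localfile>
</ossec_config>
"""
SHARED_AGENT_CONF = """
<agent_config>
  <syscheck><directories check_all="yes">/etc,/bin</directories></syscheck>
  <localfile><log_format>syslog</log_format><location>/var/log/messages</location></localfile>
  <localfile><log_format>apache</log_format><location>/var/log/httpd/error_log</location></localfile>
</agent_config>
"""

def monitored_items(conf_text):
    """Return (kind, path) pairs for syscheck directories and log files."""
    # Either file may hold several top-level blocks, so wrap them in one root.
    body = re.sub(r"<\?xml[^>]*\?>", "", conf_text)
    root = ET.fromstring("<root>" + body + "</root>")
    items = []
    for node in root.iter("directories"):  # comma-separated list per element
        items += [("directory", d.strip()) for d in (node.text or "").split(",") if d.strip()]
    for node in root.findall(".//localfile/location"):
        if (node.text or "").strip():
            items.append(("logfile", node.text.strip()))
    return items

def find_duplicates(configs):
    """configs maps a label to file text; return {(kind, path): [labels]} for repeats."""
    seen = defaultdict(list)
    for label, text in configs.items():
        for item in monitored_items(text):
            seen[item].append(label)
    return {item: labels for item, labels in seen.items() if len(labels) > 1}

if __name__ == "__main__":
    configs = {"ossec.conf": LOCAL_OSSEC_CONF, "agent.conf": SHARED_AGENT_CONF}
    for (kind, path), labels in sorted(find_duplicates(configs).items()):
        print(f"duplicated {kind} {path!r} in: {', '.join(labels)}")
```

To check a real agent, pass the text of its /var/ossec/etc/ossec.conf and /var/ossec/etc/shared/agent.conf to `find_duplicates` in place of the sample strings. An entry repeated inside a single file is reported too, with that file's label listed twice.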
