I've installed a master and an agent, both seem to be working fine. I
decided to then expand the complexity of the system to emulate what
I'm really looking for: centrally-managed agent configs. I thought
this would be easy, but after googling around, it sounds like there
are bumps.
Symptom: the agent is talking to the master, but it's never picking up
the agent.conf file.
Here's what I see from the master:
[r...@sectest100 shared]# /var/ossec/bin/agent_control -i 001
OSSEC HIDS agent_control. Agent information:
Agent ID: 001
Agent Name: sectest200
IP address: 10.196.2.89
Status: Active
Operating system: Linux sectest200 2.6.18-128.el5 #1 SMP Wed Dec 17 11..
Client version: OSSEC HIDS v2.4.1
Last keep alive: Tue Aug 10 19:14:44 2010
Syscheck last started at: Tue Aug 10 19:03:10 2010
Rootcheck last started at: Tue Aug 10 19:13:12 2010
And here's the agent starting up:
2010/08/10 18:57:18 ossec-agentd(1410): INFO: Reading authentication keys file.
2010/08/10 18:57:18 ossec-agentd: INFO: Assigning counter for agent sectest200: '0:129'.
2010/08/10 18:57:18 ossec-agentd: INFO: Assigning sender counter: 2:7362
2010/08/10 18:57:18 ossec-agentd: INFO: Started (pid: 11984).
2010/08/10 18:57:18 ossec-agentd: INFO: Server IP Address: 10.192.2.89
2010/08/10 18:57:18 ossec-agentd: INFO: Trying to connect to server (10.192.2.89:1514).
2010/08/10 18:57:19 ossec-agentd(4102): INFO: Connected to the server (10.192.2.89:1514).
2010/08/10 18:57:22 ossec-syscheckd: INFO: Started (pid: 11992).
2010/08/10 18:57:22 ossec-rootcheck: INFO: Started (pid: 11992).
2010/08/10 18:57:22 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
2010/08/10 18:57:22 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin'.
2010/08/10 18:57:22 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin'.
2010/08/10 18:57:22 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
2010/08/10 18:57:22 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
2010/08/10 18:57:24 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'.
2010/08/10 18:57:24 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/secure'.
2010/08/10 18:57:24 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/maillog'.
2010/08/10 18:57:24 ossec-logcollector: INFO: Started (pid: 11988).
2010/08/10 18:57:54 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
2010/08/10 19:01:10 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
2010/08/10 19:03:10 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2010/08/10 19:12:52 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database).
2010/08/10 19:13:12 ossec-rootcheck: INFO: Starting rootcheck scan.
2010/08/10 19:15:56 ossec-rootcheck: INFO: Ending rootcheck scan.
Here's the /var/ossec/etc/shared/agent.conf (I'm trying to start simple):
<agent_config>
  <syscheck>
    <!-- Frequency that syscheck is executed -->
    <frequency>21600</frequency>
    <!-- Directories to check (perform all possible verifications) -->
    <directories check_all="yes">/bin,/sbin</directories>
    <!-- Files/directories to ignore -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/mnttab</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
    <ignore>/etc/utmpx</ignore>
    <ignore>/etc/wtmpx</ignore>
    <ignore>/etc/cups/certs</ignore>
    <ignore>/etc/dumpdates</ignore>
    <ignore>/etc/svc/volatile</ignore>
  </syscheck>
</agent_config>
As you can tell from the agent logs, it's using the standard
ossec.conf file. The agent doesn't have the agent.conf file, and the
status from the master indicates that it isn't using one either.
I've restarted both the master and the agent a few times. No joy.
I feel like I'm overlooking something simple here, but can't figure it
out.
Any hints?
bill
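An added example (not from the original post, not OSSEC's own code) that goes with the setup described above: a small checker for a shared agent.conf, since an agent.conf that is not well-formed XML is not applied and the agent quietly carries on with its local ossec.conf alone, which looks exactly like the symptom reported here. The sample agent.conf embedded below is constructed from the one in the post (shortened), the "broken" variant reproduces the comment terminator split across two lines as the post renders it, and the attribute names `name`, `os` and `profile` are the ones OSSEC accepts on `<agent_config>` to scope a block to a subset of agents. Comparing digests of the master's and the agent's copy of /var/ossec/etc/shared/agent.conf is a quick way to tell whether the file has actually been delivered; the file path is the one from the post, the comparison helper is this example's own.

```python
"""Validate an OSSEC shared agent.conf before relying on the master to push it.

Added example, not part of the original post or of OSSEC itself. It assumes
the agent.conf layout shown in the post (an <agent_config> root containing a
<syscheck> block) and nothing else about the OSSEC code base.
"""
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample: the agent.conf from the post, shortened to two ignores.
SAMPLE_AGENT_CONF = """<agent_config>
  <syscheck>
    <!-- Frequency that syscheck is executed -->
    <frequency>21600</frequency>
    <!-- Directories to check (perform all possible verifications) -->
    <directories check_all="yes">/bin,/sbin</directories>
    <!-- Files/directories to ignore -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/adjtime</ignore>
  </syscheck>
</agent_config>
"""

# Constructed variant with the comment terminator broken across two lines, the
# way the post renders it: one stray newline makes the whole file unparsable.
BROKEN_AGENT_CONF = SAMPLE_AGENT_CONF.replace(
    "verifications) -->", "verifications) --\n>")

# Attributes OSSEC accepts on <agent_config> to restrict a block to some agents.
AGENT_CONFIG_ATTRS = {"name", "os", "profile"}


def validate_agent_conf(text):
    """Return a list of problems found; an empty list means the file looks usable."""
    problems = []
    # agent.conf may hold several top-level <agent_config> blocks, so wrap the
    # text in a dummy root to keep a multi-block file well-formed for the parser.
    try:
        root = ET.fromstring("<root>%s</root>" % text)
    except ET.ParseError as exc:
        return ["not well-formed XML: %s" % exc]
    blocks = root.findall("agent_config")
    if not blocks:
        problems.append("no <agent_config> block found")
    for block in blocks:
        unknown = set(block.attrib) - AGENT_CONFIG_ATTRS
        if unknown:
            problems.append("unknown agent_config attribute(s): %s" % sorted(unknown))
        for freq in block.iter("frequency"):
            if not (freq.text or "").strip().isdigit():
                problems.append("syscheck frequency is not an integer: %r" % freq.text)
        for dirs in block.iter("directories"):
            for path in (dirs.text or "").split(","):
                if not path.strip().startswith("/"):
                    problems.append("syscheck directory is not absolute: %r" % path)
    return problems


def syscheck_summary(text):
    """Return (frequency, directories, ignores) from the first syscheck block."""
    root = ET.fromstring("<root>%s</root>" % text)
    sc = root.find("agent_config/syscheck")
    freq = int(sc.findtext("frequency"))
    dirs = [d.strip() for d in sc.findtext("directories").split(",")]
    ignores = [i.text for i in sc.findall("ignore")]
    return freq, dirs, ignores


def same_copy(master_text, agent_text):
    """True when the agent's copy of agent.conf is byte-identical to the master's.

    Feed it the contents of /var/ossec/etc/shared/agent.conf read on each host;
    a mismatch means the master has not (yet) delivered the file to that agent.
    """
    def digest(t):
        return hashlib.sha256(t.encode()).hexdigest()
    return digest(master_text) == digest(agent_text)


if __name__ == "__main__":
    print(validate_agent_conf(SAMPLE_AGENT_CONF))
    print(validate_agent_conf(BROKEN_AGENT_CONF))
    print(syscheck_summary(SAMPLE_AGENT_CONF))
    print(same_copy(SAMPLE_AGENT_CONF, BROKEN_AGENT_CONF))
```

Running the script against the clean sample reports no problems and summarises the syscheck block; the broken variant fails at the XML stage before any OSSEC-specific check runs, which is the case worth catching on the master before wondering why an agent never picks the file up.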