Sorry if this is a repeat, but I haven't seen my message appear in the
group after a day...trying again.

I have a working master-agent setup, and am now trying to do remotely-
managed agents so that I can simplify and centralize the configs. I
can't seem to get the agent to "take" the agent.conf, no matter what I
try it always seems to use its own locally-stored config. I've
restarted both the server and agent, and also tried restarting the
agent via the agent_control too. No joy.

 It's my understanding from the docs that I'll see an md5sum of the
agent.conf appearing in the version string. I'm not seeing that, I
still see "2.4.1". Furthermore, I don't see an agent.conf appear on
the remote agent filesystem, and when I add new directories to scan
within the agent.conf, those are not done on the agent.

[r...@sectest100 bin]# ./agent_control -l

OSSEC HIDS agent_control. List of available agents:
   ID: 000, Name: sectest100 (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: sectest200, IP: 10.196.2.89, Active

[r...@sectest100 bin]# ./agent_control -i 001

OSSEC HIDS agent_control. Agent information:
   Agent ID:   001
   Agent Name: sectest200
   IP address: 10.196.2.89
   Status:     Active

   Operating system:    Linux sectest200 2.6.18-128.el5 #1 SMP Wed Dec
17 11..
   Client version:      OSSEC HIDS v2.4.1
   Last keep alive:     Wed Aug 11 19:30:01 2010

   Syscheck last started  at: Wed Aug 11 17:13:44 2010
   Rootcheck last started at: Wed Aug 11 19:11:54 2010
I have this as my /var/ossec/etc/shared/agent.conf (nice and simple to
start with):

<agent_config>

  <syscheck>
    <!-- Frequency that syscheck is executed -->
    <frequency>21600</frequency>

    <!-- Directories to check  (perform all possible verifications) -->
    <directories check_all="yes">/bin,/sbin</directories>

    <!-- Files/directories to ignore -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/mnttab</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
    <ignore>/etc/utmpx</ignore>
    <ignore>/etc/wtmpx</ignore>
    <ignore>/etc/cups/certs</ignore>
    <ignore>/etc/dumpdates</ignore>
    <ignore>/etc/svc/volatile</ignore>
  </syscheck>

</agent_config>


I'm not sure where to troubleshoot, does the agent.conf look correct?
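As an added example (not from the original post and not OSSEC's own code), a small Python checker that parses a shared agent.conf the way an admin might before pushing it out: it tolerates several top-level <agent_config> blocks, reports malformed XML such as a comment whose closing --> got split across lines, lists the directories syscheck would monitor, and computes the MD5 of the file bytes for comparison with a hash reported for the shared file (assumption: that hash is a plain MD5 of the file contents; the sample file below is constructed).

```python
"""Sanity-check an OSSEC shared agent.conf before pushing it to agents."""
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the agent.conf quoted in the post above.
SAMPLE_AGENT_CONF = """<agent_config>
  <syscheck>
    <!-- Frequency that syscheck is executed -->
    <frequency>21600</frequency>
    <directories check_all="yes">/bin,/sbin</directories>
    <ignore>/etc/mtab</ignore>
  </syscheck>
</agent_config>
"""


def check_agent_conf(text):
    """Parse agent.conf text and return a report dict; never raises on bad XML.

    'md5' is the MD5 of the exact bytes, for comparison with a hash reported
    for the shared file (assumption: that hash is a plain MD5 of the contents).
    """
    report = {"issues": [], "directories": [], "frequency": None,
              "md5": hashlib.md5(text.encode()).hexdigest()}
    try:
        # OSSEC config files may hold several top-level <agent_config> blocks
        # (one per agent name/os/profile), so wrap them in a synthetic root.
        root = ET.fromstring("<root>" + text + "</root>")
    except ET.ParseError as exc:
        report["issues"].append(f"not well-formed XML: {exc}")
        return report
    blocks = root.findall("agent_config")
    if not blocks:
        report["issues"].append("no <agent_config> block found")
    for sc in root.iter("syscheck"):
        freq = sc.findtext("frequency")
        if freq is not None:
            if freq.strip().isdigit():
                report["frequency"] = int(freq)
            else:
                report["issues"].append(f"non-numeric <frequency>: {freq!r}")
        for d in sc.findall("directories"):
            for path in (d.text or "").split(","):
                path = path.strip()
                if not path.startswith("/"):
                    report["issues"].append(f"relative path in <directories>: {path!r}")
                report["directories"].append(path)
    if blocks and not report["directories"]:
        report["issues"].append("no <directories> entries: agents would get nothing to monitor")
    return report


if __name__ == "__main__":
    print(check_agent_conf(SAMPLE_AGENT_CONF))
```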
