On Wed, Aug 11, 2010 at 10:42 PM, x509v3 <[email protected]> wrote:
> Sorry if this is a repeat, but I haven't seen my message appear in the
> group after a day...trying again.
>
> I have a working master-agent setup, and am now trying to do
> remotely-managed agents so that I can simplify and centralize the
> configs. I can't seem to get the agent to "take" the agent.conf, no
> matter what I try it always seems to use its own locally-stored config.
> I've restarted both the server and agent, and also tried restarting the
> agent via the agent_control too. No joy.
>
> It's my understanding from the docs that I'll see an md5sum of the
> agent.conf appearing in the version string. I'm not seeing that, I
> still see "2.4.1". Furthermore, I don't see an agent.conf appear on
> the remote agent filesystem, and when I add new directories to scan
> within the agent.conf, those are not done on the agent.
>
> [r...@sectest100 bin]# ./agent_control -l
>
> OSSEC HIDS agent_control. List of available agents:
>    ID: 000, Name: sectest100 (server), IP: 127.0.0.1, Active/Local
>    ID: 001, Name: sectest200, IP: 10.196.2.89, Active
>
> [r...@sectest100 bin]# ./agent_control -i 001
>
> OSSEC HIDS agent_control. Agent information:
>    Agent ID: 001
>    Agent Name: sectest200
>    IP address: 10.196.2.89
>    Status: Active
>
>    Operating system: Linux sectest200 2.6.18-128.el5 #1 SMP Wed Dec 17 11..
>    Client version: OSSEC HIDS v2.4.1
>    Last keep alive: Wed Aug 11 19:30:01 2010
>
>    Syscheck last started at: Wed Aug 11 17:13:44 2010
>    Rootcheck last started at: Wed Aug 11 19:11:54 2010
>
> I have this as my /var/ossec/etc/shared/agent.conf (nice and simple to
> start with):
>
> <agent_config>
>
>   <syscheck>
>     <!-- Frequency that syscheck is executed -->
>     <frequency>21600</frequency>
>
>     <!-- Directories to check (perform all possible verifications) -->
>     <directories check_all="yes">/bin,/sbin</directories>
>
>     <!-- Files/directories to ignore -->
>     <ignore>/etc/mtab</ignore>
>     <ignore>/etc/mnttab</ignore>
>     <ignore>/etc/mail/statistics</ignore>
>     <ignore>/etc/random-seed</ignore>
>     <ignore>/etc/adjtime</ignore>
>     <ignore>/etc/httpd/logs</ignore>
>     <ignore>/etc/utmpx</ignore>
>     <ignore>/etc/wtmpx</ignore>
>     <ignore>/etc/cups/certs</ignore>
>     <ignore>/etc/dumpdates</ignore>
>     <ignore>/etc/svc/volatile</ignore>
>   </syscheck>
>
> </agent_config>
>
> I'm not sure where to troubleshoot, does the agent.conf look correct?

I don't see anything that strikes me as wrong. You might get errors on the agent about repetitions in syscheck directories, since I think /bin and /sbin are covered in the default ossec.conf, but I think those can be safely ignored. The transfer isn't instantaneous, but restarting the server should help speed it up. On the agent, what files are in the ossec/etc/shared directory (check permissions too)?
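A small check script to go with the reply's advice, added here as an example and not part of the thread or of the OSSEC project: run `md5sum /var/ossec/etc/shared/agent.conf` on the manager, then run this on the agent with that hash to confirm the pushed copy arrived, is readable, and matches. The function names `md5_of` and `check_agent_conf`, the exit codes, and the OSSEC root argument are assumptions of this example.

```shell
#!/bin/sh
# Added example (not OSSEC's own tooling). Confirms that a centrally
# managed agent.conf has actually reached an agent's shared directory.
#   on the manager:  md5sum /var/ossec/etc/shared/agent.conf
#   on the agent:    check_agent_conf /var/ossec <md5-from-manager>
# The hash compared here is the agent.conf md5 the thread expects to see
# in the agent's version string once the config has been merged.
# Exit codes: 0 in sync, 2 bad args, 3 missing, 4 unreadable, 5 mismatch.

md5_of() {
    # Portable md5: md5sum on Linux, md5 -q on BSD/macOS.
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        md5 -q "$1"
    fi
}

check_agent_conf() {
    root="$1"; expected="$2"
    [ -n "$root" ] && [ -n "$expected" ] || {
        echo "usage: check_agent_conf OSSEC_ROOT MANAGER_MD5"; return 2; }
    conf="$root/etc/shared/agent.conf"
    if [ ! -f "$conf" ]; then
        # Nothing arrived yet: the agent is still running on its local ossec.conf only.
        echo "NOT RECEIVED: $conf does not exist"
        return 3
    fi
    if [ ! -r "$conf" ]; then
        # File was pushed but the agent cannot read it; owner/mode is the usual cause.
        echo "UNREADABLE: $conf exists but cannot be read; check owner/mode:"
        ls -l "$conf"
        return 4
    fi
    actual=$(md5_of "$conf")
    if [ "$actual" != "$expected" ]; then
        # Old or partially transferred copy; restart the manager and wait for the next push.
        echo "STALE: agent md5 $actual differs from manager md5 $expected"
        return 5
    fi
    echo "IN SYNC: $conf md5 $actual matches manager"
    return 0
}
```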
