Hey,

Did you wait a little bit? The agent.conf is not pushed immediately from the manager
to the agents, so depending on the traffic it can take a while (a few
minutes to an hour).

Thanks,

On Tue, Aug 10, 2010 at 11:22 PM, x509v3 <[email protected]> wrote:
> I've installed a master and an agent, both seem to be working fine.  I
> decided to then expand the complexity of the system to emulate what
> I'm really looking for: centrally-managed agent configs. I thought
> this would be easy, but after googling around, it sounds like there
> are bumps.
>
> Symptom: the agent is talking to the master, but it's never picking up
> the agent.conf file.
>
> Here's what I see from the master:
> [r...@sectest100 shared]# /var/ossec/bin/agent_control -i 001
>
> OSSEC HIDS agent_control. Agent information:
>   Agent ID:   001
>   Agent Name: sectest200
>   IP address: 10.196.2.89
>   Status:     Active
>
>   Operating system:    Linux sectest200 2.6.18-128.el5 #1 SMP Wed Dec 17 11..
>   Client version:      OSSEC HIDS v2.4.1
>   Last keep alive:     Tue Aug 10 19:14:44 2010
>
>   Syscheck last started  at: Tue Aug 10 19:03:10 2010
>   Rootcheck last started at: Tue Aug 10 19:13:12 2010
>
> And here's the agent starting up:
> 2010/08/10 18:57:18 ossec-agentd(1410): INFO: Reading authentication keys file.
> 2010/08/10 18:57:18 ossec-agentd: INFO: Assigning counter for agent sectest200: '0:129'.
> 2010/08/10 18:57:18 ossec-agentd: INFO: Assigning sender counter: 2:7362
> 2010/08/10 18:57:18 ossec-agentd: INFO: Started (pid: 11984).
> 2010/08/10 18:57:18 ossec-agentd: INFO: Server IP Address: 10.192.2.89
> 2010/08/10 18:57:18 ossec-agentd: INFO: Trying to connect to server (10.192.2.89:1514).
> 2010/08/10 18:57:19 ossec-agentd(4102): INFO: Connected to the server (10.192.2.89:1514).
> 2010/08/10 18:57:22 ossec-syscheckd: INFO: Started (pid: 11992).
> 2010/08/10 18:57:22 ossec-rootcheck: INFO: Started (pid: 11992).
> 2010/08/10 18:57:22 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
> 2010/08/10 18:57:22 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin'.
> 2010/08/10 18:57:22 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin'.
> 2010/08/10 18:57:22 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
> 2010/08/10 18:57:22 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
> 2010/08/10 18:57:24 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'.
> 2010/08/10 18:57:24 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/secure'.
> 2010/08/10 18:57:24 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/maillog'.
> 2010/08/10 18:57:24 ossec-logcollector: INFO: Started (pid: 11988).
> 2010/08/10 18:57:54 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
> 2010/08/10 19:01:10 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
> 2010/08/10 19:03:10 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
> 2010/08/10 19:12:52 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database).
> 2010/08/10 19:13:12 ossec-rootcheck: INFO: Starting rootcheck scan.
> 2010/08/10 19:15:56 ossec-rootcheck: INFO: Ending rootcheck scan.
>
> Here's the /var/ossec/etc/shared/agent.conf (I'm trying to start
> simple):
> <agent_config>
>
>  <syscheck>
>    <!-- Frequency that syscheck is executed -->
>    <frequency>21600</frequency>
>
>    <!-- Directories to check  (perform all possible verifications) -->
>    <directories check_all="yes">/bin,/sbin</directories>
>
>    <!-- Files/directories to ignore -->
>    <ignore>/etc/mtab</ignore>
>    <ignore>/etc/mnttab</ignore>
>    <ignore>/etc/mail/statistics</ignore>
>    <ignore>/etc/random-seed</ignore>
>    <ignore>/etc/adjtime</ignore>
>    <ignore>/etc/httpd/logs</ignore>
>    <ignore>/etc/utmpx</ignore>
>    <ignore>/etc/wtmpx</ignore>
>    <ignore>/etc/cups/certs</ignore>
>    <ignore>/etc/dumpdates</ignore>
>    <ignore>/etc/svc/volatile</ignore>
>  </syscheck>
>
> </agent_config>
>
> As you can tell from the agent logs, it's using the standard
> ossec.conf file. The agent doesn't have the agent.conf file, and the
> status from the master indicates that it isn't using one either.
>
> I've restarted both the master and the agent a few times. No joy.
>
> I feel like I'm overlooking something simple here, but can't figure it
> out.
>
> Any hints?
>
> bill
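The question above is about a centrally managed agent.conf that never takes effect. Before waiting on the push, two things are worth checking on the manager side: that the file parses at all, and which <agent_config> blocks would actually apply to a given agent. The script below is an added example written for this thread, not OSSEC's own code. It parses an agent.conf body, reports parse errors, and resolves the effective <syscheck> settings for one agent. The sample file is constructed (the untargeted block from the post plus a second block carrying the `name` and `os` attributes), and the matching rules it assumes are assumptions: an attribute-less block applies to every agent, `name` must equal the agent name exactly, `os` must be a substring of the agent's uname string, and later blocks override an earlier <frequency> while directory and ignore lists accumulate.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not from the post): the untargeted block from the thread
# plus a second block that only applies to the agent named sectest200. Several
# top-level <agent_config> elements in one file is normal for agent.conf.
SAMPLE_AGENT_CONF = """\
<agent_config>
  <syscheck>
    <!-- Frequency that syscheck is executed -->
    <frequency>21600</frequency>
    <directories check_all="yes">/bin,/sbin</directories>
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/mnttab</ignore>
  </syscheck>
</agent_config>

<agent_config name="sectest200" os="Linux">
  <syscheck>
    <frequency>3600</frequency>
    <directories check_all="yes">/etc,/usr/bin</directories>
    <ignore>/etc/adjtime</ignore>
  </syscheck>
</agent_config>
"""


def parse_agent_conf(text):
    """Return the list of <agent_config> elements in an agent.conf body.

    agent.conf may carry several top-level <agent_config> elements, so it is
    not a single-root XML document; wrap it in a synthetic root first.
    """
    root = ET.fromstring("<agent_conf_root>" + text + "</agent_conf_root>")
    blocks = root.findall("agent_config")
    if not blocks:
        raise ValueError("no <agent_config> block found")
    return blocks


def validate_agent_conf(text):
    """Return None if the file parses, else a one-line error description."""
    try:
        parse_agent_conf(text)
    except (ET.ParseError, ValueError) as exc:
        return str(exc)
    return None


def block_applies(block, agent_name, agent_os):
    """Assumed matching rules (not taken from OSSEC source): a block with no
    attributes applies to every agent; name must equal the agent name; os
    must be a substring of the agent's uname string (the 'Operating system'
    line of agent_control -i)."""
    name = block.get("name")
    os_ = block.get("os")
    if name is not None and name != agent_name:
        return False
    if os_ is not None and os_ not in agent_os:
        return False
    return True


def effective_syscheck(text, agent_name, agent_os):
    """Merge the <syscheck> settings of every block that applies to the agent.

    Assumption: blocks are applied in file order, a later <frequency>
    overrides an earlier one, and directory/ignore lists accumulate
    without duplicates.
    """
    merged = {"frequency": None, "directories": [], "ignore": []}
    for block in parse_agent_conf(text):
        if not block_applies(block, agent_name, agent_os):
            continue
        for syscheck in block.findall("syscheck"):
            freq = syscheck.findtext("frequency")
            if freq is not None:
                merged["frequency"] = int(freq.strip())
            for dirs in syscheck.findall("directories"):
                for path in (dirs.text or "").split(","):
                    path = path.strip()
                    if path and path not in merged["directories"]:
                        merged["directories"].append(path)
            for ignore in syscheck.findall("ignore"):
                path = (ignore.text or "").strip()
                if path and path not in merged["ignore"]:
                    merged["ignore"].append(path)
    return merged


if __name__ == "__main__":
    print("parse error:", validate_agent_conf(SAMPLE_AGENT_CONF))
    print(effective_syscheck(SAMPLE_AGENT_CONF, "sectest200",
                             "Linux sectest200 2.6.18-128.el5"))
```

Run it against the real file by reading /var/ossec/etc/shared/agent.conf from the manager and passing the agent name and uname string shown by agent_control -i; a non-None result from validate_agent_conf is the first thing to rule out, since a file that does not parse will never reach the agents.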
