Hey,

Did you wait a little bit? The agent.conf is not pushed immediately from the manager to the agents, so depending on the traffic it can take a while (a few minutes to an hour).

Thanks,

On Tue, Aug 10, 2010 at 11:22 PM, x509v3 <[email protected]> wrote:
> I've installed a master and an agent, both seem to be working fine. I
> decided to then expand the complexity of the system to emulate what
> I'm really looking for: centrally-managed agent configs. I thought
> this would be easy, but after googling around, it sounds like there
> are bumps.
>
> Symptom: the agent is talking to the master, but it's never picking up
> the agent.conf file.
>
> Here's what I see from the master:
> [r...@sectest100 shared]# /var/ossec/bin/agent_control -i 001
>
> OSSEC HIDS agent_control. Agent information:
>    Agent ID: 001
>    Agent Name: sectest200
>    IP address: 10.196.2.89
>    Status: Active
>
>    Operating system: Linux sectest200 2.6.18-128.el5 #1 SMP Wed Dec 17 11..
>    Client version: OSSEC HIDS v2.4.1
>    Last keep alive: Tue Aug 10 19:14:44 2010
>
>    Syscheck last started at: Tue Aug 10 19:03:10 2010
>    Rootcheck last started at: Tue Aug 10 19:13:12 2010
>
> And here's the agent starting up:
> 2010/08/10 18:57:18 ossec-agentd(1410): INFO: Reading authentication keys file.
> 2010/08/10 18:57:18 ossec-agentd: INFO: Assigning counter for agent sectest200: '0:129'.
> 2010/08/10 18:57:18 ossec-agentd: INFO: Assigning sender counter: 2:7362
> 2010/08/10 18:57:18 ossec-agentd: INFO: Started (pid: 11984).
> 2010/08/10 18:57:18 ossec-agentd: INFO: Server IP Address: 10.192.2.89
> 2010/08/10 18:57:18 ossec-agentd: INFO: Trying to connect to server (10.192.2.89:1514).
> 2010/08/10 18:57:19 ossec-agentd(4102): INFO: Connected to the server (10.192.2.89:1514).
> 2010/08/10 18:57:22 ossec-syscheckd: INFO: Started (pid: 11992).
> 2010/08/10 18:57:22 ossec-rootcheck: INFO: Started (pid: 11992).
> 2010/08/10 18:57:22 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
> 2010/08/10 18:57:22 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin'.
> 2010/08/10 18:57:22 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin'.
> 2010/08/10 18:57:22 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
> 2010/08/10 18:57:22 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
> 2010/08/10 18:57:24 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'.
> 2010/08/10 18:57:24 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/secure'.
> 2010/08/10 18:57:24 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/maillog'.
> 2010/08/10 18:57:24 ossec-logcollector: INFO: Started (pid: 11988).
> 2010/08/10 18:57:54 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
> 2010/08/10 19:01:10 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
> 2010/08/10 19:03:10 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
> 2010/08/10 19:12:52 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database).
> 2010/08/10 19:13:12 ossec-rootcheck: INFO: Starting rootcheck scan.
> 2010/08/10 19:15:56 ossec-rootcheck: INFO: Ending rootcheck scan.
>
> Here's the /var/ossec/etc/shared/agent.conf (I'm trying to start
> simple):
> <agent_config>
>
>   <syscheck>
>     <!-- Frequency that syscheck is executed -->
>     <frequency>21600</frequency>
>
>     <!-- Directories to check (perform all possible verifications) -->
>     <directories check_all="yes">/bin,/sbin</directories>
>
>     <!-- Files/directories to ignore -->
>     <ignore>/etc/mtab</ignore>
>     <ignore>/etc/mnttab</ignore>
>     <ignore>/etc/mail/statistics</ignore>
>     <ignore>/etc/random-seed</ignore>
>     <ignore>/etc/adjtime</ignore>
>     <ignore>/etc/httpd/logs</ignore>
>     <ignore>/etc/utmpx</ignore>
>     <ignore>/etc/wtmpx</ignore>
>     <ignore>/etc/cups/certs</ignore>
>     <ignore>/etc/dumpdates</ignore>
>     <ignore>/etc/svc/volatile</ignore>
>   </syscheck>
>
> </agent_config>
>
> As you can tell from the agent logs, it's using the standard
> ossec.conf file. The agent doesn't have the agent.conf file, and the
> status from the master indicates that it isn't using one either.
>
> I've restarted both the master and the agent a few times. No joy.
>
> I feel like I'm overlooking something simple here, but can't figure it
> out.
>
> Any hints?
>
> bill
