Good morning,
I will try what you wrote me (sregex).
This also does not work:
<agent_config>
<syscheck>
<directories check_all="yes">/boot</directories>
</syscheck>
</agent_config>
The agent log says:
2010/10/19 15:28:22 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
2010/10/19 15:28:22 ossec-syscheckd: INFO: Monitoring directory: '/usr'.
2010/10/19 15:28:22 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
2010/10/19 15:28:22 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
2010/10/19 15:28:22 ossec-syscheckd: INFO: Monitoring directory: '/opt'.
2010/10/19 15:28:24 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'.
2010/10/19 15:28:24 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/warn'.
2010/10/19 15:28:24 ossec-logcollector: INFO: Started (pid: 24510).
but no /boot
Mike
2010/10/19 dan (ddp) <[email protected]>
> On Tue, Oct 19, 2010 at 10:03 AM, Mike Sievers
> <[email protected]> wrote:
> > hi dan (and lis)
> > yes, the agent conf was copied and I restarted all
> >
> > but there is something different now:
> >
> > (agent.conf)
> >
> > <agent_config name='n001'>
> > <syscheck>
> > <ignore>/etc/ppp/chap-secrets</ignore> <<<<<<< file is not ignored
> > <directories check_all="yes">/lib</directories> <<<<<< this works
> > </syscheck>
> > </agent_config>
> >
> > maybe the syntax is simply wrong?
> >
> > Mike
> >
>
> It looks right to me. You could try the following:
> <ignore type="sregex">^/etc/ppp/chap-secrets</ignore>
>
> But I don't think that will add anything. Which version of OSSEC are you
> using?
>
> > 2010/10/19 dan (ddp) <[email protected]>
> >>
> >> On Tue, Oct 19, 2010 at 9:38 AM, Mike Sievers
> >> <[email protected]> wrote:
> >> > Hi list
> >> >
> >> > I am using ossec with agents. But they don't use the:
> >> > /var/ossec/etc/shared/agent.conf file
> >> >
> >> > I really have no idea and no error log.
> >> > What can have happened?
> >> > What tests are possible?
> >> > agent_controls says:
> >> >
> >> > ID: 005, Name: n001, IP: 192.168.40.2, Active
> >> >
> >> > Best,
> >> > Mike
> >> >
> >>
> >> Is the agent.conf being copied to the agents? Did you restart the
> >> ossec processes on the agents?
> >> Double check your agent.conf for any typos, that's bitten me in the past.
> >
> >
>