Always start with the server, then move on to the agents.
On Thu, Oct 21, 2010 at 6:20 AM, Mike Sievers <[email protected]> wrote:
> Hi Dan,
>
> my test config is very short
>
> I have now changed <agent_config> to <agent_config os='Linux'>
>
> Now it works
> <agent_config os='Linux'>
> <syscheck>
> <directories check_all="yes">/boot</directories>
> <ignore>/etc/dhcpd.conf</ignore>
> <ignore>/var/log/mail.info</ignore>
> <ignore>/var/log/mail.warn</ignore>
> <ignore>/var/log/mail.err</ignore>
> <ignore>/etc/ppp/chap-secrets</ignore>
> </syscheck>
> </agent_config>
>
> well, I will look how to update.
> Should I start with the server or the agents?
>
> Mike
>
> 2010/10/20 dan (ddp) <[email protected]>
>>
>> Please post your entire agent.conf
>> You should also consider updating to 2.5.1. 2.3 is very old at this point.
>>
>> On Wed, Oct 20, 2010 at 12:49 AM, Mike Sievers
>> <[email protected]> wrote:
>> > good morning
>> >
>> > I will try what you wrote me (sregex)
>> >
>> > This also does not work:
>> >
>> > <agent_config>
>> > <syscheck>
>> >
>> > <directories check_all="yes">/boot</directories>
>> >
>> > </syscheck>
>> > </agent_config>
>> >
>> > The agent log says:
>> >
>> > 010/10/19 15:28:22 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
>> > 2010/10/19 15:28:22 ossec-syscheckd: INFO: Monitoring directory: '/usr'.
>> > 2010/10/19 15:28:22 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
>> > 2010/10/19 15:28:22 ossec-syscheckd: INFO: Monitoring directory:
>> > '/sbin'.
>> > 2010/10/19 15:28:22 ossec-syscheckd: INFO: Monitoring directory: '/opt'.
>> > 2010/10/19 15:28:24 ossec-logcollector(1950): INFO: Analyzing file:
>> > '/var/log/messages'.
>> > 2010/10/19 15:28:24 ossec-logcollector(1950): INFO: Analyzing file:
>> > '/var/log/warn'.
>> > 2010/10/19 15:28:24 ossec-logcollector: INFO: Started (pid: 24510).
>> >
>> > but no /boot
>> >
>> > Mike
>> >
>> > 2010/10/19 dan (ddp) <[email protected]>
>> >>
>> >> On Tue, Oct 19, 2010 at 10:03 AM, Mike Sievers
>> >> <[email protected]> wrote:
>> >> > hi dan (and list)
>> >> > yes, the agent conf was copied and I restarted all
>> >> >
>> >> > but there is something different now:
>> >> >
>> >> > (agent.conf)
>> >> >
>> >> > <agent_config name='n001'>
>> >> > <syscheck>
>> >> > <ignore>/etc/ppp/chap-secrets</ignore> <<<<<<< file is not
>> >> > ignored
>> >> > <directories check_all="yes">/lib</directories> <<<<<< this
>> >> > works
>> >> > </syscheck>
>> >> > </agent_config>
>> >> >
>> >> > maybe the syntax is simply wrong?
>> >> >
>> >> > Mike
>> >> >
>> >>
>> >> It looks right to me. You could try the following:
>> >> <ignore type="sregex">^/etc/ppp/chap-secrets</ignore>
>> >>
>> >> But I don't think that will add anything. Which version of OSSEC are
>> >> you
>> >> using?
>> >>
>> >> > 2010/10/19 dan (ddp) <[email protected]>
>> >> >>
>> >> >> On Tue, Oct 19, 2010 at 9:38 AM, Mike Sievers
>> >> >> <[email protected]> wrote:
>> >> >> > Hi list
>> >> >> >
>> >> >> > I am using ossec with agents. But they don't use the:
>> >> >> > /var/ossec/etc/shared/agent.conf file
>> >> >> >
>> >> >> > I really have no idea and no error log.
>> >> >> > What can have happened?
>> >> >> > What tests are possible?
>> >> >> > agent_control says:
>> >> >> >
>> >> >> > ID: 005, Name: n001, IP: 192.168.40.2, Active
>> >> >> >
>> >> >> > Best,
>> >> >> > Mike
>> >> >> >
>> >> >>
>> >> >> Is the agent.conf being copied to the agents? Did you restart the
>> >> >> ossec processes on the agents?
>> >> >> Double check your agent.conf for any typos, that's bitten me in the
>> >> >> past.
>> >> >
>> >> >
>> >
>> >
>
>
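Added example (not part of the original thread and not OSSEC project code): a small Python lint for agent.conf that catches the kind of typo mentioned above and flags <agent_config> blocks with no selector, the form that was not applied on the poster's 2.3 agent while os='Linux' was. The known selector and option sets are assumptions limited to what appears in this thread, and the sample config is constructed.

```python
import xml.etree.ElementTree as ET

# Assumption: only the selectors and syscheck options seen in this thread are
# treated as known; extend these sets for the options your own config uses.
SELECTORS = {"name", "os"}
SYSCHECK_OPTIONS = {"directories", "ignore"}

# Constructed sample: block 1 has no selector, block 2 has a misspelled tag.
SAMPLE = """
<agent_config>
  <syscheck><directories check_all="yes">/boot</directories></syscheck>
</agent_config>
<agent_config os='Linux'>
  <syscheck>
    <directores check_all="yes">/boot</directores>
    <ignore>/etc/ppp/chap-secrets</ignore>
  </syscheck>
</agent_config>
"""

def lint_agent_conf(text):
    """Return (findings, blocks); each block is (selectors, {option: [values]})."""
    try:
        # agent.conf can hold several top-level blocks, so wrap it in a
        # synthetic root before giving it to a strict XML parser.
        root = ET.fromstring("<root>" + text + "</root>")
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"], []
    findings, blocks = [], []
    for n, block in enumerate(root, 1):
        if block.tag != "agent_config":
            findings.append(f"block {n}: unexpected top-level <{block.tag}>")
            continue
        for attr in sorted(set(block.attrib) - SELECTORS):
            findings.append(f"block {n}: unknown selector '{attr}'")
        if not block.attrib:
            findings.append(f"block {n}: no name/os selector")
        options = {}
        for opt in block.iterfind("syscheck/*"):
            if opt.tag in SYSCHECK_OPTIONS:
                options.setdefault(opt.tag, []).append((opt.text or "").strip())
            else:
                findings.append(f"block {n}: unknown syscheck option <{opt.tag}>")
        blocks.append((dict(block.attrib), options))
    return findings, blocks

if __name__ == "__main__":
    for finding in lint_agent_conf(SAMPLE)[0]:
        print(finding)
```

Run it against the server's copy of agent.conf before restarting the agents; a misspelled option shows up as a finding and is missing from that block's parsed options.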
