On Wed, Dec 1, 2010 at 1:18 PM, Shaikat <[email protected]> wrote: > Yes I get the same error. > > Also, I want to configure my agents centrally so that is why I am > using the agent.conf file. >
Understood, it was just a test. I haven't tried the multiline stuff yet. > However, as I stated above the error does not prevent the agent from > restarting. > Maybe this is a non-issue. I just wanted to clarify whether this error > message can be safely ignored. > > It looks like a real error to me. Can you post the config section that's failing (you can obfuscate the logfile location if you want)? > On Dec 1, 12:36 pm, "dan (ddp)" <[email protected]> wrote: >> On Wed, Dec 1, 2010 at 12:29 PM, Shaikat <[email protected]> wrote: >> > Hi, >> >> > Thanks for answering my question. >> >> > Another related question to the agent.conf file. As you can see I am >> > using the multi-line log_format introduced in version 2.5.1. >> >> > When I try to recycle an agent I get this error: >> >> > Started ossec-syscheckd... >> > Completed. >> > Killing ossec-logcollector .. >> > Killing ossec-syscheckd .. >> > Killing ossec-agentd .. >> > Killing ossec-execd .. >> > OSSEC HIDS v2.5.1 Stopped >> > Starting OSSEC HIDS v2.5.1 (by Trend Micro Inc.)... >> > Started ossec-execd... >> > Started ossec-agentd... >> > 2010/11/30 17:55:39 ossec-config(1235): ERROR: Invalid value for >> > element 'log_format': multi-line. >> > 2010/11/30 17:55:39 ossec-config(1202): ERROR: Configuration error at >> > '/var/ossec/etc/shared/agent.conf'. Exiting.Started ossec- >> > logcollector... >> >> > Both the server and the client are running the same version of OSSEC >> > HIDS viz., version 2.5.1. >> >> > Inspite of the above error the agent starts up fine. >> >> > Any idea what this error message means and if it is not an error but >> > just a warning is there anyway this message can be suppressed ? >> >> > Thanks again, >> > Shaikat >> >> If you put that part of the configuration in the ossec.conf do you >> still get the error? >> >> >> >> >> >> >> >> >> >> > On Dec 1, 12:16 pm, "dan (ddp)" <[email protected]> wrote: >> >> 2010/12/1 Shaikat Majumdar <[email protected]>: >> >> >> > I have created a agent.conf file for centralized agent configuration >> >> > (/var/ossec/etc/shared/agent.conf). The file is attached. >> >> >> > I am trying to test OSSEC rules/config before deploying these changes. >> >> >> > So I followed the instructions posted on the link >> >> >http://www.ossec.net/main/manual/creating-a-separated-directory-for-t... >> >> > and then tried to run the following command. >> >> >> > I created the directory ossectest under "~/sandbox" instead of using the >> >> > "/tmp" directory. >> >> >> > /var/ossec/bin/ossec-logtest -D ~/sandbox/ossectest/ -c >> >> > ~/sandbox/ossectest/etc/shared/agent.conf >> >> >> You need to use etc/ossec.conf with logtest, it doesn't check on the >> >> agent.conf. >> >> >> > 2010/12/01 12:07:50 ossec-config(1230): ERROR: Invalid element in the >> >> > configuration: 'agent_config'. >> >> > 2010/12/01 12:07:50 ossec-testrule(1202): ERROR: Configuration error at >> >> > '/home/smajumdar/sandbox/ossectest/etc/shared/agent.conf'. Exiting. >> >> >> > Can someone explain what this error message means and how it can be >> >> > rectified ?? >> >> >> > I am using OSSEC HIDS v2.5.1 >> >> >> > /var/ossec/bin/ossec-logtest -V >> >> >> > OSSEC HIDS v2.5.1 - Trend Micro Inc. >> >> >> > This program is free software; you can redistribute it and/or modify >> >> > it under the terms of the GNU General Public License (version 2) as >> >> > published by the Free Software Foundation. For more details, go to >> >> >http://www.ossec.net/main/license/ >> >> >> > Thanks, >> >> > Shaikat Majumdar >> >> > Millburn Ridgefield Corporation
