I have tested the multi-line stuff by using the forensic analysis feature of
log files (cat /tmp/foo.log | /var/ossec/bin/ossec-logtest -a) and it works.
That is what led me to believe this might be a non-issue or maybe a
syntactical issue.
Here is the config section in the ossec.conf file which is causing the
problem.
<agent_config name="foo">
  <localfile>
    <log_format>multi-line</log_format>
    <location>/tmp/foo.log</location>
  </localfile>
</agent_config>
And, this is the error message:
ossec-config(1230): ERROR: Invalid element in the configuration:
'agent_config'.
ossec-config(1202): ERROR: Configuration error at
'/var/ossec/etc/ossec.conf'. Exiting.
ossec-testrule(1202): ERROR: Configuration error at
'/var/ossec/etc/ossec.conf'. Exiting.
On Wed, Dec 1, 2010 at 2:23 PM, dan (ddp) <[email protected]> wrote:
> On Wed, Dec 1, 2010 at 1:18 PM, Shaikat <[email protected]> wrote:
> > Yes I get the same error.
> >
> > Also, I want to configure my agents centrally so that is why I am
> > using the agent.conf file.
> >
>
> Understood, it was just a test. I haven't tried the multiline stuff yet.
>
> > However, as I stated above the error does not prevent the agent from
> > restarting.
> > Maybe this is a non-issue. I just wanted to clarify whether this error
> > message can be safely ignored.
> >
> >
>
> It looks like a real error to me. Can you post the config section
> that's failing (you can obfuscate the logfile location if you want)?
>
> > On Dec 1, 12:36 pm, "dan (ddp)" <[email protected]> wrote:
> >> On Wed, Dec 1, 2010 at 12:29 PM, Shaikat <[email protected]> wrote:
> >> > Hi,
> >>
> >> > Thanks for answering my question.
> >>
> >> > Another related question to the agent.conf file. As you can see I am
> >> > using the multi-line log_format introduced in version 2.5.1.
> >>
> >> > When I try to recycle an agent I get this error:
> >>
> >> > Started ossec-syscheckd...
> >> > Completed.
> >> > Killing ossec-logcollector ..
> >> > Killing ossec-syscheckd ..
> >> > Killing ossec-agentd ..
> >> > Killing ossec-execd ..
> >> > OSSEC HIDS v2.5.1 Stopped
> >> > Starting OSSEC HIDS v2.5.1 (by Trend Micro Inc.)...
> >> > Started ossec-execd...
> >> > Started ossec-agentd...
> >> > 2010/11/30 17:55:39 ossec-config(1235): ERROR: Invalid value for
> >> > element 'log_format': multi-line.
> >> > 2010/11/30 17:55:39 ossec-config(1202): ERROR: Configuration error at
> >> > '/var/ossec/etc/shared/agent.conf'. Exiting.Started ossec-logcollector...
> >>
> >> > Both the server and the client are running the same version of OSSEC
> >> > HIDS viz., version 2.5.1.
> >>
> >> > In spite of the above error the agent starts up fine.
> >>
> >> > Any idea what this error message means and if it is not an error but
> >> > just a warning, is there any way this message can be suppressed?
> >>
> >> > Thanks again,
> >> > Shaikat
> >>
> >> If you put that part of the configuration in the ossec.conf do you
> >> still get the error?
> >>
> >> > On Dec 1, 12:16 pm, "dan (ddp)" <[email protected]> wrote:
> >> >> 2010/12/1 Shaikat Majumdar <[email protected]>:
> >>
> >> >> > I have created an agent.conf file for centralized agent configuration
> >> >> > (/var/ossec/etc/shared/agent.conf). The file is attached.
> >>
> >> >> > I am trying to test OSSEC rules/config before deploying these changes.
> >>
> >> >> > So I followed the instructions posted on the link
> >> >> > http://www.ossec.net/main/manual/creating-a-separated-directory-for-t...
> >> >> > and then tried to run the following command.
> >>
> >> >> > I created the directory ossectest under "~/sandbox" instead of using the
> >> >> > "/tmp" directory.
> >>
> >> >> > /var/ossec/bin/ossec-logtest -D ~/sandbox/ossectest/ -c
> >> >> > ~/sandbox/ossectest/etc/shared/agent.conf
> >>
> >> >> You need to use etc/ossec.conf with logtest, it doesn't check on the agent.conf.
> >>
> >> >> > 2010/12/01 12:07:50 ossec-config(1230): ERROR: Invalid element in the
> >> >> > configuration: 'agent_config'.
> >> >> > 2010/12/01 12:07:50 ossec-testrule(1202): ERROR: Configuration error at
> >> >> > '/home/smajumdar/sandbox/ossectest/etc/shared/agent.conf'. Exiting.
> >>
> >> >> > Can someone explain what this error message means and how it can be
> >> >> > rectified?
> >>
> >> >> > I am using OSSEC HIDS v2.5.1
> >>
> >> >> > /var/ossec/bin/ossec-logtest -V
> >>
> >> >> > OSSEC HIDS v2.5.1 - Trend Micro Inc.
> >>
> >> >> > This program is free software; you can redistribute it and/or modify
> >> >> > it under the terms of the GNU General Public License (version 2) as
> >> >> > published by the Free Software Foundation. For more details, go to
> >> >> > http://www.ossec.net/main/license/
> >>
> >> >> > Thanks,
> >> >> > Shaikat Majumdar
> >> >> > Millburn Ridgefield Corporation