I tried the solution you suggested and it does not rectify the problem.
Still getting the same error message on the ossec.conf file.
The other question I had on this: can I specify a range for the number of
lines for an entry (for example, let's say 1 to 50) in the case of a
multi-line log_format?
That does not solve
On 12/2/10 2:06 PM, dan (ddp) wrote:
It was pointed out to me on IRC that the <log_format> should include
the number of lines expected in an event.
For example if each entry is 10 lines long:
<log_format>multi-line: 10</log_format>
On Wed, Dec 1, 2010 at 3:43 PM, Shaikat Majumdar <[email protected]> wrote:
I have tested the multi-line stuff by using the forensic analysis feature of
log files (cat /tmp/foo.log | /var/ossec/bin/ossec-logtest -a) and it works.
That is what led me to believe this might be a non-issue or maybe a
syntactical issue.
Here is the config section in the ossec.conf file which is causing the
problem.
<agent_config name="foo">
<localfile>
<log_format>multi-line</log_format>
<location>/tmp/foo.log</location>
</localfile>
</agent_config>
And, this is the error message:
ossec-config(1230): ERROR: Invalid element in the configuration:
'agent_config'.
ossec-config(1202): ERROR: Configuration error at
'/var/ossec/etc/ossec.conf'. Exiting.
ossec-testrule(1202): ERROR: Configuration error at
'/var/ossec/etc/ossec.conf'. Exiting.
On Wed, Dec 1, 2010 at 2:23 PM, dan (ddp) <[email protected]> wrote:
On Wed, Dec 1, 2010 at 1:18 PM, Shaikat <[email protected]> wrote:
Yes I get the same error.
Also, I want to configure my agents centrally so that is why I am
using the agent.conf file.
Understood, it was just a test. I haven't tried the multiline stuff yet.
However, as I stated above the error does not prevent the agent from
restarting.
Maybe this is a non-issue. I just wanted to clarify whether this error
message can be safely ignored.
It looks like a real error to me. Can you post the config section
that's failing (you can obfuscate the logfile location if you want)?
On Dec 1, 12:36 pm, "dan (ddp)" <[email protected]> wrote:
On Wed, Dec 1, 2010 at 12:29 PM, Shaikat <[email protected]> wrote:
Hi,
Thanks for answering my question.
Another related question to the agent.conf file. As you can see I am
using the multi-line log_format introduced in version 2.5.1.
When I try to recycle an agent I get this error:
Started ossec-syscheckd...
Completed.
Killing ossec-logcollector ..
Killing ossec-syscheckd ..
Killing ossec-agentd ..
Killing ossec-execd ..
OSSEC HIDS v2.5.1 Stopped
Starting OSSEC HIDS v2.5.1 (by Trend Micro Inc.)...
Started ossec-execd...
Started ossec-agentd...
2010/11/30 17:55:39 ossec-config(1235): ERROR: Invalid value for
element 'log_format': multi-line.
2010/11/30 17:55:39 ossec-config(1202): ERROR: Configuration error at
'/var/ossec/etc/shared/agent.conf'. Exiting.
Started ossec-logcollector...
Both the server and the client are running the same version of OSSEC
HIDS viz., version 2.5.1.
In spite of the above error the agent starts up fine.
Any idea what this error message means and, if it is not an error but
just a warning, is there any way this message can be suppressed?
Thanks again,
Shaikat
If you put that part of the configuration in the ossec.conf do you
still get the error?
On Dec 1, 12:16 pm, "dan (ddp)" <[email protected]> wrote:
2010/12/1 Shaikat Majumdar <[email protected]>:
I have created an agent.conf file for centralized agent configuration
(/var/ossec/etc/shared/agent.conf). The file is attached.
I am trying to test OSSEC rules/config before deploying these changes.
So I followed the instructions posted on the link
http://www.ossec.net/main/manual/creating-a-separated-directory-for-t...
and then tried to run the following command.
I created the directory ossectest under "~/sandbox" instead of using the
"/tmp" directory.
/var/ossec/bin/ossec-logtest -D ~/sandbox/ossectest/ -c
~/sandbox/ossectest/etc/shared/agent.conf
You need to use etc/ossec.conf with logtest, it doesn't check on the
agent.conf.
2010/12/01 12:07:50 ossec-config(1230): ERROR: Invalid element in the
configuration: 'agent_config'.
2010/12/01 12:07:50 ossec-testrule(1202): ERROR: Configuration error at
'/home/smajumdar/sandbox/ossectest/etc/shared/agent.conf'. Exiting.
Can someone explain what this error message means and how it can be
rectified?
I am using OSSEC HIDS v2.5.1
/var/ossec/bin/ossec-logtest -V
OSSEC HIDS v2.5.1 - Trend Micro Inc.
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License (version 2) as
published by the Free Software Foundation. For more details, go to
http://www.ossec.net/main/license/
Thanks,
Shaikat Majumdar
Millburn Ridgefield Corporation
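A small check, added here as an illustration and not part of the thread or of OSSEC itself, that applies the two points made above to a config fragment before it is pushed to agents: <agent_config> is accepted only in agent.conf (ossec.conf, and therefore ossec-logtest, rejects it with error 1230), and a multi-line log_format needs the lines-per-event count in the form "multi-line: N". The fragments and the check_config function are constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed fragments: the block from the thread as posted, and the same
# block with the line count dan says a multi-line log_format must carry.
BROKEN_AGENT_CONF = """<agent_config name="foo">
  <localfile>
    <log_format>multi-line</log_format>
    <location>/tmp/foo.log</location>
  </localfile>
</agent_config>"""

FIXED_AGENT_CONF = BROKEN_AGENT_CONF.replace("multi-line", "multi-line: 10")

# Accepted shape of a multi-line format value: "multi-line: <lines per event>"
MULTILINE_RE = re.compile(r"^multi-line:\s*(\d+)$")


def check_config(xml_text, filename):
    """Return a list of problems found in an OSSEC config fragment.

    filename decides which top-level elements are legal: <agent_config>
    belongs in etc/shared/agent.conf only; ossec.conf (and ossec-logtest,
    which reads ossec.conf) rejects it with ossec-config(1230).
    This is an illustrative checker, not OSSEC's own parser.
    """
    problems = []
    # A file may hold several top-level blocks, so wrap them in a dummy root.
    root = ET.fromstring("<root>" + xml_text + "</root>")
    for block in root:
        if block.tag == "agent_config" and not filename.endswith("agent.conf"):
            problems.append("%s: <agent_config> is only valid in agent.conf" % filename)
        # iter() visits the block itself too, so a bare <localfile> is covered.
        for lf in block.iter("localfile"):
            fmt = (lf.findtext("log_format") or "").strip()
            loc = lf.findtext("location") or "?"
            if fmt.startswith("multi-line"):
                m = MULTILINE_RE.match(fmt)
                if m is None or int(m.group(1)) < 1:
                    problems.append(
                        "%s: log_format for %s must be 'multi-line: N' "
                        "(N = lines per event), got '%s'" % (filename, loc, fmt))
    return problems


if __name__ == "__main__":
    for name, text in (("agent.conf", BROKEN_AGENT_CONF),
                       ("agent.conf", FIXED_AGENT_CONF),
                       ("ossec.conf", FIXED_AGENT_CONF)):
        print(name, check_config(text, name) or "OK")
```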