On 12/15/2010 07:38 PM, carlopmart wrote:
> Thanks Dan.
> I have installed OSSEC as a server, disabling rootcheck, syscheck and active
> response.
> But when I launch the OSSEC init script, syscheckd is started. How can I prevent
> syscheckd from starting?
> Thanks.
OK, it appears that the agent and the server installed on the same machine do not
work.
For example,
[r...@lorien alerts]# /data/services/siem/ossec/bin/agent_control -l
OSSEC HIDS agent_control. List of available agents:
ID: 000, Name: lorien.hpulabs.org (server), IP: 127.0.0.1, Active/Local
ID: 001, Name: lorien, IP: 172.25.70.19, Never connected
Maybe the ID 000 agent connected to localhost presents a problem?
The agent doesn't connect.
On the client side:
2010/12/15 19:55:15 ossec-execd(1350): INFO: Active response disabled. Exiting.
2010/12/15 19:55:19 ossec-syscheckd: INFO: Started (pid: 9241).
2010/12/15 19:55:19 ossec-rootcheck: INFO: Started (pid: 9241).
2010/12/15 19:55:19 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
2010/12/15 19:55:19 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin'.
2010/12/15 19:55:19 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin'.
2010/12/15 19:55:19 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
2010/12/15 19:55:19 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
2010/12/15 19:55:21 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'.
2010/12/15 19:55:21 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/secure'.
2010/12/15 19:55:21 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/maillog'.
2010/12/15 19:55:21 ossec-logcollector: INFO: Started (pid: 9237).
2010/12/15 19:56:21 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2010/12/15 19:56:21 ossec-syscheckd: WARN: Process locked. Waiting for permission...
2010/12/15 19:56:38 ossec-logcollector: WARN: Process locked. Waiting for permission...
At this point I have two questions:
a) Is it possible to assign a hostname parameter to ALL server processes?
b) Is it possible to bind ALL server processes to a specific IP? I know the local_ip
parameter can be used in ossec.conf, but it is only for listening, not for binding.
Thanks.
--
CL Martinez
carlopmart {at} gmail {d0t} com