Regarding the agent.conf logfiles, I found it takes some time to work. We should wait a few minutes after restarting the service.

On Thu, Mar 3, 2011 at 4:02 PM, satish patel <[email protected]> wrote:
> Can you copy-paste your agent.conf? Should active-response come
> under the syscheck section?
>
> I can't disable iptables because this is my firewall server
> (production). It would help most if you could copy-paste your agent.conf to me.
>
> Also, I have added a few custom logs to agent.conf and those are not
> working either... :( Looks like I am doing something wrong in agent.conf.
> Please, someone send me a full agent.conf.
>
> <!-- fw01server extra logfiles for ubuntu OS -->
> <agent_config name="fw01server ">
>   <localfile>
>     <log_format>syslog</log_format>
>     <location>/var/log/auth.log</location>
>   </localfile>
>
>   <localfile>
>     <log_format>syslog</log_format>
>     <location>/var/log/syslog</location>
>   </localfile>
>
>   <localfile>
>     <log_format>syslog</log_format>
>     <location>/var/log/mail.info</location>
>   </localfile>
>
>   <localfile>
>     <log_format>syslog</log_format>
>     <location>/var/log/dpkg.log</location>
>   </localfile>
>
>   <localfile>
>     <log_format>apache</log_format>
>     <location>/var/log/apache2/error.log</location>
>   </localfile>
>
>   <localfile>
>     <log_format>apache</log_format>
>     <location>/var/log/apache2/access.log</location>
>   </localfile>
> </agent_config>
>
> On Thu, Mar 3, 2011 at 3:43 PM, carlopmart <[email protected]> wrote:
>> It is strange. I have tried on one agent and it works, putting active
>> response under agent.conf instead of ossec.conf ...
>>
>> Have you tried disabling iptables at startup and launching the ossec process on
>> the agent side using centralized configuration?
>>
>> On 03/03/2011 08:47 PM, satish patel wrote:
>>> That is working!!
>>>
>>> I need everything in agent.conf, not ossec.conf. It would be painful to
>>> manage more than 50 hosts by editing each ossec.conf file. At
>>> auditing time we need AR disabled, and after auditing we need that
>>> option enabled. I mean we are running a few scanners and a bunch of
>>> security vulnerability tools.
>>>
>>> Just wanted to know whether it's possible to disable AR via agent.conf or not.
>>>
>>> -Satish
>>>
>>> On Thu, Mar 3, 2011 at 2:30 PM, carlopmart <[email protected]> wrote:
>>>> Try to put the active response section in ossec.conf on the agent side and
>>>> restart the agent.
>>>>
>>>> On 03/03/2011 08:25 PM, satish patel wrote:
>>>>> Yes, I reloaded the agent 10 times. But AR is still there. md5sum and
>>>>> everything is correct. What other way is there to disable AR?
>>>>>
>>>>> root@vmg035:/var/ossec/etc/shared# md5sum /var/ossec/etc/shared/agent.conf
>>>>> f4c01366249fcc231d8015e616f76aee  /var/ossec/etc/shared/agent.conf
>>>>>
>>>>> root@vmg035:/var/ossec/etc/shared# /var/ossec/bin/agent_control -i 002
>>>>>
>>>>> OSSEC HIDS agent_control. Agent information:
>>>>>    Agent ID:   002
>>>>>    Agent Name: devserver1
>>>>>    IP address: 172.24.10.51
>>>>>    Status:     Active
>>>>>
>>>>>    Operating system:    Linux devserver1.west.com 2.6.9-89.0.25.ELsmp #1 S..
>>>>>    Client version:      OSSEC HIDS v2.5.1 / f4c01366249fcc231d8015e616f76aee
>>>>>    Last keep alive:     Thu Mar  3 11:21:51 2011
>>>>>
>>>>>    Syscheck last started at:  Thu Mar  3 09:41:15 2011
>>>>>    Rootcheck last started at: Thu Mar  3 09:55:00 2011
>>>>>
>>>>> On Thu, Mar 3, 2011 at 1:25 PM, carlopmart <[email protected]> wrote:
>>>>>> On 03/03/2011 07:05 PM, satish patel wrote:
>>>>>>> Thanks bro,
>>>>>>>
>>>>>>> That has been fixed. Now I want to disable AR on a specific agent, and I
>>>>>>> added the following code to agent.conf, but it isn't working... AR is still
>>>>>>> active on that node.
>>>>>>>
>>>>>>> <agent_config name="devserver1">
>>>>>>>   <active-response>
>>>>>>>     <disabled>yes</disabled>
>>>>>>>   </active-response>
>>>>>>> </agent_config>
>>>>>>
>>>>>> Has the agent reloaded the agent.conf file? Try this command:
>>>>>>
>>>>>> /opt/ossec/bin/agent_control -i 001
>>>>>>
>>>>>> OSSEC HIDS agent_control. Agent information:
>>>>>>    Agent ID:   001
>>>>>>    Agent Name: rhelauthsrv
>>>>>>    IP address: 172.25.50.10
>>>>>>    Status:     Active
>>>>>>
>>>>>>    Operating system:    Linux rhelsrv01.hpulabs.org 2.6.32-71.14.1.el6.x86_64 ..
>>>>>>    Client version:      OSSEC HIDS v2.5.1 / 689ae94cd232e6b5c503e6148a08b49b
>>>>>>    Last keep alive:     Thu Mar  3 19:23:09 2011
>>>>>>
>>>>>>    Syscheck last started at:  Thu Mar  3 18:14:44 2011
>>>>>>    Rootcheck last started at: Thu Mar  3 18:19:19 2011
>>>>>>
>>>>>> The md5sum needs to be the same on the agent and the server. And try restarting
>>>>>> the ossec services on the agent side if needed ...
>>>>>>
>>>>>> --
>>>>>> CL Martinez
>>>>>> carlopmart {at} gmail {d0t} com
>>>>
>>>> --
>>>> CL Martinez
>>>> carlopmart {at} gmail {d0t} com
>>
>> --
>> CL Martinez
>> carlopmart {at} gmail {d0t} com
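The thread above turns on two checks that are easy to get wrong by hand: which `<agent_config>` blocks in the shared agent.conf actually apply to a given agent, and whether the md5 that `agent_control -i` reports for the agent matches the manager's copy of agent.conf. The script below is an added example written for this page; it is not from the thread, and it is not OSSEC code. The sample agent.conf and agent_control output are constructed for illustration (the md5 values and host names are taken from the thread, not computed). It assumes that the shared file holds top-level `<agent_config>` blocks with no single XML root, that the `name` attribute is a comma-separated list of agent names, that a block without a `name` attribute applies to every agent, and that OSSEC compares the name exactly as written (so the whitespace lint is a hygiene check, not a documented OSSEC behaviour).

```python
"""Pre-flight checks for an OSSEC centralized agent.conf (added example).

Assumptions (not verified against OSSEC source): agent.conf has no root element;
'name' is a comma-separated agent list; a block without 'name' applies to all agents;
names are matched exactly; 'agent_control -i' prints 'Client version: ... / <md5>'
where <md5> is the hash of the agent.conf the agent currently holds.
"""
import hashlib
import re
import xml.etree.ElementTree as ET

# Constructed sample shared file (not the poster's exact file).
SAMPLE_AGENT_CONF = """\
<!-- constructed sample: disable AR on one agent, extra log on another -->
<agent_config name="devserver1">
  <active-response>
    <disabled>yes</disabled>
  </active-response>
</agent_config>

<agent_config name="fw01server ">
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>
</agent_config>

<agent_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/syslog</location>
  </localfile>
</agent_config>
"""

# Constructed agent_control -i output in the layout shown in the thread.
SAMPLE_AGENT_CONTROL = """\
OSSEC HIDS agent_control. Agent information:
   Agent ID:   002
   Agent Name: devserver1
   IP address: 172.24.10.51
   Status:     Active

   Operating system:    Linux devserver1.west.com 2.6.9-89.0.25.ELsmp #1 S..
   Client version:      OSSEC HIDS v2.5.1 / f4c01366249fcc231d8015e616f76aee
   Last keep alive:     Thu Mar  3 11:21:51 2011
"""

MD5_RE = re.compile(r"Client version:.*?/\s*([0-9a-f]{32})")


def parse_agent_conf(text):
    """Return the <agent_config> elements; the shared file has no root, so wrap it."""
    root = ET.fromstring("<ossec_shared>" + text + "</ossec_shared>")
    return root.findall("agent_config")


def blocks_for_agent(text, agent_name):
    """Indexes of blocks that apply to agent_name (exact match, no trimming)."""
    hits = []
    for i, block in enumerate(parse_agent_conf(text)):
        names = block.get("name")
        if names is None or agent_name in names.split(","):
            hits.append(i)
    return hits


def effective_settings(text, agent_name):
    """What the agent ends up with: is AR disabled, and which localfile locations."""
    blocks = parse_agent_conf(text)
    ar_disabled, locations = False, []
    for i in blocks_for_agent(text, agent_name):
        flag = blocks[i].find("active-response/disabled")
        if flag is not None and (flag.text or "").strip().lower() == "yes":
            ar_disabled = True
        for loc in blocks[i].findall("localfile/location"):
            locations.append((loc.text or "").strip())
    return {"active_response_disabled": ar_disabled, "localfile_locations": locations}


def lint_names(text):
    """Flag name entries with leading/trailing whitespace: under exact matching
    they only apply to an agent registered with that same whitespace."""
    return [repr(n) for block in parse_agent_conf(text)
            for n in (block.get("name") or "").split(",") if n and n != n.strip()]


def conf_md5(text):
    """Same digest 'md5sum agent.conf' prints on the manager."""
    return hashlib.md5(text.encode()).hexdigest()


def agent_control_md5(control_output):
    """The md5 the agent reports in 'Client version: ... / <md5>'."""
    m = MD5_RE.search(control_output)
    return m.group(1) if m else None


def check_sync(conf_text, control_output):
    """(in_sync, manager_md5, agent_md5): in_sync means the agent holds the current file."""
    local, remote = conf_md5(conf_text), agent_control_md5(control_output)
    return local == remote, local, remote


if __name__ == "__main__":
    print("devserver1 gets:", effective_settings(SAMPLE_AGENT_CONF, "devserver1"))
    print("fw01server gets:", effective_settings(SAMPLE_AGENT_CONF, "fw01server"))
    print("suspicious names:", lint_names(SAMPLE_AGENT_CONF))
    print("agent in sync:", check_sync(SAMPLE_AGENT_CONF, SAMPLE_AGENT_CONTROL))
```

Run it on the manager with the real file and the real `agent_control -i <id>` output and you get the two answers the thread was chasing: whether the agent has picked up the current agent.conf at all (md5 match), and, if it has, whether the block you edited even targets that agent. In the constructed sample, `fw01server` receives nothing from its own block because the name carries a trailing space, which `lint_names` reports.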
