Can you copy-paste your agent.conf? Is active-response supposed to come
under the syscheck section?
I can't disable iptables because this is my firewall server
(production). The best help is if you copy-paste your agent.conf to me.
Also I have added a few custom logs to agent.conf and that is also not
working... :( Looks like I am doing something wrong in agent.conf.
Please, someone send me a full agent.conf.
<!-- fw01server extra logfiles for ubuntu OS -->
<!-- the name attribute must match the agent's registered name exactly; no trailing space -->
<agent_config name="fw01server">
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/syslog</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/mail.info</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/dpkg.log</location>
  </localfile>
  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/apache2/error.log</location>
  </localfile>
  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/apache2/access.log</location>
  </localfile>
</agent_config>
On Thu, Mar 3, 2011 at 3:43 PM, carlopmart <[email protected]> wrote:
> It is strange. I have tried on one agent and it works when putting active
> response under agent.conf instead of ossec.conf ...
>
> Have you tried disabling iptables at startup and launching the ossec process on
> the agent side using the centralized configuration??
>
>
> On 03/03/2011 08:47 PM, satish patel wrote:
>>
>> That is working!!
>>
>> I need everything in agent.conf, not ossec.conf. It would be painful to
>> manage more than 50 hosts by editing each ossec.conf file.. At
>> auditing time we need AR disabled, and after auditing we need that
>> option enabled. I mean we are running a few scanners and a bunch of
>> security vulnerability tools.
>>
>> Just wanted to know: is it possible to disable AR via agent.conf or not?
>>
>> -Satish
>>
>>
>>
>> On Thu, Mar 3, 2011 at 2:30 PM, carlopmart<[email protected]> wrote:
>>>
>>> Try to put active response section on ossec.conf on the agent side and
>>> restart agent.
>>>
>>>
>>> On 03/03/2011 08:25 PM, satish patel wrote:
>>>>
>>>> Yes, I reloaded the agent 10 times. But AR is still there. md5sum and
>>>> everything is correct. What other way is there to disable AR?
>>>>
>>>>
>>>> root@vmg035:/var/ossec/etc/shared# md5sum
>>>> /var/ossec/etc/shared/agent.conf
>>>> f4c01366249fcc231d8015e616f76aee /var/ossec/etc/shared/agent.conf
>>>>
>>>>
>>>> root@vmg035:/var/ossec/etc/shared# /var/ossec/bin/agent_control -i 002
>>>>
>>>> OSSEC HIDS agent_control. Agent information:
>>>> Agent ID: 002
>>>> Agent Name: devserver1
>>>> IP address: 172.24.10.51
>>>> Status: Active
>>>>
>>>> Operating system: Linux devserver1.west.com 2.6.9-89.0.25.ELsmp #1
>>>> S..
>>>> Client version: OSSEC HIDS v2.5.1 /
>>>> f4c01366249fcc231d8015e616f76aee
>>>> Last keep alive: Thu Mar 3 11:21:51 2011
>>>>
>>>> Syscheck last started at: Thu Mar 3 09:41:15 2011
>>>> Rootcheck last started at: Thu Mar 3 09:55:00 2011
>>>>
>>>>
>>>>
>>>>
>>>> On Thu, Mar 3, 2011 at 1:25 PM, carlopmart<[email protected]>
>>>> wrote:
>>>>>
>>>>> On 03/03/2011 07:05 PM, satish patel wrote:
>>>>>>
>>>>>> Thanks bro,
>>>>>>
>>>>>> That has been fixed. Now I want to disable AR on a specific agent and I
>>>>>> added the following code in agent.conf but it isn't working... AR is
>>>>>> still active on that node
>>>>>>
>>>>>> <agent_config name="devserver1">
>>>>>>   <active-response>
>>>>>>     <disabled>yes</disabled>
>>>>>>   </active-response>
>>>>>> </agent_config>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>> Has the agent reloaded the agent.conf file?? Try with this command:
>>>>>
>>>>> /opt/ossec/bin/agent_control -i 001
>>>>>
>>>>> OSSEC HIDS agent_control. Agent information:
>>>>> Agent ID: 001
>>>>> Agent Name: rhelauthsrv
>>>>> IP address: 172.25.50.10
>>>>> Status: Active
>>>>>
>>>>> Operating system: Linux rhelsrv01.hpulabs.org
>>>>> 2.6.32-71.14.1.el6.x86_64
>>>>> ..
>>>>> Client version: OSSEC HIDS v2.5.1 /
>>>>> 689ae94cd232e6b5c503e6148a08b49b
>>>>> Last keep alive: Thu Mar 3 19:23:09 2011
>>>>>
>>>>> Syscheck last started at: Thu Mar 3 18:14:44 2011
>>>>> Rootcheck last started at: Thu Mar 3 18:19:19 2011
>>>>>
>>>>>
>>>>> The md5sum needs to be the same on agent and server. And try to restart
>>>>> the ossec
>>>>> services on the agent side if needed ...
>>>>>
>>>>> --
>>>>> CL Martinez
>>>>> carlopmart {at} gmail {d0t} com
>>>>>
>>>
>>>
>>> --
>>> CL Martinez
>>> carlopmart {at} gmail {d0t} com
>>>
>
>
> --
> CL Martinez
> carlopmart {at} gmail {d0t} com
>
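The thread turns on two things a centralized agent.conf has to get right: each <agent_config> block only applies to an agent when its name/os/profile selector matches, and the agent's copy of the file (the hash agent_control -i prints) must equal the manager's copy. The script below is an added example, not code from the thread or from OSSEC: it parses a constructed agent.conf with several top-level blocks, lints selector attributes for stray whitespace (the trailing space in name="fw01server " is the kind of slip that silently makes a block apply to nobody), works out which localfile and active-response settings a given agent would end up with, and prints the MD5 to compare against agent_control. The matching rules are an assumption for illustration (exact match on name and profile, substring match on os); OSSEC's own matcher is pattern-based, but a stray space in the attribute breaks the match either way.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample agent.conf modelled on the thread (not a real file from
# the poster). The first block's name attribute carries a trailing space, the
# same slip as in the posted config, so it matches no agent.
SAMPLE_AGENT_CONF = """\
<!-- fw01server extra logfiles for ubuntu OS -->
<agent_config name="fw01server ">
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>
</agent_config>
<agent_config name="devserver1">
  <active-response>
    <disabled>yes</disabled>
  </active-response>
</agent_config>
<agent_config os="Linux">
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/syslog</location>
  </localfile>
</agent_config>
"""


def parse_agent_conf(text):
    """Return the <agent_config> elements of an agent.conf in file order.

    agent.conf holds several top-level <agent_config> elements plus comments,
    so it is not a single-rooted XML document; wrap it before parsing.
    """
    root = ET.fromstring("<root>" + text + "</root>")
    return root.findall("agent_config")


def lint_blocks(blocks):
    """Flag selector attributes that can never match an agent."""
    warnings = []
    for i, block in enumerate(blocks, 1):
        for attr in ("name", "os", "profile"):
            value = block.get(attr)
            if value is not None and value != value.strip():
                warnings.append(
                    f"block {i}: {attr}={value!r} has leading/trailing whitespace"
                )
    return warnings


def block_applies(block, agent_name, os_string, profile=None):
    """Assumed matching rules (illustration only): exact match on name and
    profile, substring match on os against the agent's uname string; a block
    with no selector attribute applies to every agent."""
    name, os_attr, prof = block.get("name"), block.get("os"), block.get("profile")
    if name is not None and name != agent_name:
        return False
    if os_attr is not None and os_attr not in os_string:
        return False
    if prof is not None and prof != profile:
        return False
    return True


def effective_config(text, agent_name, os_string, profile=None):
    """Merge every matching block into the settings the agent would receive."""
    blocks = [b for b in parse_agent_conf(text)
              if block_applies(b, agent_name, os_string, profile)]
    locations = [lf.findtext("location", "").strip()
                 for b in blocks for lf in b.findall("localfile")]
    ar_disabled = any(
        (b.findtext("active-response/disabled") or "").strip().lower() == "yes"
        for b in blocks
    )
    return {
        "matched_blocks": len(blocks),
        "localfiles": locations,
        "active_response_disabled": ar_disabled,
    }


def file_md5(text):
    """MD5 of the file bytes, comparable with the hash agent_control -i prints."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    for warning in lint_blocks(parse_agent_conf(SAMPLE_AGENT_CONF)):
        print("WARNING:", warning)
    print(effective_config(SAMPLE_AGENT_CONF, "fw01server", "Linux fw01 2.6.32"))
    fixed = SAMPLE_AGENT_CONF.replace('name="fw01server "', 'name="fw01server"')
    print(effective_config(fixed, "fw01server", "Linux fw01 2.6.32"))
    print(effective_config(fixed, "devserver1", "Linux devserver1.west.com 2.6.9"))
    print("manager copy md5:", file_md5(fixed))
```

Run against the manager's /var/ossec/etc/shared/agent.conf with the agent name and OS string from agent_control -i, and compare the printed MD5 with the one agent_control shows; a mismatch means the agent has not yet pulled the new file, while a match together with zero matched blocks points at the selector attributes.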