Ah! I have pretty much the same agent.conf:
root@vmg035:/var/ossec/etc/shared# cat agent.conf
<agent_config>
  <syscheck>
    <!-- Frequency that syscheck is executed - default to every 2 hours -->
    <frequency>7200</frequency>

    <!-- Directories to check (perform all possible verifications) -->
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>

    <!-- No scan at start service time -->
    <scan_on_start>no</scan_on_start>

    <!-- Files/directories to ignore -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/mnttab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
    <ignore>/etc/utmpx</ignore>
    <ignore>/etc/wtmpx</ignore>
    <ignore>/etc/cups/certs</ignore>
    <ignore>/etc/dumpdates</ignore>
    <ignore>/etc/svc/volatile</ignore>
    <ignore>/etc/motd</ignore>
  </syscheck>

  <rootcheck>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
    <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
    <system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>
    <system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt</system_audit>
    <system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>
  </rootcheck>
</agent_config>

<!-- Redhat Linux Logfiles monitor -->
<agent_config name="dev01|dev01">
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/secure</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/vsftpd.log</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/maillog</location>
  </localfile>
</agent_config>

<!-- sebfwint1 extra logfiles for ubuntu OS -->
<agent_config name="fw01server">
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/syslog</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/mail.info</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/dpkg.log</location>
  </localfile>
  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/apache2/error.log</location>
  </localfile>
  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/apache2/access.log</location>
  </localfile>
</agent_config>
On Thu, Mar 3, 2011 at 4:39 PM, carlopmart <[email protected]> wrote:
> On 03/03/2011 10:02 PM, satish patel wrote:
>>
>> Can you copy-paste your agent.conf? Should active-response come
>> under the syscheck section?
>>
>>
>> I can't disable iptables because this is my firewall server
>> (production). The best help would be for you to copy-paste your agent.conf to me.
>>
>> Also, I have added a few custom logs to agent.conf, and those are not
>> working either... :( It looks like I am doing something wrong in agent.conf.
>> Please, someone send me a full agent.conf.
>>
>>
>> <!-- fw01server extra logfiles for ubuntu OS -->
>> <agent_config name="fw01server ">
>> <localfile>
>> <log_format>syslog</log_format>
>> <location>/var/log/auth.log</location>
>> </localfile>
>>
>> <localfile>
>> <log_format>syslog</log_format>
>> <location>/var/log/syslog</location>
>> </localfile>
>>
>> <localfile>
>> <log_format>syslog</log_format>
>> <location>/var/log/mail.info</location>
>> </localfile>
>>
>> <localfile>
>> <log_format>syslog</log_format>
>> <location>/var/log/dpkg.log</location>
>> </localfile>
>>
>> <localfile>
>> <log_format>apache</log_format>
>> <location>/var/log/apache2/error.log</location>
>> </localfile>
>>
>> <localfile>
>> <log_format>apache</log_format>
>> <location>/var/log/apache2/access.log</location>
>> </localfile>
>> </agent_config>
>>
>>
>>
>>
>
> This is my agent.conf for one agent:
>
> <agent_config name="rhelauthsrv">
>   <syscheck>
>     <frequency>79200</frequency>
>     <auto_ignore>no</auto_ignore>
>     <alert_new_files>yes</alert_new_files>
>     <directories report_changes="yes" realtime="yes" check_all="yes">/etc</directories>
>     <directories check_all="yes">/usr/bin,/usr/sbin,/bin,/sbin</directories>
>     <ignore>/etc/adjtime</ignore>
>     <ignore>/etc/aliases.db</ignore>
>     <ignore>/etc/hosts.deny</ignore>
>     <ignore>/etc/lvm/cache/.cache</ignore>
>     <ignore>/etc/mtab</ignore>
>   </syscheck>
>
>   <rootcheck>
>     <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
>     <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
>     <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
>     <system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>
>     <system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt</system_audit>
>     <system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>
>   </rootcheck>
>
>   <active-response>
>     <disabled>yes</disabled>
>   </active-response>
>
>   <localfile>
>     <log_format>syslog</log_format>
>     <location>/var/log/messages</location>
>   </localfile>
>   <localfile>
>     <log_format>syslog</log_format>
>     <location>/var/log/secure</location>
>   </localfile>
>   <localfile>
>     <log_format>syslog</log_format>
>     <location>/var/log/maillog</location>
>   </localfile>
> </agent_config>
>
> --
> CL Martinez
> carlopmart {at} gmail {d0t} com
>
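A small checker, added here as an illustration and not part of this thread or of OSSEC itself, that parses a shared agent.conf (several top-level `<agent_config>` blocks, so not a single-root XML document) and reports which `<location>` entries a given agent would pick up. It also warns when a `name` attribute differs from the agent's name only by whitespace, as in the quoted `name="fw01server "` above, since such a name is compared as-is and will not match. It models only the `name` attribute (not `os` or `profile`) and uses a constructed sample config, not the configs posted above.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the thread's agent.conf; the second block's
# name attribute carries a trailing space, like the quoted post.
SAMPLE_AGENT_CONF = """
<agent_config>
  <syscheck><frequency>7200</frequency></syscheck>
  <localfile><log_format>syslog</log_format><location>/var/log/messages</location></localfile>
</agent_config>
<!-- fw01server extra logfiles for ubuntu OS -->
<agent_config name="fw01server ">
  <localfile><log_format>syslog</log_format><location>/var/log/auth.log</location></localfile>
</agent_config>
<agent_config name="dev01|dev02">
  <localfile><log_format>syslog</log_format><location>/var/log/secure</location></localfile>
</agent_config>
"""


def parse_agent_conf(text):
    # agent.conf has several top-level elements, so wrap it in a synthetic
    # root before handing it to ElementTree. Comments are dropped by the parser.
    root = ET.fromstring("<root>" + text + "</root>")
    return root.findall("agent_config")


def blocks_for_agent(text, agent_name):
    """Return (locations, warnings): the <location> values an agent called
    agent_name would receive, plus warnings for name attributes that are
    equal to agent_name except for surrounding whitespace."""
    locations, warnings = [], []
    for block in parse_agent_conf(text):
        names_attr = block.get("name")
        if names_attr is None:
            applies = True  # unnamed block: applies to every agent
        else:
            names = names_attr.split("|")  # name= takes a |-separated list
            applies = agent_name in names  # exact comparison, as OSSEC does
            for n in names:
                if n != n.strip() and n.strip() == agent_name:
                    warnings.append(
                        f"name={names_attr!r} differs from {agent_name!r} "
                        "only by whitespace and will not match")
        if applies:
            locations.extend(loc.text.strip() for loc in block.iter("location"))
    return locations, warnings
```

Running `blocks_for_agent(SAMPLE_AGENT_CONF, "fw01server")` shows the agent receiving only the unnamed block's log, with a warning pointing at the trailing space.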