I just posted something similar to what you are reporting, reg... I
removed all but this from my client's ossec.conf:
<ossec_config>
  <client>
    <server-ip>128.194.198.99</server-ip>
  </client>
</ossec_config>
The agent.conf still hasn't been pushed to the clients after 11 hours,
and as expected the missing items from the conf throw the following
errors at the command line:
2011/06/06 22:29:09 ossec-logcollector(1225): INFO: SIGNAL Received. Exit Cleaning...
2011/06/06 22:29:09 ossec-execd(1314): INFO: Shutdown received. Deleting responses.
2011/06/06 22:29:09 ossec-execd(1225): INFO: SIGNAL Received. Exit Cleaning...
2011/06/06 22:29:09 ossec-agentd(1225): INFO: SIGNAL Received. Exit Cleaning...
2011/06/06 22:29:09 ossec-execd: INFO: Started (pid: 1648).
2011/06/06 22:29:10 ossec-agentd(1410): INFO: Reading authentication keys file.
2011/06/06 22:29:10 ossec-agentd: INFO: Assigning counter for agent client1: '4:5087'.
2011/06/06 22:29:10 ossec-agentd: INFO: Assigning sender counter: 43:5208
2011/06/06 22:29:10 ossec-logcollector(1905): INFO: No file configured to monitor.
2011/06/06 22:29:10 ossec-agentd: INFO: Started (pid: 1652).
2011/06/06 22:29:10 ossec-agentd: INFO: Server IP Address: 0.0.0.0
2011/06/06 22:29:10 ossec-agentd: INFO: Trying to connect to server (0.0.0.0:1514).
2011/06/06 22:29:10 ossec-syscheckd(1702): INFO: No directory provided for syscheck to monitor.
2011/06/06 22:29:11 ossec-agentd(4102): INFO: Connected to the server (0.0.0.0:1514).
2011/06/06 22:29:16 ossec-logcollector: INFO: Started (pid: 1679).
I'll report back, if/when the agent.conf gets pushed out, on how that
went.
- Trey
On Jun 7, 9:35 am, reg <[email protected]> wrote:
> Christopher,
>
> I am curious how you got this to work. I get all sorts of errors
> trying that.
>
> 2011/06/07 13:28:22 ossec-syscheckd(1702): INFO: No directory provided for syscheck to monitor.
> 2011/06/07 13:28:22 ossec-syscheckd: WARN: Syscheck disabled.
> 2011/06/07 13:28:22 ossec-rootcheck: System audit file not configured.
> 2011/06/07 13:28:23 ossec-agentd(4102): INFO: Connected to the server (x.x.x.x:1514).
> 2011/06/07 13:28:26 ossec-syscheckd: INFO: Started (pid: 13684).
> 2011/06/07 13:28:26 ossec-rootcheck: INFO: Started (pid: 13684).
> 2011/06/07 13:28:28 ossec-logcollector: INFO: Started (pid: 13680).
> 2011/06/07 13:30:00 ossec-rootcheck: INFO: Starting rootcheck scan.
> 2011/06/07 13:30:00 ossec-rootcheck: No rootcheck_files file configured.
> 2011/06/07 13:30:00 ossec-rootcheck: No rootcheck_trojans file configured.
> 2011/06/07 13:42:27 ossec-rootcheck: INFO: Ending rootcheck scan.
> 2011/06/07 13:47:27 ossec-syscheckd(1105): ERROR: Attempted to use null string.
> 2011/06/07 14:02:49 ossec-syscheckd(1105): ERROR: Attempted to use null string.
> 2011/06/07 14:18:11 ossec-syscheckd(1105): ERROR: Attempted to use null string.
>
> I would prefer only having the IP address in the ossec.conf file.
>
> -Reggie
>
> On Jun 6, 2:03 pm, "dan (ddp)" <[email protected]> wrote:
>
> > When there's a conflict the agent's ossec.conf is generally used. I
> > find it's best to remove everything except the server-ip setting from
> > the agent ossec.conf files.
>
> > On Mon, Jun 6, 2011 at 8:50 AM, Christopher Moraes
>
> > <[email protected]> wrote:
> > > Hi Frank,
> > > If I create an agent.conf file on the server, will it overwrite the
> > > settings of the agent's local ossec.conf or are the two configs
> > > merged in some way?
>
> > > On Mon, Jun 6, 2011 at 6:29 AM, Frank Stefan Sundberg Solli
> > > <[email protected]> wrote:
>
> > >> Hi.
>
> > >> The file can be found in shared/agent.conf
>
> > >> On Mon, Jun 6, 2011 at 3:42 AM, treydock <[email protected]> wrote:
>
> > >>> What settings from the OSSEC server's etc/ossec.conf file are used
> > >>> on the clients? For example I've defined rules and active responses
> > >>> on my server, and they are working fine, but what about <localfile>
> > >>> items? Is there a way to centrally define what local files an agent
> > >>> should be checking, or would this be the case where something like
> > >>> Puppet comes into play? I have this on my server, and it works, but
> > >>> just realized I probably need to push this to my clients,
>
> > >>> <localfile>
> > >>> <log_format>syslog</log_format>
> > >>> <location>/var/ossec/logs/active-responses.log</location>
> > >>> </localfile>
>
> > >>> Thanks
> > >>> - Trey
>
> > >> --
> > >> MVH/With regards
>
> > >> Frank
> > >> --
> > >> Name: Frank Stefan Sundberg Solli
> > >> E-mail: [email protected]
> > >> Web: http://fssol.blogspot.com
> > >> GPG: 684119F4
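
Added example, not part of the original thread and not OSSEC project code: a small triage script that rejoins mail-wrapped agent log entries and counts the message codes quoted above (1905, 1702, 1105) that show up when the agent's ossec.conf holds only the server-ip setting and no agent.conf has arrived. The hint text attached to each code is an assumption about what to check, not OSSEC output.

```python
import re
from collections import Counter

# Constructed sample: entries quoted in this thread, hard-wrapped as a mail client would.
SAMPLE = """\
2011/06/06 22:29:10 ossec-logcollector(1905): INFO: No file configured
to monitor.
2011/06/06 22:29:10 ossec-agentd: INFO: Started (pid: 1652).
2011/06/06 22:29:10 ossec-syscheckd(1702): INFO: No directory provided
for syscheck to monitor.
2011/06/07 13:47:27 ossec-syscheckd(1105): ERROR: Attempted to use
null string.
2011/06/07 14:02:49 ossec-syscheckd(1105): ERROR: Attempted to use
null string.
"""

# Message codes seen in the thread -> what to check (hints are assumptions).
HINTS = {
    "1905": "no <localfile> entries reached the agent (check shared/agent.conf)",
    "1702": "no <syscheck><directories> entries reached the agent",
    "1105": "null string error; seen here with no syscheck section configured",
}

STAMP = re.compile(r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} ")
ENTRY = re.compile(r"^(\S+ \S+) ([\w-]+)(?:\((\d+)\))?: (?:(INFO|WARN|ERROR): )?(.*)$")

def unwrap(text):
    """Rejoin continuation lines (no timestamp) onto the entry they belong to."""
    entries = []
    for line in text.splitlines():
        line = line.lstrip("> ").rstrip()  # also drop mail quote markers
        if STAMP.match(line) or not entries:
            entries.append(line)
        elif line:
            entries[-1] += " " + line
    return entries

def triage(text):
    """Count entries per (daemon, message code) for codes that have a hint."""
    counts = Counter()
    for entry in unwrap(text):
        m = ENTRY.match(entry)
        if m and m.group(3) in HINTS:
            counts[(m.group(2), m.group(3))] += 1
    return counts

if __name__ == "__main__":
    for (daemon, code), n in sorted(triage(SAMPLE).items()):
        print(f"{daemon}({code}) x{n}: {HINTS[code]}")
```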