Just a guess, but:

chown ossecr /var/ossec/etc/shared/merged.mg

The following message made me notice that:

2011/06/07 10:19:52 ossec-remoted: ERROR: Unable to create merged file: '/etc/shared/merged.mg'.

11 hours is too long, it shouldn't take more than a couple.

On Tue, Jun 7, 2011 at 11:26 AM, treydock <[email protected]> wrote:
> I've combed through the other posts on agent.conf, and have done all the
> troubleshooting I could find on why this isn't working. The agent.conf file
> is not being copied to the clients. I'm running OSSEC 2.5.1 on all clients
> and server.
>
> Last night (about 11 hours ago) I added an agent.conf to my central server,
> restarted the server's management processes, and also restarted the client
> process on two clients. On one client I removed all but the following..
>
> <ossec_config>
>   <client>
>     <server-ip>128.194.198.99</server-ip>
>   </client>
> </ossec_config>
>
> On the other client I left the ossec.conf as is. Running checks on the
> server's agent.conf, here's the permissions...
>
> ls -la etc/shared/
> total 180
> drwxrwx---  2 root ossec  4096 Jun  6 22:37 .
> dr-xr-x---  3 root ossec  4096 May 27 09:03 ..
> -r--r-----  1 root ossec  3060 Jun  6 22:37 agent.conf
> -r--r--r--  1 root ossec   189 Jun  6 23:09 ar.conf
> -r--r-----  1 root ossec  9425 Oct 12  2010 cis_debian_linux_rcl.txt
> -r--r-----  1 root ossec  8123 Oct 12  2010 cis_rhel5_linux_rcl.txt
> -r--r-----  1 root ossec 14181 Oct 12  2010 cis_rhel_linux_rcl.txt
> -rw-r--r--  1 root ossec 73428 May  7 23:38 merged.mg
> -r--r-----  1 root ossec 14811 Oct 12  2010 rootkit_files.txt
> -r--r-----  1 root ossec  5229 Oct 12  2010 rootkit_trojans.txt
> -r--r-----  1 root ossec  7929 Oct 12  2010 system_audit_rcl.txt
> -r--r-----  1 root ossec  4614 Oct 12  2010 win_applications_rcl.txt
> -r--r-----  1 root ossec  3798 Oct 12  2010 win_audit_rcl.txt
> -r--r-----  1 root ossec  4866 Oct 12  2010 win_malware_rcl.txt
>
> I have already run "verify-agent-conf" with no output sent back
>
> $ bin/verify-agent-conf
> $
>
> Here's sample output from when I restart the central server
>
> 2011/06/07 10:19:51 ossec-monitord(1225): INFO: SIGNAL Received. Exit Cleaning...
> 2011/06/07 10:19:51 ossec-logcollector(1225): INFO: SIGNAL Received. Exit Cleaning...
> 2011/06/07 10:19:51 ossec-remoted(1225): INFO: SIGNAL Received. Exit Cleaning...
> 2011/06/07 10:19:51 ossec-remoted(1225): INFO: SIGNAL Received. Exit Cleaning...
> 2011/06/07 10:19:51 ossec-analysisd(1225): INFO: SIGNAL Received. Exit Cleaning...
> 2011/06/07 10:19:51 ossec-maild(1225): INFO: SIGNAL Received. Exit Cleaning...
> 2011/06/07 10:19:51 ossec-execd(1314): INFO: Shutdown received. Deleting responses.
> 2011/06/07 10:19:51 ossec-execd(1225): INFO: SIGNAL Received. Exit Cleaning...
> 2011/06/07 10:19:51 ossec-csyslogd(1225): INFO: SIGNAL Received. Exit Cleaning...
> 2011/06/07 10:19:51 ossec-syscheckd(1225): INFO: SIGNAL Received. Exit Cleaning...
> 2011/06/07 10:19:51 ossec-testrule: INFO: Reading local decoder file.
> 2011/06/07 10:19:52 ossec-csyslogd: INFO: Started (pid: 16064).
> 2011/06/07 10:19:52 ossec-csyslogd: INFO: Forwarding alerts via syslog to: '0.0.0.0:10002'.
> 2011/06/07 10:19:52 ossec-maild: INFO: Started (pid: 16068).
> 2011/06/07 10:19:52 ossec-execd: INFO: Started (pid: 16072).
> 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading local decoder file.
> 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'rules_config.xml'
> 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'pam_rules.xml'
> 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'sshd_rules.xml'
> 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'telnetd_rules.xml'
> 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'syslog_rules.xml'
> 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'arpwatch_rules.xml'
> 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'symantec-av_rules.xml'
> 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'symantec-ws_rules.xml'
> 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'pix_rules.xml'
> 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'named_rules.xml'
> 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'smbd_rules.xml'
> 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'vsftpd_rules.xml'
> 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'pure-ftpd_rules.xml'
> 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'proftpd_rules.xml'
> 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'ms_ftpd_rules.xml'
> 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'ftpd_rules.xml'
> 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'hordeimp_rules.xml'
> 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'roundcube_rules.xml'
> 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'wordpress_rules.xml'
> 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'cimserver_rules.xml'
> 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'vpopmail_rules.xml'
> 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'vmpop3d_rules.xml'
> 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'courier_rules.xml'
> 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'web_rules.xml'
> 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'apache_rules.xml'
> 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'nginx_rules.xml'
> 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'php_rules.xml'
> 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'mysql_rules.xml'
> 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'postgresql_rules.xml'
> 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'ids_rules.xml'
> 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'squid_rules.xml'
> 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'firewall_rules.xml'
> 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'cisco-ios_rules.xml'
> 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'netscreenfw_rules.xml'
> 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'sonicwall_rules.xml'
> 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'postfix_rules.xml'
> 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'sendmail_rules.xml'
> 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'imapd_rules.xml'
> 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'mailscanner_rules.xml'
> 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'dovecot_rules.xml'
> 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'ms-exchange_rules.xml'
> 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'racoon_rules.xml'
> 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'vpn_concentrator_rules.xml'
> 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'spamd_rules.xml'
> 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'msauth_rules.xml'
> 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'mcafee_av_rules.xml'
> 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'trend-osce_rules.xml'
> 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'ms-se_rules.xml'
> 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'zeus_rules.xml'
> 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'solaris_bsm_rules.xml'
> 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'vmware_rules.xml'
> 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'ms_dhcp_rules.xml'
> 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'asterisk_rules.xml'
> 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'ossec_rules.xml'
> 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'attack_rules.xml'
> 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'local_rules.xml'
> 2011/06/07 10:19:52 ossec-analysisd: INFO: Total rules enabled: '1121'
> 2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: '/etc/mtab'
> 2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: '/etc/mnttab'
> 2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: '/etc/hosts.deny'
> 2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: '/etc/mail/statistics'
> 2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: '/etc/random-seed'
> 2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: '/etc/adjtime'
> 2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: '/etc/httpd/logs'
> 2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: '/etc/utmpx'
> 2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: '/etc/wtmpx'
> 2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: '/etc/cups/certs'
> 2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: '/etc/dumpdates'
> 2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: '/etc/svc/volatile'
> 2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/System32/LogFiles'
> 2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/Debug'
> 2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/WindowsUpdate.log'
> 2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/iis6.log'
> 2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/wbem/Logs'
> 2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/wbem/Repository'
> 2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/Prefetch'
> 2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/PCHEALTH/HELPCTR/DataColl'
> 2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/SoftwareDistribution'
> 2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/Temp'
> 2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/config'
> 2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/spool'
> 2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/CatRoot'
> 2011/06/07 10:19:52 ossec-analysisd: INFO: White listing IP: '127.0.0.1'
> 2011/06/07 10:19:52 ossec-analysisd: INFO: White listing IP: '0.0.0.0'
> 2011/06/07 10:19:52 ossec-analysisd: INFO: White listing IP: '0.0.0.0'
> 2011/06/07 10:19:52 ossec-analysisd: INFO: White listing IP: '0.0.0.0'
> 2011/06/07 10:19:52 ossec-analysisd: INFO: White listing IP: '0.0.0.0'
> 2011/06/07 10:19:52 ossec-analysisd: INFO: White listing IP: '0.0.0.0'
> 2011/06/07 10:19:52 ossec-analysisd: INFO: White listing IP: '0.0.0.0'
> 2011/06/07 10:19:52 ossec-analysisd: INFO: 7 IPs in the white list for active response.
> 2011/06/07 10:19:52 ossec-analysisd: INFO: White listing Hostname: 'localhost.localdomain'
> 2011/06/07 10:19:52 ossec-analysisd: INFO: 1 Hostname(s) in the white list for active response.
> 2011/06/07 10:19:52 ossec-analysisd: INFO: Started (pid: 16078).
> 2011/06/07 10:19:52 ossec-remoted: INFO: Started (pid: 16086).
> 2011/06/07 10:19:52 ossec-remoted: Remote syslog allowed from: '0.0.0.0'
> 2011/06/07 10:19:52 ossec-remoted: INFO: Started (pid: 16087).
> 2011/06/07 10:19:52 ossec-remoted: INFO: Started (pid: 16088).
> 2011/06/07 10:19:52 ossec-remoted: ERROR: Unable to create merged file: '/etc/shared/merged.mg'.
> 2011/06/07 10:19:52 ossec-remoted: ERROR: Unable to create merged file: '/etc/shared/merged.mg'.
> 2011/06/07 10:19:52 ossec-remoted: ERROR: Unable to create merged file: '/etc/shared/merged.mg'.
> 2011/06/07 10:19:52 ossec-remoted: ERROR: Unable to create merged file: '/etc/shared/merged.mg'.
> 2011/06/07 10:19:52 ossec-remoted: ERROR: Unable to create merged file: '/etc/shared/merged.mg'.
> 2011/06/07 10:19:52 ossec-remoted: ERROR: Unable to create merged file: '/etc/shared/merged.mg'.
> 2011/06/07 10:19:52 ossec-remoted: ERROR: Unable to create merged file: '/etc/shared/merged.mg'.
> 2011/06/07 10:19:52 ossec-remoted: ERROR: Unable to create merged file: '/etc/shared/merged.mg'.
> 2011/06/07 10:19:52 ossec-remoted: ERROR: Unable to create merged file: '/etc/shared/merged.mg'.
> 2011/06/07 10:19:52 ossec-remoted: ERROR: Unable to create merged file: '/etc/shared/merged.mg'.
> 2011/06/07 10:19:52 ossec-remoted: ERROR: Unable to create merged file: '/etc/shared/merged.mg'.
> 2011/06/07 10:19:52 ossec-remoted: ERROR: Unable to create merged file: '/etc/shared/merged.mg'.
> 2011/06/07 10:19:52 ossec-remoted(4111): INFO: Maximum number of agents allowed: '256'.
> 2011/06/07 10:19:52 ossec-remoted(1410): INFO: Reading authentication keys file.
> 2011/06/07 10:19:52 ossec-remoted: INFO: Assigning counter for agent client1: '29:7341'.
> 2011/06/07 10:19:52 ossec-remoted: INFO: Assigning counter for agent client2: '43:5553'.
> 2011/06/07 10:19:52 ossec-remoted: INFO: Assigning counter for agent client3: '98:8938'.
> 2011/06/07 10:19:52 ossec-remoted: INFO: Assigning sender counter: 4:5509
> 2011/06/07 10:19:52 ossec-monitord: INFO: Started (pid: 16098).
> 2011/06/07 10:19:55 ossec-analysisd: INFO: Connected to '/queue/alerts/ar' (active-response queue)
> 2011/06/07 10:19:55 ossec-analysisd: INFO: Connected to '/queue/alerts/execq' (exec queue)
> 2011/06/07 10:19:56 ossec-syscheckd: INFO: Started (pid: 16094).
> 2011/06/07 10:19:56 ossec-rootcheck: INFO: Started (pid: 16094).
> 2011/06/07 10:19:56 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
> 2011/06/07 10:19:56 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin'.
> 2011/06/07 10:19:56 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin'.
> 2011/06/07 10:19:56 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
> 2011/06/07 10:19:56 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
> 2011/06/07 10:19:58 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'.
> 2011/06/07 10:19:58 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/secure'.
> 2011/06/07 10:19:58 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/maillog'.
> 2011/06/07 10:19:58 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/httpd/error_log'.
> 2011/06/07 10:19:58 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/httpd/access_log'.
> 2011/06/07 10:19:58 ossec-logcollector(1950): INFO: Analyzing file: '/var/ossec/logs/active-responses.log'.
> 2011/06/07 10:19:58 ossec-logcollector: INFO: Started (pid: 16082).
>
> Here are the permissions on one of the client's "etc/shared" directory
>
> # ls -la etc/shared/
> total 176
> drwxrwx---  2 root  ossec  4096 Mar 15 16:05 .
> dr-xr-x---  3 root  ossec  4096 Jun  6 22:24 ..
> -rw-r--r--  1 ossec ossec   189 May  7 18:44 ar.conf
> -rwxrwx---  1 root  ossec  9425 May  7 18:44 cis_debian_linux_rcl.txt
> -rwxrwx---  1 root  ossec  8123 May  7 18:44 cis_rhel5_linux_rcl.txt
> -rwxrwx---  1 root  ossec 14181 May  7 18:44 cis_rhel_linux_rcl.txt
> -rw-r--r--  1 ossec ossec 73428 May  7 18:44 merged.mg
> -rwxrwx---  1 root  ossec 14811 May  7 18:44 rootkit_files.txt
> -rwxrwx---  1 root  ossec  5229 May  7 18:44 rootkit_trojans.txt
> -rwxrwx---  1 root  ossec  7929 May  7 18:44 system_audit_rcl.txt
> -rwxrwx---  1 root  ossec  4614 May  7 18:44 win_applications_rcl.txt
> -rwxrwx---  1 root  ossec  3798 May  7 18:44 win_audit_rcl.txt
> -rwxrwx---  1 root  ossec  4866 May  7 18:44 win_malware_rcl.txt
>
> Here's the server's output info about one of the agents... note the missing
> md5sum mentioned in the documentation...
>
> $ bin/agent_control -i 003
>
> OSSEC HIDS agent_control. Agent information:
>    Agent ID:   003
>    Agent Name: client1
>    IP address: 0.0.0.0
>    Status:     Active
>
>    Operating system:    Linux client1 2.6.18-194.32.1.el5 #1 SMP W..
>    Client version:      OSSEC HIDS v2.5.1
>    Last keep alive:     Tue Jun  7 10:21:36 2011
>
>    Syscheck last started  at: Mon Jun  6 22:24:10 2011
>    Rootcheck last started at: Mon Jun  6 17:19:43 2011
>
> Any suggestions??
>
> Thanks!
> - Trey
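The diagnosis in the reply (ossec-remoted regenerates merged.mg from agent.conf at startup, and cannot do so when the file is owned by root and only owner-writable, exactly the listing quoted above) can be checked before anyone restarts the server. The script below is an added example for this thread, not OSSEC's own tooling; it assumes the default /var/ossec layout, that ossec-remoted runs as the ossecr user, and a Linux host with md5sum.

```shell
#!/bin/sh
# Added diagnostic for the agent.conf push problem; not part of OSSEC.
# ossec-remoted runs chrooted in /var/ossec, so the logged path
# '/etc/shared/merged.mg' is really /var/ossec/etc/shared/merged.mg.
# It rewrites that file from agent.conf on startup, which needs write
# access to the existing file (or to the directory if it does not exist).

# check_shared_dir DIR USER: DIR is the server's etc/shared, USER the
# account ossec-remoted runs as (ossecr on a default install). Prints one
# line per finding; returns 0 only when the merge can run and is current.
check_shared_dir() {
    dir=$1; user=$2; rc=0
    if [ ! -f "$dir/agent.conf" ]; then
        echo "no agent.conf in $dir: nothing to push"
        return 1
    fi
    target="$dir/merged.mg"
    [ -e "$target" ] || target="$dir"
    # Portable owner/mode lookup: ls -ld prints "mode links owner group ...".
    set -- $(ls -ld "$target")
    mode=$1; owner=$3
    if [ "$owner" != "$user" ]; then
        echo "$target is owned by $owner, not $user (fix: chown $user $target)"
        rc=1
    else
        case $mode in
            ??w*) ;;   # owner-writable: remoted can rewrite it
            *) echo "$target is not writable by its owner $owner"; rc=1 ;;
        esac
    fi
    # A merged.mg older than agent.conf was never regenerated after the edit
    # (in the thread: merged.mg from May 7, agent.conf from Jun 6).
    if [ -e "$dir/merged.mg" ] && [ "$dir/agent.conf" -nt "$dir/merged.mg" ]; then
        echo "merged.mg is older than agent.conf: the merge never ran"
        rc=1
    fi
    return $rc
}

# merged_md5 DIR: checksum of the server's merged.mg, to compare with an
# agent's copy once the push has happened.
merged_md5() {
    md5sum "$1/merged.mg" | cut -d' ' -f1
}

# Typical run on the server (paths assumed):
#   check_shared_dir /var/ossec/etc/shared ossecr && merged_md5 /var/ossec/etc/shared
```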
