Reg, the rootcheck errors are probably because you're missing some
files... I have these by default after install from source...


# ls -la etc/shared/
total 176
drwxrwx--- 2 root  ossec  4096 Mar 15 16:05 .
dr-xr-x--- 3 root  ossec  4096 Jun  6 22:24 ..
-rw-r--r-- 1 ossec ossec   189 May  7 18:44 ar.conf
-rwxrwx--- 1 root  ossec  9425 May  7 18:44 cis_debian_linux_rcl.txt
-rwxrwx--- 1 root  ossec  8123 May  7 18:44 cis_rhel5_linux_rcl.txt
-rwxrwx--- 1 root  ossec 14181 May  7 18:44 cis_rhel_linux_rcl.txt
-rw-r--r-- 1 ossec ossec 73428 May  7 18:44 merged.mg
-rwxrwx--- 1 root  ossec 14811 May  7 18:44 rootkit_files.txt
-rwxrwx--- 1 root  ossec  5229 May  7 18:44 rootkit_trojans.txt
-rwxrwx--- 1 root  ossec  7929 May  7 18:44 system_audit_rcl.txt
-rwxrwx--- 1 root  ossec  4614 May  7 18:44 win_applications_rcl.txt
-rwxrwx--- 1 root  ossec  3798 May  7 18:44 win_audit_rcl.txt
-rwxrwx--- 1 root  ossec  4866 May  7 18:44 win_malware_rcl.txt


On Jun 7, 9:35 am, reg <[email protected]> wrote:
> Christopher,
>
> I am curious how you got this to work. I get all sorts of errors
> trying that.
>
> 2011/06/07 13:28:22 ossec-syscheckd(1702): INFO: No directory provided
> for syscheck to monitor.
> 2011/06/07 13:28:22 ossec-syscheckd: WARN: Syscheck disabled.
> 2011/06/07 13:28:22 ossec-rootcheck: System audit file not configured.
> 2011/06/07 13:28:23 ossec-agentd(4102): INFO: Connected to the server
> (x.x.x.x:1514).
> 2011/06/07 13:28:26 ossec-syscheckd: INFO: Started (pid: 13684).
> 2011/06/07 13:28:26 ossec-rootcheck: INFO: Started (pid: 13684).
> 2011/06/07 13:28:28 ossec-logcollector: INFO: Started (pid: 13680).
> 2011/06/07 13:30:00 ossec-rootcheck: INFO: Starting rootcheck scan.
> 2011/06/07 13:30:00 ossec-rootcheck: No rootcheck_files file
> configured.
> 2011/06/07 13:30:00 ossec-rootcheck: No rootcheck_trojans file
> configured.
> 2011/06/07 13:42:27 ossec-rootcheck: INFO: Ending rootcheck scan.
> 2011/06/07 13:47:27 ossec-syscheckd(1105): ERROR: Attempted to use
> null string.
> 2011/06/07 14:02:49 ossec-syscheckd(1105): ERROR: Attempted to use
> null string.
> 2011/06/07 14:18:11 ossec-syscheckd(1105): ERROR: Attempted to use
> null string.
>
> I would prefer only having the IP address in the ossec.conf file.
>
> -Reggie
>
> On Jun 6, 2:03 pm, "dan (ddp)" <[email protected]> wrote:
>
> > When there's a conflict the agent's ossec.conf is generally used. I
> > find it's best to remove everything except the server-ip setting from
> > the agent ossec.conf files.
>
> > On Mon, Jun 6, 2011 at 8:50 AM, Christopher Moraes
> > <[email protected]> wrote:
> > > Hi Frank,
> > > If I create an agent.conf file on the server, will it overwrite the
> > > settings of the agent's local ossec.conf or are the two configs merged
> > > in some way?
>
> > > On Mon, Jun 6, 2011 at 6:29 AM, Frank Stefan Sundberg Solli
> > > <[email protected]> wrote:
>
> > >> Hi.
>
> > >> The file can be found in shared/agent.conf
>
> > >> On Mon, Jun 6, 2011 at 3:42 AM, treydock <[email protected]> wrote:
>
> > >>> What settings from the OSSEC server's etc/ossec.conf file are used
> > >>> on the clients?  For example I've defined rules and active responses
> > >>> on my server, and they are working fine, but what about <localfile>
> > >>> items?  Is there a way to centrally define what local files an agent
> > >>> should be checking, or would this be the case where something like
> > >>> Puppet comes into play?  I have this on my server, and it works, but
> > >>> just realized I probably need to push this to my clients,
>
> > >>>  <localfile>
> > >>>    <log_format>syslog</log_format>
> > >>>    <location>/var/ossec/logs/active-responses.log</location>
> > >>>  </localfile>
>
> > >>> Thanks
> > >>> - Trey
>
> > >> --
> > >> MVH/With regards
>
> > >> Frank
> > >> --
> > >> Name:         Frank Stefan Sundberg Solli
> > >> E-mail:         [email protected]
> > >> Web:            http://fssol.blogspot.com
> > >> GPG:            684119F4

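An added example (not part of the thread and not OSSEC project code): a shell check that, for each rootcheck warning seen in the quoted log, reports whether the matching database from the `etc/shared` listing is missing from disk or is on disk while the log still says it is not configured. The function names, the output labels and the pairing of log message to file name are assumptions made here.

```shell
#!/bin/sh
# rootcheck_missing LOG SHARED_DIR
# For every rootcheck warning found in LOG, print "<file> missing" when the
# database is absent from SHARED_DIR, or "<file> present-unconfigured" when
# it exists but the agent still logged that it is not configured.
# Assumption: the message-to-file pairing below is inferred from the names.
rootcheck_missing() {
    log=$1
    shared=$2
    while IFS='|' read -r pattern file; do
        if grep -Fq -- "ossec-rootcheck: $pattern" "$log"; then
            if [ -f "$shared/$file" ]; then
                echo "$file present-unconfigured"
            else
                echo "$file missing"
            fi
        fi
    done <<'EOF'
No rootcheck_files file|rootkit_files.txt
No rootcheck_trojans file|rootkit_trojans.txt
System audit file not configured|system_audit_rcl.txt
EOF
}

# Constructed sample: three warnings from the quoted log (unwrapped) and a
# temporary shared directory holding only two of the three databases.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/etc/shared"
    cat > "$tmp/ossec.log" <<'EOF'
2011/06/07 13:28:22 ossec-rootcheck: System audit file not configured.
2011/06/07 13:30:00 ossec-rootcheck: No rootcheck_files file configured.
2011/06/07 13:30:00 ossec-rootcheck: No rootcheck_trojans file configured.
EOF
    : > "$tmp/etc/shared/rootkit_files.txt"
    : > "$tmp/etc/shared/system_audit_rcl.txt"
    rootcheck_missing "$tmp/ossec.log" "$tmp/etc/shared"
    rm -rf "$tmp"
}

demo
```

A "missing" result points at the file set on disk; a "present-unconfigured" result points at the agent's configuration rather than at `etc/shared`.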