Reg, the rootcheck errors are probably because you're missing some files... I have these by default after install from source...
# ls -la etc/shared/
total 176
drwxrwx--- 2 root ossec 4096 Mar 15 16:05 .
dr-xr-x--- 3 root ossec 4096 Jun 6 22:24 ..
-rw-r--r-- 1 ossec ossec 189 May 7 18:44 ar.conf
-rwxrwx--- 1 root ossec 9425 May 7 18:44 cis_debian_linux_rcl.txt
-rwxrwx--- 1 root ossec 8123 May 7 18:44 cis_rhel5_linux_rcl.txt
-rwxrwx--- 1 root ossec 14181 May 7 18:44 cis_rhel_linux_rcl.txt
-rw-r--r-- 1 ossec ossec 73428 May 7 18:44 merged.mg
-rwxrwx--- 1 root ossec 14811 May 7 18:44 rootkit_files.txt
-rwxrwx--- 1 root ossec 5229 May 7 18:44 rootkit_trojans.txt
-rwxrwx--- 1 root ossec 7929 May 7 18:44 system_audit_rcl.txt
-rwxrwx--- 1 root ossec 4614 May 7 18:44 win_applications_rcl.txt
-rwxrwx--- 1 root ossec 3798 May 7 18:44 win_audit_rcl.txt
-rwxrwx--- 1 root ossec 4866 May 7 18:44 win_malware_rcl.txt

On Jun 7, 9:35 am, reg <[email protected]> wrote:
> Christopher,
>
> I am curious how you got this to work. I get all sorts of errors
> trying that.
>
> 2011/06/07 13:28:22 ossec-syscheckd(1702): INFO: No directory provided
> for syscheck to monitor.
> 2011/06/07 13:28:22 ossec-syscheckd: WARN: Syscheck disabled.
> 2011/06/07 13:28:22 ossec-rootcheck: System audit file not configured.
> 2011/06/07 13:28:23 ossec-agentd(4102): INFO: Connected to the server
> (x.x.x.x:1514).
> 2011/06/07 13:28:26 ossec-syscheckd: INFO: Started (pid: 13684).
> 2011/06/07 13:28:26 ossec-rootcheck: INFO: Started (pid: 13684).
> 2011/06/07 13:28:28 ossec-logcollector: INFO: Started (pid: 13680).
> 2011/06/07 13:30:00 ossec-rootcheck: INFO: Starting rootcheck scan.
> 2011/06/07 13:30:00 ossec-rootcheck: No rootcheck_files file
> configured.
> 2011/06/07 13:30:00 ossec-rootcheck: No rootcheck_trojans file
> configured.
> 2011/06/07 13:42:27 ossec-rootcheck: INFO: Ending rootcheck scan.
> 2011/06/07 13:47:27 ossec-syscheckd(1105): ERROR: Attempted to use
> null string.
> 2011/06/07 14:02:49 ossec-syscheckd(1105): ERROR: Attempted to use
> null string.
> 2011/06/07 14:18:11 ossec-syscheckd(1105): ERROR: Attempted to use
> null string.
>
> I would prefer only having the IP address in the ossec.conf file.
>
> -Reggie
>
> On Jun 6, 2:03 pm, "dan (ddp)" <[email protected]> wrote:
> > When there's a conflict the agent's ossec.conf is generally used. I
> > find it's best to remove everything except the server-ip setting from
> > the agent ossec.conf files.
> >
> > On Mon, Jun 6, 2011 at 8:50 AM, Christopher Moraes
> > <[email protected]> wrote:
> > > Hi Frank,
> > > If I create an agent.conf file on the server, will it overwrite the
> > > settings
> > > of the agent's local ossec.conf or are the two configs merged in some way?
> > >
> > > On Mon, Jun 6, 2011 at 6:29 AM, Frank Stefan Sundberg Solli
> > > <[email protected]> wrote:
> > >> Hi.
> > >> The file can be found in shared/agent.conf
> > >>
> > >> On Mon, Jun 6, 2011 at 3:42 AM, treydock <[email protected]> wrote:
> > >>> What settings from the OSSEC server's etc/ossec.conf file are used to
> > >>> on the clients? For example I've defined rules and active responses
> > >>> on my server, and they are working fine, but what about <localfile>
> > >>> items? Is there a way to centrally define what local files an agent
> > >>> should be checking, or would this be the case where something like
> > >>> Puppet comes into play? I have this on my server, and it works, but
> > >>> just realized I probably need to push this to my clients,
> > >>>
> > >>> <localfile>
> > >>> <log_format>syslog</log_format>
> > >>> <location>/var/ossec/logs/active-responses.log</location>
> > >>> </localfile>
> > >>>
> > >>> Thanks
> > >>> - Trey
> > >>
> > >> --
> > >> MVH/With regards
> > >>
> > >> Frank
> > >> --
> > >> Name: Frank Stefan Sundberg Solli
> > >> E-mail: [email protected]
> > >> Web: http://fssol.blogspot.com
> > >> GPG: 684119F4
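
An added example, not part of the thread and not OSSEC's own code: it reads ossec.log lines like the ones quoted above, picks out the rootcheck "not configured" messages, and checks whether the corresponding file exists in etc/shared, which separates "file is missing" from "file is there but rootcheck is not set to use it". The function name `rootcheck_gaps` and the message-to-file mapping are assumptions made for this sketch.

```python
import re
from pathlib import Path

# Assumption (not stated in the thread): which etc/shared file from the
# listing each rootcheck message most plausibly refers to.
MESSAGE_TO_FILE = {
    "System audit file not configured": "system_audit_rcl.txt",
    "No rootcheck_files file configured": "rootkit_files.txt",
    "No rootcheck_trojans file configured": "rootkit_trojans.txt",
}

# "<date> <time> <daemon>[(<code>)]: <message>", as in the quoted ossec.log.
LINE_RE = re.compile(
    r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) (ossec-[\w-]+)(?:\(\d+\))?: (.*)$"
)

# Constructed sample: lines taken from the thread with the mail wrapping undone.
SAMPLE_LOG = """\
2011/06/07 13:28:22 ossec-rootcheck: System audit file not configured.
2011/06/07 13:28:23 ossec-agentd(4102): INFO: Connected to the server (x.x.x.x:1514).
2011/06/07 13:30:00 ossec-rootcheck: INFO: Starting rootcheck scan.
2011/06/07 13:30:00 ossec-rootcheck: No rootcheck_files file configured.
2011/06/07 13:30:00 ossec-rootcheck: No rootcheck_trojans file configured.
2011/06/07 13:47:27 ossec-syscheckd(1105): ERROR: Attempted to use null string.
"""


def rootcheck_gaps(log_text, shared_dir):
    """Return (timestamp, shared_file, exists_on_disk) per distinct message."""
    findings, seen = [], set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group(2) != "ossec-rootcheck":
            continue  # other daemons and unparsable lines are ignored
        for needle, fname in MESSAGE_TO_FILE.items():
            if needle in m.group(3) and fname not in seen:
                seen.add(fname)
                exists = (Path(shared_dir) / fname).is_file()
                findings.append((m.group(1), fname, exists))
    return findings


if __name__ == "__main__":
    # /var/ossec is the prefix that appears in the thread; adjust if different.
    for ts, fname, exists in rootcheck_gaps(SAMPLE_LOG, "/var/ossec/etc/shared"):
        state = "present; rootcheck is not configured to use it" if exists else "missing"
        print(f"{ts} {fname}: {state}")
```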
