SUCCESS!! Thank you dan. I didn't ever think the ONLY error in my logs could cause that file to not go down to clients... but upon fixing the permissions and restarting both server and agent, the file is there and working.

Would there be a reference to what permissions should be applied to files used by OSSEC? I'd like to verify 'cause I noticed the default permissions on files seem more permissive than on the server. Something like Puppet could make enforcing the best permissions very easy.

Thanks!
- Trey

On Jun 7, 10:40 am, "dan (ddp)" <[email protected]> wrote:
> Just a guess, but chown ossecr /var/ossec/etc/shared/merged.mg
>
> The following message made me notice that:
> 2011/06/07 10:19:52 ossec-remoted: ERROR: Unable to create merged file: '/etc/shared/merged.mg'.
>
> 11 hours is too long, it shouldn't take more than a couple.
>
> On Tue, Jun 7, 2011 at 11:26 AM, treydock <[email protected]> wrote:
> > I've combed through the other posts on agent.conf, and have done all the troubleshooting I could find on why this isn't working. The agent.conf file is not being copied to the clients. I'm running OSSEC 2.5.1 on all clients and server.
> >
> > Last night (about 11 hours ago) I added an agent.conf to my central server, restarted the server's management processes, and also restarted the client process on two clients. One client I removed all but the following...
> >
> > <ossec_config>
> >   <client>
> >     <server-ip>128.194.198.99</server-ip>
> >   </client>
> > </ossec_config>
> >
> > On the other client I left the ossec.conf as is. Running checks on the server's agent.conf, here's the permissions...
> >
> > ls -la etc/shared/
> > total 180
> > drwxrwx--- 2 root ossec  4096 Jun  6 22:37 .
> > dr-xr-x--- 3 root ossec  4096 May 27 09:03 ..
> > -r--r----- 1 root ossec  3060 Jun  6 22:37 agent.conf
> > -r--r--r-- 1 root ossec   189 Jun  6 23:09 ar.conf
> > -r--r----- 1 root ossec  9425 Oct 12  2010 cis_debian_linux_rcl.txt
> > -r--r----- 1 root ossec  8123 Oct 12  2010 cis_rhel5_linux_rcl.txt
> > -r--r----- 1 root ossec 14181 Oct 12  2010 cis_rhel_linux_rcl.txt
> > -rw-r--r-- 1 root ossec 73428 May  7 23:38 merged.mg
> > -r--r----- 1 root ossec 14811 Oct 12  2010 rootkit_files.txt
> > -r--r----- 1 root ossec  5229 Oct 12  2010 rootkit_trojans.txt
> > -r--r----- 1 root ossec  7929 Oct 12  2010 system_audit_rcl.txt
> > -r--r----- 1 root ossec  4614 Oct 12  2010 win_applications_rcl.txt
> > -r--r----- 1 root ossec  3798 Oct 12  2010 win_audit_rcl.txt
> > -r--r----- 1 root ossec  4866 Oct 12  2010 win_malware_rcl.txt
> >
> > I have already run "verify-agent-conf" with no output sent back
> >
> > $ bin/verify-agent-conf
> > $
> >
> > Here's sample output from when I restart the central server
> >
> > 2011/06/07 10:19:51 ossec-monitord(1225): INFO: SIGNAL Received. Exit Cleaning...
> > 2011/06/07 10:19:51 ossec-logcollector(1225): INFO: SIGNAL Received. Exit Cleaning...
> > 2011/06/07 10:19:51 ossec-remoted(1225): INFO: SIGNAL Received. Exit Cleaning...
> > 2011/06/07 10:19:51 ossec-remoted(1225): INFO: SIGNAL Received. Exit Cleaning...
> > 2011/06/07 10:19:51 ossec-analysisd(1225): INFO: SIGNAL Received. Exit Cleaning...
> > 2011/06/07 10:19:51 ossec-maild(1225): INFO: SIGNAL Received. Exit Cleaning...
> > 2011/06/07 10:19:51 ossec-execd(1314): INFO: Shutdown received. Deleting responses.
> > 2011/06/07 10:19:51 ossec-execd(1225): INFO: SIGNAL Received. Exit Cleaning...
> > 2011/06/07 10:19:51 ossec-csyslogd(1225): INFO: SIGNAL Received. Exit Cleaning...
> > 2011/06/07 10:19:51 ossec-syscheckd(1225): INFO: SIGNAL Received. Exit Cleaning...
> > 2011/06/07 10:19:51 ossec-testrule: INFO: Reading local decoder file.
> > 2011/06/07 10:19:52 ossec-csyslogd: INFO: Started (pid: 16064).
> > 2011/06/07 10:19:52 ossec-csyslogd: INFO: Forwarding alerts via syslog to: '0.0.0.0:10002'.
> > 2011/06/07 10:19:52 ossec-maild: INFO: Started (pid: 16068).
> > 2011/06/07 10:19:52 ossec-execd: INFO: Started (pid: 16072).
> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading local decoder file.
> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'rules_config.xml'
> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'pam_rules.xml'
> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'sshd_rules.xml'
> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'telnetd_rules.xml'
> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'syslog_rules.xml'
> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'arpwatch_rules.xml'
> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'symantec-av_rules.xml'
> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'symantec-ws_rules.xml'
> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'pix_rules.xml'
> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'named_rules.xml'
> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'smbd_rules.xml'
> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'vsftpd_rules.xml'
> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'pure-ftpd_rules.xml'
> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'proftpd_rules.xml'
> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'ms_ftpd_rules.xml'
> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'ftpd_rules.xml'
> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'hordeimp_rules.xml'
> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'roundcube_rules.xml'
> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'wordpress_rules.xml'
> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'cimserver_rules.xml'
> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'vpopmail_rules.xml'
> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'vmpop3d_rules.xml'
> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'courier_rules.xml'
> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'web_rules.xml'
> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'apache_rules.xml'
> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'nginx_rules.xml'
> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'php_rules.xml'
> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'mysql_rules.xml'
> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'postgresql_rules.xml'
> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'ids_rules.xml'
> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'squid_rules.xml'
> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'firewall_rules.xml'
> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'cisco-ios_rules.xml'
> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'netscreenfw_rules.xml'
> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'sonicwall_rules.xml'
> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'postfix_rules.xml'
> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'sendmail_rules.xml'
> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'imapd_rules.xml'
> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'mailscanner_rules.xml'
> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'dovecot_rules.xml'
> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'ms-exchange_rules.xml'
> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'racoon_rules.xml'
> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'vpn_concentrator_rules.xml'
> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'spamd_rules.xml'
> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'msauth_rules.xml'
> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'mcafee_av_rules.xml'
> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'trend-osce_rules.xml'
> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'ms-se_rules.xml'
> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'zeus_rules.xml'
> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'solaris_bsm_rules.xml'
> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'vmware_rules.xml'
> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'ms_dhcp_rules.xml'
> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'asterisk_rules.xml'
> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'ossec_rules.xml'
> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'attack_rules.xml'
> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'local_rules.xml'
> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Total rules enabled: '1121'
> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: '/etc/mtab'
> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: '/etc/mnttab'
> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: '/etc/hosts.deny'
> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: '/etc/mail/statistics'
> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: '/etc/random-seed'
> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: '/etc/adjtime'
> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: '/etc/httpd/logs'
> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: '/etc/utmpx'
> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: '/etc/wtmpx'
> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: '/etc/cups/certs'
> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: '/etc/dumpdates'
> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: '/etc/svc/volatile'
> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/System32/LogFiles'
> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/Debug'
> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/WindowsUpdate.log'
> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/iis6.log'
> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/wbem/Logs'
> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/wbem/Repository'
> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/Prefetch'
> > 2011/06/07 10:19:52...
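
An added example, not part of the thread or of OSSEC: a shell check that ties the ossec-remoted error dan quoted to the `merged.mg` line in the listing above. The function names are hypothetical, the sample inputs are constructed from values in the thread, and it assumes `ossecr` belongs to group `ossec` only.

```shell
#!/bin/sh
# Added example, not from the thread. Sample inputs are constructed from
# values quoted in the thread.
SAMPLE_LOG="2011/06/07 10:19:52 ossec-remoted: ERROR: Unable to create merged file: '/etc/shared/merged.mg'."
SAMPLE_LS='-rw-r--r-- 1 root ossec 73428 May  7 23:38 merged.mg'

# Print the path from every ossec-remoted "Unable to create merged file" error.
merged_file_errors() {
    printf '%s\n' "$1" |
        sed -n "s/.*ossec-remoted.*ERROR: Unable to create merged file: '\([^']*\)'.*/\1/p"
}

# can_write LS_LINE USER "GROUP ..." : exit 0 if USER may write the file
# described by one `ls -l` line, judged from owner, group and mode bits only
# (ACLs and read-only mounts are not considered).
can_write() {
    printf '%s\n' "$1" | awk -v user="$2" -v ugroups="$3" '
        BEGIN { rc = 1 }
        NF >= 4 {
            pos = 9                                   # "other" write bit
            n = split(ugroups, g, " ")
            for (i = 1; i <= n; i++)
                if (g[i] == $4) pos = 6               # group write bit
            if (user == $3) pos = 3                   # owner write bit wins
            rc = (user == "root" || substr($1, pos, 1) == "w") ? 0 : 1
        }
        END { exit rc }'
}

# Assumption: ossecr belongs to group "ossec" and to no other group.
path=$(merged_file_errors "$SAMPLE_LOG")
if can_write "$SAMPLE_LS" ossecr "ossec"; then
    verdict="writable"
else
    verdict="NOT writable"
fi
echo "remoted could not create $path; listed file is $verdict by ossecr"
```

The path in the log line is the one remoted reports; dan's `chown` command addresses the same file as `/var/ossec/etc/shared/merged.mg`.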
