There isn't a reference currently, but it's a good idea.

On Tue, Jun 7, 2011 at 4:25 PM, treydock <[email protected]> wrote:
> SUCCESS!! Thank you dan. I didn't ever think the ONLY error in my
> logs could cause that file to not go down to clients... but upon fixing
> the permissions and restarting both server and agent, the file is
> there and working.
>
> Would there be a reference to what permissions should be applied to
> files used by OSSEC? I'd like to verify cause I noticed the default
> permissions on files seem more permissive than on the server.
> Something like Puppet could make enforcing the best permissions very
> easy.
>
> Thanks!
> - Trey
>
> On Jun 7, 10:40 am, "dan (ddp)" <[email protected]> wrote:
>> Just a guess, but chown ossecr /var/ossec/etc/shared/merged.mg
>>
>> The following message made me notice that:
>> 2011/06/07 10:19:52 ossec-remoted: ERROR: Unable to create merged file: '/etc/shared/merged.mg'.
>>
>> 11 hours is too long, it shouldn't take more than a couple.
>>
>> On Tue, Jun 7, 2011 at 11:26 AM, treydock <[email protected]> wrote:
>> > I've combed through the other posts on agent.conf, and have done all
>> > the troubleshooting I could find on why this isn't working. The
>> > agent.conf file is not being copied to the clients. I'm running OSSEC
>> > 2.5.1 on all clients and server.
>> >
>> > Last night (about 11 hours ago) I added an agent.conf to my central
>> > server, restarted the server's management processes, and also
>> > restarted the client process on two clients. On one client I removed all
>> > but the following..
>> >
>> > <ossec_config>
>> >   <client>
>> >     <server-ip>128.194.198.99</server-ip>
>> >   </client>
>> > </ossec_config>
>> >
>> > On the other client I left the ossec.conf as is. Running checks on
>> > the server's agent.conf, here's the permissions...
>> >
>> > ls -la etc/shared/
>> > total 180
>> > drwxrwx--- 2 root ossec  4096 Jun  6 22:37 .
>> > dr-xr-x--- 3 root ossec  4096 May 27 09:03 ..
>> > -r--r----- 1 root ossec  3060 Jun  6 22:37 agent.conf
>> > -r--r--r-- 1 root ossec   189 Jun  6 23:09 ar.conf
>> > -r--r----- 1 root ossec  9425 Oct 12  2010 cis_debian_linux_rcl.txt
>> > -r--r----- 1 root ossec  8123 Oct 12  2010 cis_rhel5_linux_rcl.txt
>> > -r--r----- 1 root ossec 14181 Oct 12  2010 cis_rhel_linux_rcl.txt
>> > -rw-r--r-- 1 root ossec 73428 May  7 23:38 merged.mg
>> > -r--r----- 1 root ossec 14811 Oct 12  2010 rootkit_files.txt
>> > -r--r----- 1 root ossec  5229 Oct 12  2010 rootkit_trojans.txt
>> > -r--r----- 1 root ossec  7929 Oct 12  2010 system_audit_rcl.txt
>> > -r--r----- 1 root ossec  4614 Oct 12  2010 win_applications_rcl.txt
>> > -r--r----- 1 root ossec  3798 Oct 12  2010 win_audit_rcl.txt
>> > -r--r----- 1 root ossec  4866 Oct 12  2010 win_malware_rcl.txt
>> >
>> > I have already run "verify-agent-conf" with no output sent back
>> >
>> > $ bin/verify-agent-conf
>> > $
>> >
>> > Here's sample output from when I restart the central server
>> >
>> > 2011/06/07 10:19:51 ossec-monitord(1225): INFO: SIGNAL Received. Exit Cleaning...
>> > 2011/06/07 10:19:51 ossec-logcollector(1225): INFO: SIGNAL Received. Exit Cleaning...
>> > 2011/06/07 10:19:51 ossec-remoted(1225): INFO: SIGNAL Received. Exit Cleaning...
>> > 2011/06/07 10:19:51 ossec-remoted(1225): INFO: SIGNAL Received. Exit Cleaning...
>> > 2011/06/07 10:19:51 ossec-analysisd(1225): INFO: SIGNAL Received. Exit Cleaning...
>> > 2011/06/07 10:19:51 ossec-maild(1225): INFO: SIGNAL Received. Exit Cleaning...
>> > 2011/06/07 10:19:51 ossec-execd(1314): INFO: Shutdown received. Deleting responses.
>> > 2011/06/07 10:19:51 ossec-execd(1225): INFO: SIGNAL Received. Exit Cleaning...
>> > 2011/06/07 10:19:51 ossec-csyslogd(1225): INFO: SIGNAL Received. Exit Cleaning...
>> > 2011/06/07 10:19:51 ossec-syscheckd(1225): INFO: SIGNAL Received. Exit Cleaning...
>> > 2011/06/07 10:19:51 ossec-testrule: INFO: Reading local decoder file.
>> > 2011/06/07 10:19:52 ossec-csyslogd: INFO: Started (pid: 16064).
>> > 2011/06/07 10:19:52 ossec-csyslogd: INFO: Forwarding alerts via syslog to: '0.0.0.0:10002'.
>> > 2011/06/07 10:19:52 ossec-maild: INFO: Started (pid: 16068).
>> > 2011/06/07 10:19:52 ossec-execd: INFO: Started (pid: 16072).
>> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading local decoder file.
>> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'rules_config.xml'
>> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'pam_rules.xml'
>> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'sshd_rules.xml'
>> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'telnetd_rules.xml'
>> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'syslog_rules.xml'
>> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'arpwatch_rules.xml'
>> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'symantec-av_rules.xml'
>> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'symantec-ws_rules.xml'
>> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'pix_rules.xml'
>> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'named_rules.xml'
>> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'smbd_rules.xml'
>> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'vsftpd_rules.xml'
>> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'pure-ftpd_rules.xml'
>> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'proftpd_rules.xml'
>> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'ms_ftpd_rules.xml'
>> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'ftpd_rules.xml'
>> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'hordeimp_rules.xml'
>> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'roundcube_rules.xml'
>> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'wordpress_rules.xml'
>> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'cimserver_rules.xml'
>> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'vpopmail_rules.xml'
>> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'vmpop3d_rules.xml'
>> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'courier_rules.xml'
>> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'web_rules.xml'
>> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'apache_rules.xml'
>> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'nginx_rules.xml'
>> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'php_rules.xml'
>> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'mysql_rules.xml'
>> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'postgresql_rules.xml'
>> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'ids_rules.xml'
>> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'squid_rules.xml'
>> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'firewall_rules.xml'
>> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'cisco-ios_rules.xml'
>> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'netscreenfw_rules.xml'
>> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'sonicwall_rules.xml'
>> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'postfix_rules.xml'
>> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'sendmail_rules.xml'
>> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'imapd_rules.xml'
>> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'mailscanner_rules.xml'
>> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'dovecot_rules.xml'
>> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'ms-exchange_rules.xml'
>> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'racoon_rules.xml'
>> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'vpn_concentrator_rules.xml'
>> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'spamd_rules.xml'
>> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'msauth_rules.xml'
>> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'mcafee_av_rules.xml'
>> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'trend-osce_rules.xml'
>> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'ms-se_rules.xml'
>> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'zeus_rules.xml'
>> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'solaris_bsm_rules.xml'
>> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'vmware_rules.xml'
>> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'ms_dhcp_rules.xml'
>> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'asterisk_rules.xml'
>> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'ossec_rules.xml'
>> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'attack_rules.xml'
>> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Reading rules file: 'local_rules.xml'
>> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Total rules enabled: '1121'
>> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: '/etc/mtab'
>> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: '/etc/mnttab'
>> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: '/etc/hosts.deny'
>> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: '/etc/mail/statistics'
>> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: '/etc/random-seed'
>> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: '/etc/adjtime'
>> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: '/etc/httpd/logs'
>> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: '/etc/utmpx'
>> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: '/etc/wtmpx'
>> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: '/etc/cups/certs'
>> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: '/etc/dumpdates'
>> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: '/etc/svc/volatile'
>> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/System32/LogFiles'
>> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/Debug'
>> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/WindowsUpdate.log'
>> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/iis6.log'
>> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/wbem/Logs'
>> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/wbem/Repository'
>> > 2011/06/07 10:19:52 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/Prefetch'
>> > 2011/06/07 10:19:52...
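The root cause in the thread is a file in the shared directory (merged.mg, owned by root) that ossec-remoted could not rewrite, and the only trace of it was one ERROR line in the server log. The script below is an added example, not code from the thread, from dan or Trey, or from the OSSEC project: it audits a shared directory for files with an unexpected owner or group or a world-writable mode, and checks a log file for the "Unable to create merged file" error quoted above. The expected owner and group are parameters, because the thread only shows merged.mg being chowned to ossecr and gives no general permission reference; the sample tree and log it builds are constructed for the demo, with the ERROR line and the file names taken from the thread.

```shell
#!/bin/sh
# Added example (not from the thread or the OSSEC project): audit an OSSEC
# shared directory and the server log for the merged.mg permission problem.
# Expected owner/group are parameters; the thread establishes only that
# merged.mg had to be owned by ossecr, not a full permission reference.

# check_shared_perms DIR OWNER [GROUP]
# Prints one finding per regular file in DIR that is not owned by OWNER
# (and GROUP, when given) or that is world-writable.
# Returns 0 when there are no findings, 1 otherwise.
check_shared_perms() {
    dir=$1; owner=$2; group=${3:-}
    findings=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # ls -l columns: mode links owner group ... (same layout on GNU and
        # BSD ls, unlike stat, whose options differ). Word-splitting the
        # output means file names containing spaces are not handled.
        set -- $(ls -ld "$f")
        mode=$1; f_owner=$3; f_group=$4
        if [ "$f_owner" != "$owner" ]; then
            echo "OWNER $f: owned by $f_owner, expected $owner"
            findings=$((findings + 1))
        fi
        if [ -n "$group" ] && [ "$f_group" != "$group" ]; then
            echo "GROUP $f: group $f_group, expected $group"
            findings=$((findings + 1))
        fi
        # In a mode string such as "-rw-r--r--" the ninth character is the
        # other-write bit.
        case "$mode" in
            ????????w*)
                echo "MODE  $f: world-writable ($mode)"
                findings=$((findings + 1)) ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# log_has_merge_error LOGFILE
# Returns 0 if ossec-remoted reported that it could not write merged.mg,
# the symptom that kept agent.conf from reaching the agents in the thread.
log_has_merge_error() {
    grep -q "ossec-remoted: ERROR: Unable to create merged file" "$1"
}

# make_sandbox
# Builds a constructed test tree (not real OSSEC data) and prints its path:
# a shared/ directory with three file names from the thread, a log holding
# the ERROR line quoted in the thread, and a log without it.
make_sandbox() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/shared"
    for name in agent.conf ar.conf merged.mg; do
        : > "$tmp/shared/$name"
    done
    chmod 640 "$tmp/shared/agent.conf" "$tmp/shared/merged.mg"
    chmod 644 "$tmp/shared/ar.conf"
    cat > "$tmp/ossec.log" <<'EOF'
2011/06/07 10:19:52 ossec-maild: INFO: Started (pid: 16068).
2011/06/07 10:19:52 ossec-remoted: ERROR: Unable to create merged file: '/etc/shared/merged.mg'.
EOF
    cat > "$tmp/clean.log" <<'EOF'
2011/06/07 10:19:52 ossec-maild: INFO: Started (pid: 16068).
EOF
    echo "$tmp"
}

# Stand-alone demo on the constructed tree. On a real server the arguments
# would be /var/ossec/etc/shared (path from the thread), the user that
# ossec-remoted runs as, and the server log (typically
# /var/ossec/logs/ossec.log; an assumption, the thread names no log path).
sandbox=$(make_sandbox)
if check_shared_perms "$sandbox/shared" "$(id -un)"; then
    echo "shared/: no findings"
fi
if log_has_merge_error "$sandbox/ossec.log"; then
    echo "ossec.log: remoted could not write merged.mg; check its owner and mode"
fi
rm -rf "$sandbox"
```

Run against the real directory the findings list is what a Puppet `file` resource would later enforce; here it only reports, so it is safe to run before deciding which owner and mode each file should have. The mode check flags only world-writable files, which is the one setting that is wrong regardless of which OSSEC user needs write access.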
