You seem to be incredibly confused. More inline.

On Tue, Nov 8, 2011 at 6:31 AM, Callcomet G-Mail <[email protected]> wrote:
>
> I send my request to the group again to [email protected] because
> [email protected] doesn't seem to be active.
>
> -------- Original Message --------
> Subject: Not getting the combination of agent/server on a VPS
> Date: Tue, 08 Nov 2011 11:44:31 +0100
> From: Callcomet G-Mail <[email protected]>
> Reply-To: [email protected]
> To: [email protected]
>
> Hi all,
> I suppose this is a very nice tool so far. I want to do a lot of
> improvement on my VPS security.
> It is sad, that I seem not to understand how to install it. I had a
> similar situation when I installed monit and munin on my last servers,
> everybody on the net is going like: Hey, this is easy to install and setup.
> Make step 1 and step 2 and... finished.
> Unfortunately, there were lots of things in between that I simply didn't
> know or understood.
> I live through the same, here in this case.
>
> So, maybe one of You might be so kind to help me out, with real steps,
> so I can manage it to get it running on my vps.
>
> Requirements:
> VPS running on a hoster, with a debian squeeze and froxlor as admin
> panel. PHP under fcgi.
> The webserver is apache. I have a linux ubuntu 10.04 installed on my
> desktop. My local LAN is not behind a static IP. Simple DSL subscription.

How do you want your desktop to fit into the OSSEC installation? Are you
just using it to monitor the server? Or do you plan to use it as an OSSEC
agent? I'm going to assume the desktop is extra information for now, and
ignore it.

> I would like to run ossec and watch my server. How do I do it?
>
> I started first to install server during the installation process. I
> saw, that this could be wrong, because I wasn't prompted to add any agent.
> and /manage_agents didn't prompt me either.

Nothing will prompt you to add an agent. Assuming you are monitoring just
1 server though, you don't need to do the server install. A local install
is perfect for monitoring 1 system.

> So, I have run through setup again after uninstalling it with the bash
> script http://www.ossec.net/wiki/Tweaking_OSSEC
>
> Then I have chosen local installation this time. Added www-data to the
> ossec user group.

Why?

> My groups with user look like this:
> ossecm:ossecm : ossec
> ossec:ossec : ossec
> ossecr:ossecr : ossec
> www-data:www-data : www-data ossec
> Achieved by this command line:
> for u in `cut -f1 -d: /etc/passwd`; do echo -n $u:; groups $u; done | sort
>
>
> Started ossec and now with /var/ossec/bin/ossec-control status it says:
> ossec-monitord is running...
> ossec-logcollector is running...
> ossec-syscheckd is running...
> ossec-analysisd is running...
> ossec-maild is running...
> ossec-execd is running...
>
> I added an agent now.

Local installations do not use agents, it's a server and agent in 1.

> Here I am totally puzzled.
> I would add the agent name and the IP for the agent would be the IP the
> VPS server is running with, correct?
>

Only if you installed OSSEC on another system. If you went with a local
install on the server, then you don't need to worry about agents.
If you could point me to the part of the documentation that gave you the
impression that you needed an agent with a local install I'll fix it
immediately.

> ID for agent and good.
> My webUI doesn't show any agent. So does the shell:
> /var/ossec/bin/list_agents -a
> ** No agent available.
> But when I go to the agent manager, it DOES show the agent I added.
> ****************************************
> * OSSEC HIDS v2.6 Agent manager.       *
> * The following options are available: *
> ****************************************
> (A)dd an agent (A).
> (E)xtract key for an agent (E).
> (L)ist already added agents (L).
> (R)emove an agent (R).
> (Q)uit.
> Choose your action: A,E,L,R or Q: L
>
> Available agents:
> ID: 001, Name: Myagent, IP: My.Se.Rver.IP
>
> What the heck is going on?
>
> I can't use that agent so far.
>

If you did a local install, stop worrying about agents. If I assumed
incorrectly, you need to post more information about your attempted
installation (like which system you installed ossec on).

> What am I doing wrong?
> I would like to have ossec also watch my user logs, that are
> individually located under /var/customers/logs/WEBUSER
>
> Is that possible too?
>

Yes, that is possible.
http://www.ossec.net/doc/manual/monitoring/index.html#element-localfile

>
> Thanks so much in advance for any hint understandable.
>
> Cheers.
> Andre
>
>
>
>
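
The localfile element linked in the reply above, sketched for the per-customer logs asked about. This is an added example, not part of the original thread or the OSSEC documentation; the `-access.log` and `-error.log` file name suffixes are assumptions about how the logs under /var/customers/logs are named and must be adjusted to the real names.

```xml
<!-- Added example for /var/ossec/etc/ossec.conf on the local install.
     The file name patterns below are assumed, not taken from the thread.
     To watch a single customer instead of all of them, replace the "*"
     with that customer's name (WEBUSER in the post). -->
<ossec_config>

  <!-- Every customer's access log, read with the Apache log format.
       The wildcard is expanded when ossec-logcollector starts, so a
       log file created later is only picked up after a restart. -->
  <localfile>
    <log_format>apache</log_format>
    <location>/var/customers/logs/*-access.log</location>
  </localfile>

  <!-- Every customer's error log; the apache format covers both
       access and error logs. -->
  <localfile>
    <log_format>apache</log_format>
    <location>/var/customers/logs/*-error.log</location>
  </localfile>

</ossec_config>
```

After editing the file, `/var/ossec/bin/ossec-control restart` makes ossec-logcollector re-read the configuration.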
