Hi, thanks for Your reply. Yes, I am indeed confused, but it is only slightly getting better. But that's probably due to my little knowledge, also. I try to get back inline, also. I mark it with //

On 8 Nov., 14:39, "dan (ddp)" <[email protected]> wrote:
> You seem to be incredibly confused. More inline.
>
> On Tue, Nov 8, 2011 at 6:31 AM, Callcomet G-Mail
> <[email protected]> wrote:
>
> > I send my request to the group again to [email protected] because
> > [email protected] doesn't seem to be active.

// With which email address is the group best contacted??

> > -------- Original Message --------
> > Subject: Not getting the combination of agent/server on a VPS
> > Date: Tue, 08 Nov 2011 11:44:31 +0100
> > From: Callcomet G-Mail <[email protected]>
> > Reply-To: [email protected]
> > To: [email protected]
>
> > Hi all,
> > I suppose this is a very nice tool so far. I want to do a lot of
> > improvement on my VPS security.
> > It is sad, that I seem not to understand how to install it. I had a
> > similar situation when I installed monit and munin on my last servers,
> > everybody on the net is going like: Hey, this easy to install and setup.
> > Make step 1 and step 2 and... finished.
> > Unfortunately, there were lots of things in between that I simply didn't
> > know or understood.
> > I live through the same, here in this case.
>
> > So, maybe one of You might be so kind to help me out, with really steps,
> > so I can manage it to get it running on my vps.
>
> > Requirements:
> > VPS running on a hoster, with a debian squeeze and froxlor as admin
> > panel. PHP under fcgi.
> > The webserver is apache. I have a linux ubuntu 10.04 installed on my
> > desktop. My local LAN is not behind a static IP. Simple DSL subscription.
>
> How do you want your desktop to fit into the OSSEC installation? Are
> you just using it to monitor the server? Or do you plan to use it as
> an OSSEC agent?
>
> I'm going to assume the desktop is extra information for now, and ignore it.

// Yes, You are right. I have just read it anywhere, that You could monitor it with the desktop machine also and assumed it might be mandatory, this way, when observing a single webserver.

> > I would like to run ossec and watch my server. How do I do it?
>
> > I started first to install server during the installation process. I
> > saw, that this could be wrong, because I wasn't prompted to add any agent.
> > and /manage_agents didn't prompt me either.
>
> Nothing will prompt you to add an agent. Assuming you are monitoring
> just 1 server though, you don't need to do the server install. A local
> install is perfect for monitoring 1 system.

// Sorry, but for a beginner, I think it looks that everything regarding ossec is based on an agent/server structure. Also, after installing the WUI I think nothing is working, as far as I don't add an agent. My picture of the whole setup, so far, is: Installation Option server: I don't really get this anyway, but I would think of a server similar to that when You install a VNC for example. Or a ssh like Copssh on a Windows. Anything needs to be server and anything needs to be agent. Server in this case is the machine, where we are going to enter on, agent would be the machine entering. I know, this is only an example. But during the documentation, the steps You take are THAT fast, a novice might be drowned fast also. So was I. So, the local install is all I need, I understood.

> > So, I have run through setup again after uninstalling it with the bash
> > script http://www.ossec.net/wiki/Tweaking_OSSEC
>
> > Then I have chosen local installation this time. Added www-data to the
> > ossec user group.
>
> Why?

// Because it is written in a lot of tutorials. I have to be true, I didn't find any blog/tutorial talking CLEARLY about an installation on a single webserver. I am still confused.

> > My groups with user look like this:
> > ossecm:ossecm : ossec
> > ossec:ossec : ossec
> > ossecr:ossecr : ossec
> > www-data:www-data : www-data ossec
> > Achieved by this command line:
> > for u in `cut -f1 -d: /etc/passwd`; do echo -n $u:; groups $u; done | sort
>
> > Started ossec and now with /var/ossec/bin/ossec-control status it says:
> > ossec-monitord is running...
> > ossec-logcollector is running...
> > ossec-syscheckd is running...
> > ossec-analysisd is running...
> > ossec-maild is running...
> > ossec-execd is running...
>
> > I added an agent now.
> local installations do not use agents, it's a server and agent in 1.

// But how is the WUI working then?

> > Here I am totally puzzled.
> > I would add the agent name and the IP for the agent would be the IP the
> > VPS server is running with, correct?
> Only if you installed OSSEC on another system. If you went with a
> local install on the server, then you don't need to worry about
> agents. If you could point me to the part of the documentation that
> gave you the impression that you needed an agent with a local install
> I'll fix it immediately.

// I thought because I am being asked for an IP, I need to setup an IP. Although the installation which I personally wanted to find, didn't cover, IMHO, the detecting of a single webserver, at all. So, I tried to figure out and transfer knowledge from the docs and blogs, to fit my situation. Well, we can go through that deeper. I would be happy to help out if You like, but I think a live communication would be better for this. I cannot point to a part now, because it is an overall picture I got of the whole process. Shall we give each others messengers names? I am available on gtalk, of course. What do You think?

> > ID for agent and good.
> > My webUI doesn't show any agent. So does the shell:
> > /var/ossec/bin/list_agents -a
> > ** No agent available.
> > But when I go to the agent manager, it DOES show the agent I added.
> > ****************************************
> > * OSSEC HIDS v2.6 Agent manager. *
> > * The following options are available: *
> > ****************************************
> > (A)dd an agent (A).
> > (E)xtract key for an agent (E).
> > (L)ist already added agents (L).
> > (R)emove an agent (R).
> > (Q)uit.
> > Choose your action: A,E,L,R or Q: L
>
> > Available agents:
> > ID: 001, Name: Myagent, IP: My.Se.Rver.IP
>
> > What the heck is going on?
>
> > I can't use that agent so far.
>
> If you did a local install, stop worrying about agents. If I assumed
> incorrectly, you need to post more information about your attempted
> installation (like which system you installed ossec on).

// No, I think You assumed correctly. But am I done now, and is the WUI working with my setup? Local installation and then added an agent which isn't seen? I mean this is another point to talk about, no matter if I need to add an agent or not. I find it most confusing, that the agent isn't seen under list agents. Okay, WUI is a thing I didn't get to work. I am still confused, sorry. So, what needs to be done, if I would like to start over new? VPS Server is going to be watched. Where do You think do I get the information from to watch a root/vps, whatsoever that is located in the web. A machine, that I only want to observe as is, best with the WUI also. Where do I find?

> > What am I doing wrong?
> > I would like to have ossec also watch my user logs, that are
> > individually located under /var/customers/logs/WEBUSER
>
> > Is that possible too?
>
> Yes, that is possible.
> http://www.ossec.net/doc/manual/monitoring/index.html#element-localfile

// Great, I will have a look into this. Thank You. Thanks in advance for any further help. Let's get on any live communication if You find the time. Cheers. Andre

> > Thanks so much in advance for any hint understandable.
>
> > Cheers.
> > Andre
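
Added example, not part of the original thread and not written by either poster: a sketch of the `localfile` entries the linked manual section describes, for a local install watching the per-customer logs under /var/customers/logs/WEBUSER. The file names access.log and error.log and the config path /var/ossec/etc/ossec.conf (the default for an install under /var/ossec) are assumptions.

```xml
<!-- Added example. These stanzas go inside the existing <ossec_config>
     element of /var/ossec/etc/ossec.conf on the monitored server.
     WEBUSER is the placeholder used in the message above; access.log and
     error.log are assumed file names, replace them with the real ones. -->
<ossec_config>

  <!-- Per-customer Apache access log -->
  <localfile>
    <log_format>apache</log_format>
    <location>/var/customers/logs/WEBUSER/access.log</location>
  </localfile>

  <!-- Per-customer Apache error log; the apache log_format is used for
       both access and error logs -->
  <localfile>
    <log_format>apache</log_format>
    <location>/var/customers/logs/WEBUSER/error.log</location>
  </localfile>

</ossec_config>
```

After editing, `/var/ossec/bin/ossec-control restart` makes ossec-logcollector pick up the new entries. On a local install no agent has to be added for these logs to be analysed.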
