On Wed, Nov 9, 2011 at 5:17 AM, webass <[email protected]> wrote:
> Hi, thanks for Your reply.
> Yes, I am indeed confused, but it is only slightly getting better.
> But that's probably due to my little knowledge, also.
> I try to get back inline, also. I mark it with //
>
> On 8 Nov., 14:39, "dan (ddp)" <[email protected]> wrote:
>> You seem to be incredibly confused. More inline.
>>
>> On Tue, Nov 8, 2011 at 6:31 AM, Callcomet G-Mail
>> <[email protected]> wrote:
>>
>> > I send my request to the group again to [email protected]
>> > because [email protected] doesn't seem to be active.
>
> // With which email address the group is best contacted??
>

The google groups list is the correct one.

>> > -------- Original Message --------
>> > Subject: Not getting the combination of agent/server on a VPS
>> > Date: Tue, 08 Nov 2011 11:44:31 +0100
>> > From: Callcomet G-Mail <[email protected]>
>> > Reply-To: [email protected]
>> > To: [email protected]
>>
>> > Hi all,
>> > I suppose this is a very nice tool so far. I want to do a lot of
>> > improvement on my VPS security.
>> > It is sad, that I seem not to understand how to install it. I had a
>> > similar situation when I installed monit and munin on my last servers,
>> > everybody on the net is going like: Hey, this easy to install and setup.
>> > Make step 1 and step 2 and... finished.
>> > Unfortunately, there were lots of things in between that I simply didn't
>> > know or understood.
>> > I live through the same, here in this case.
>>
>> > So, maybe one of You might be so kind to help me out, with really steps,
>> > so I can manage it to get it running on my vps.
>>
>> > Requirements:
>> > VPS running on a hoster, with a debian squeeze and froxlor as admin
>> > panel. PHP under fcgi.
>> > The webserver is apache. I have a linux ubuntu 10.04 installed on my
>> > desktop. My local LAN is not behind a static IP. Simple DSL subscription.
>>
>> How do you want your desktop to fit into the OSSEC installation? Are
>> you just using it to monitor the server? Or do you plan to use it as
>> an OSSEC agent?
>>
>> I'm going to assume the desktop is extra information for now, and ignore it.
>
> // Yes, You are right. I have just read it anywhere, that You could
> monitor it with the desktop machine also and assumed it might be
> mandatory, this way, when observing a single webserver.
>
>> > I would like to run ossec and watch my server. How do I do it?
>>
>> > I started first to install server during the installation process. I
>> > saw, that this could be wrong, because I wasn't prompted to add any agent.
>> > and /manage_agents didn't prompt me either.
>>
>> Nothing will prompt you to add an agent. Assuming you are monitoring
>> just 1 server though, you don't need to do the server install. A local
>> install is perfect for monitoring 1 system.
>
> // Sorry, but for a beginner, I think it looks that everything
> regarding ossec is based on an agent/server structure. Also, after
> installing the WUI I think nothing is working, as far as I don't add
> an agent. My picture of the whole setup, so far, is:
> Installation Option server: I don't really get this anyway, but I would
> think of a server similar to that when You install a VNC for example.
> Or a ssh like Copssh on a Windows. Anything needs to be server and
> anything needs to be agent. Server in this case is the machine, where
> we going to enter on, agent would be the machine entering. I know,
> this is only an example. But during the documentation, the steps You
> take are THAT fast, a novice might be drowned fast also. So was I.
> So, the local install is all I need, I understood.
>

Servers provide a service. vnc or ssh are services, the server is the
system offering those services. Thanks for the heads up though, I'll try
to explain this better in the documentation. It'll fit in very well with
some new documentation I'm working on.

>> > So, I have run through setup again after uninstalling it with the bash
>> > script http://www.ossec.net/wiki/Tweaking_OSSEC
>>
>> > Then I have chosen local installation this time. Added www-data to the
>> > ossec user group.
>>
>> Why?
>
> // Because it is written in a lot of tutorials. I have to be true, I
> didn't find any blog/ tutorial talking CLEARLY about an installation on
> a single webserver. I am still confused.
>

It makes sense if you're installing the WUI. I didn't see that in the
initial email. If you aren't using WUI or something similar then this
isn't necessary. Generally the webserver does not need permissions to
access the OSSEC directories.
OSSEC needs permissions to access the webserver logs, and this is taken
into account.

>>
>> > My groups with user look like this:
>> > ossecm:ossecm : ossec
>> > ossec:ossec : ossec
>> > ossecr:ossecr : ossec
>> > www-data:www-data : www-data ossec
>> > Achieved by this command line:
>> > for u in `cut -f1 -d: /etc/passwd`; do echo -n $u:; groups $u; done | sort
>>
>> > Started ossec and now with /var/ossec/bin/ossec-control status it says:
>> > ossec-monitord is running...
>> > ossec-logcollector is running...
>> > ossec-syscheckd is running...
>> > ossec-analysisd is running...
>> > ossec-maild is running...
>> > ossec-execd is running...
>>
>> > I added an agent now.
>> > local installations do not use agents, it's a server and agent in 1.
>
> // But how is the WUI working then?

It doesn't. It's broken. Everyone who uses it either fixes it for
themselves, installs OSSEC 2.5.1 (or earlier), or gives up and moves on.

>>
>> > Here I am totally puzzled.
>> > I would add the agent name and the IP for the agent would be the IP the
>> > VPS server is running with, correct?
>
>> Only if you installed OSSEC on another system. If you went with a
>> local install on the server, then you don't need to worry about
>> agents. If you could point me to the part of the documentation that
>> gave you the impression that you needed an agent with a local install
>> I'll fix it immediately.
>
> // I thought because I am being asked for an IP, I need to setup an
> IP. Although the installation which I personally wanted to find, didn't
> cover, IMHO, the detecting of a single webserver, at all. So, I tried
> to figure out and transfer knowledge from the docs and blogs, to fit
> my situation.. Well, we can go through that deeper. I would be happy to
> help out if You like, but I think a live communication would be better
> for this. I cannot point to a part now, because it is an overall
> picture I got of the whole process. Shall we give each others
> messengers names? I am available on gtalk, of course. What do You
> think?
>
>>
>> > ID for agent and good.
>> > My webUI doesn't show any agent. So does the shell:
>> > /var/ossec/bin/list_agents -a
>> > ** No agent available.
>> > But when I go to the agent manager, it DOES show the agent I added.
>> > ****************************************
>> > * OSSEC HIDS v2.6 Agent manager. *
>> > * The following options are available: *
>> > ****************************************
>> > (A)dd an agent (A).
>> > (E)xtract key for an agent (E).
>> > (L)ist already added agents (L).
>> > (R)emove an agent (R).
>> > (Q)uit.
>> > Choose your action: A,E,L,R or Q: L
>>
>> > Available agents:
>> > ID: 001, Name: Myagent, IP: My.Se.Rver.IP
>>
>> > What the heck is going on?
>>
>> > I can't use that agent so far.
>>
>> If you did a local install, stop worrying about agents. If I assumed
>> incorrectly, you need to post more information about your attempted
>> installation (like which system you installed ossec on).
>
> // No, I think You assumed correctly. But am I done now, and is the WUI
> working with my setup? Local installation and then added an agent
> which isn't seen?
> I mean this is another point to talk about, no matter If I need to add
> an agent or not. I find it most confusing, that the agent isn't seen
> under list agents. Okay, WUI is a thing I didn't get to work.

I don't know if a local install will acknowledge an agent at all. So if
you have done a local installation an added agent may never "appear."
ossec-remoted shouldn't be running, so if an agent is recognized it will
never be marked as active.

> I am still confused sorry.
> So, what is need to be done, if I would like to start over new?
> VPS Server is going to be watched. Where do You think do I get the
> information from to watch a root/vps, what so ever that is located in
> the web. A machine, that I only want to observe as is, best with the
> WUI also.
> Where do I find?
>

I will not help with the WUI, but you should be able to do a local
install. Afterwards, look at the logfiles that are being monitored (in
/var/ossec/etc/ossec.conf) because you may have to add your webserver
logs and any other debian specific logs.

>> > What am I doing wrong?
>> > I would like to have ossec also watch my user logs, that are
>> > individually located under /var/customers/logs/WEBUSER
>>
>> > Is that possible too?
>>
>> Yes, that is possible.
>> http://www.ossec.net/doc/manual/monitoring/index.html#element-localfile
>
> // Great, I will have a look into this. Thank You.
> Thanks in advance for any further help.
>
> Let's get on any live communication if You find the time.
> Cheers.
> Andre
>
>> > Thanks so much in advance for any hint understandable.
>>
>> > Cheers.
>> > Andre
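
The step from the reply above (adding webserver and per-customer logs to /var/ossec/etc/ossec.conf as localfile entries), as an added example that is not part of the original thread or of OSSEC itself. It assumes the logs below /var/customers/logs end in ".log" and are all Apache logs; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: print OSSEC <localfile> stanzas for web logs found below a
# directory, skipping any file an existing ossec.conf already lists.
# Assumptions: log files end in ".log"; all are Apache access/error logs.

# xml_escape STRING: escape &, < and > so a path is safe as XML text.
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

# gen_localfiles LOG_DIR [OSSEC_CONF]: write stanzas to stdout.
gen_localfiles() {
    log_dir=$1
    conf=${2:-}
    find "$log_dir" -type f -name '*.log' | sort | while IFS= read -r path; do
        entry="<location>$(xml_escape "$path")</location>"
        # Already monitored? Then emit nothing, to avoid duplicate entries.
        if [ -n "$conf" ] && [ -f "$conf" ] && grep -qF -- "$entry" "$conf"; then
            continue
        fi
        printf '  <localfile>\n'
        printf '    <log_format>apache</log_format>\n'
        printf '    %s\n' "$entry"
        printf '  </localfile>\n'
    done
}

# Stand-alone use:
#   sh gen_localfiles.sh /var/customers/logs /var/ossec/etc/ossec.conf
if [ "$#" -ge 1 ]; then
    gen_localfiles "$@"
fi
```

Review the printed stanzas, paste them inside the <ossec_config> element of /var/ossec/etc/ossec.conf, and restart with /var/ossec/bin/ossec-control restart.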
