Hi guys, I'm pretty new to OSSEC and running into problems getting a centralized configuration done.
I'm running OSSEC-Server on a CentOS 6.2 box and OSSEC-Agent on an Ubuntu 12.04 box. Everything is working fine so far (only a plain installation and connecting the agent to the server).

Here comes the trouble: I changed the host-deny and firewall-drop commands inside the ossec.conf of the server to location "all". As I understand it, this means that i.e. if somebody is bruteforcing the sshd running on the agent, the host-deny and firewall-drop active responses should trigger both on the agent and the server. In my case, this doesn't work. I can see the sshd bruteforce attack inside the logs on the server, so the connection between agent and server works, but only the agent which was under attack blocked the IP via iptables and host.deny, and not the server.

As I understand it, the agent uses the ossec.conf and *_rules.xml files from the server?!?! In my case, the server config file has the following md5sum:

    1dd21647768bd23ac2a83e62adbbc0ca  ossec.conf

The agent is using a different one:

    OSSEC HIDS agent_control. Agent information:
       Agent ID:   001
       Agent Name: Client1
       IP address: 10.17.0.15
       Status:     Active
       Operating system:    Linux testing 3.2.0-22-generic-pae #35-Ubuntu SMP Tu..
       Client version:      OSSEC HIDS v2.6 / 77843f5c451af0a872a5e4733655aa1e
       Last keep alive:     Wed Apr 25 14:55:16 2012
       Syscheck last started at: Wed Apr 25 14:30:15 2012
       Rootcheck last started at: Wed Apr 25 14:40:43 2012

This one is located under ../shared/agent.conf on the server:

    77843f5c451af0a872a5e4733655aa1e  shared/agent.conf

The OSSEC documentation says that I can push a centralized configuration from the server to the agent by creating the file ../shared/agent.conf. In my case, this file already exists and contains a perl script. I'm stuck.

So, how can I use a centralized set of rules that I created in the local_rules.xml on the server and push it to the agent, and how can an alarm on one of the agents be triggered on all agents connecting to the same server?
I would really appreciate it if anybody could help me out with this, because OSSEC seems to be really nice! Best regards, _joern_
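The hash comparison the post does by hand, written up as a small check. This is an added example, not code from the post or from the OSSEC project: it parses agent_control output (a constructed sample modelled on the one above, where the hash after "Client version" equals the MD5 of the server's shared/agent.conf) and reports whether the agent holds the server's current shared config. The shared/agent.conf bytes below are a constructed stand-in, an assumption.

```python
import hashlib
import re

# Constructed template of `agent_control -i <id>` output, modelled on the
# post above. There, the hash after "Client version" was identical to the
# MD5 of shared/agent.conf on the server, so it identifies which copy of the
# centralized config the agent currently holds.
AGENT_CONTROL_TEMPLATE = """\
OSSEC HIDS agent_control. Agent information:
   Agent ID:   001
   Agent Name: Client1
   IP address: 10.17.0.15
   Status:     Active
   Operating system:    Linux testing 3.2.0-22-generic-pae #35-Ubuntu SMP Tu..
   Client version:      OSSEC HIDS v2.6 / {md5}
   Last keep alive:     Wed Apr 25 14:55:16 2012
"""

# Constructed stand-in for the server's shared/agent.conf (assumption).
SHARED_AGENT_CONF = b"<agent_config>\n  <syscheck><frequency>7200</frequency></syscheck>\n</agent_config>\n"

FIELD_RE = re.compile(r"^\s*(Agent ID|Agent Name):\s*(.+?)\s*$", re.M)
HASH_RE = re.compile(r"Client version:\s*(.+?)\s*/\s*([0-9a-f]{32})")


def md5_hex(data):
    """MD5 of a file's bytes, as printed by md5sum on the server."""
    return hashlib.md5(data).hexdigest()


def parse_agent_info(text):
    """Pull id, name, version string and reported config MD5 out of agent_control output."""
    fields = dict(FIELD_RE.findall(text))
    m = HASH_RE.search(text)
    if m is None or "Agent ID" not in fields:
        raise ValueError("unrecognised agent_control output")
    return {"id": fields["Agent ID"], "name": fields.get("Agent Name", ""),
            "version": m.group(1), "reported_md5": m.group(2)}


def check_agent_config(agent_control_text, shared_conf_bytes):
    """Compare the MD5 the agent reports with the MD5 of shared/agent.conf on the server."""
    info = parse_agent_info(agent_control_text)
    info["server_md5"] = md5_hex(shared_conf_bytes)
    info["in_sync"] = info["reported_md5"] == info["server_md5"]
    return info


# One agent that already fetched the current file, one still holding the hash from the post.
SYNCED = AGENT_CONTROL_TEMPLATE.format(md5=md5_hex(SHARED_AGENT_CONF))
STALE = AGENT_CONTROL_TEMPLATE.format(md5="77843f5c451af0a872a5e4733655aa1e")

if __name__ == "__main__":
    for sample in (SYNCED, STALE):
        r = check_agent_config(sample, SHARED_AGENT_CONF)
        print(f"agent {r['id']} ({r['name']}): {'in sync' if r['in_sync'] else 'STALE'} "
              f"(agent {r['reported_md5']}, server {r['server_md5']})")
```

Against a real server, feed it the text of `agent_control -i <id>` and the bytes of shared/agent.conf; the comparison is against agent.conf, not ossec.conf, which is why the ossec.conf md5sum in the post never matched.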
