On Tue, Jul 31, 2012 at 2:11 AM, peace <[email protected]> wrote:
> Hello list,
>
> I have tried many things until I just give up and ask for help. Basically
> the centralized agent config is not working.
>
> At the agent I removed etc/shared/agent.conf
>
> and etc/ossec.conf contains only
>
> <ossec_config>
>  <client>
>   <server-ip>10.200.11.140</server-ip>
>  </client>
>
> </ossec_config>
>
> And on the server I configured shared/agent.conf like this
>
> <agent_config name="AGENT_NAME">
>  <syscheck>
>   <!-- Frequency that syscheck is executed -- default every 2 hours -->
>   <frequency>7200</frequency>
>
>   <!-- Directories to check (perform all possible verifications) -->
>   <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
>   <directories check_all="yes">/bin,/sbin</directories>
>
>   <!-- Files/directories to ignore -->
>   <ignore>/etc/mtab</ignore>
>   <ignore>/etc/hosts.deny</ignore>
>   <ignore>/etc/mail/statistics</ignore>
>   <ignore>/etc/random-seed</ignore>
>   <ignore>/etc/adjtime</ignore>
>   <ignore>/etc/httpd/logs</ignore>
>  </syscheck>
>
>  <rootcheck>
>   <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
>   <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
>  </rootcheck>
>
>  <localfile>
>   <log_format>syslog</log_format>
>   <location>/var/log/messages</location>
>  </localfile>
>
> </agent_config>
>
> Restart server, restart agent and see the config is not pushed to the agent
> at all
>
> 2012/07/31 15:57:42 ossec-agentd: INFO: Started (pid: 28779).
> 2012/07/31 15:57:42 ossec-agentd: INFO: Server IP Address: 10.200.11.140
> 2012/07/31 15:57:42 ossec-agentd: INFO: Trying to connect to server (10.200.11.140:1514).
> 2012/07/31 15:57:42 ossec-agentd: INFO: Using IPv4 for: 10.200.11.140 .
> 2012/07/31 15:57:42 ossec-logcollector(1905): INFO: No file configured to monitor.
> 2012/07/31 15:57:42 ossec-syscheckd(1702): INFO: No directory provided for syscheck to monitor.
> 2012/07/31 15:57:42 ossec-syscheckd: WARN: Syscheck disabled.
> 2012/07/31 15:57:42 ossec-rootcheck: System audit file not configured.
> 2012/07/31 15:57:43 ossec-agentd(4102): INFO: Connected to the server (10.200.11.140:1514).
> 2012/07/31 15:57:46 ossec-syscheckd: INFO: Started (pid: 28787).
> 2012/07/31 15:57:46 ossec-rootcheck: INFO: Started (pid: 28787).
> 2012/07/31 15:57:48 ossec-logcollector: INFO: Started (pid: 28783).
> 2012/07/31 15:59:20 ossec-rootcheck: INFO: Starting rootcheck scan.
> 2012/07/31 15:59:20 ossec-rootcheck: No rootcheck_files file configured.
> 2012/07/31 15:59:20 ossec-rootcheck: No rootcheck_trojans file configured.
> 2012/07/31 16:00:13 ossec-rootcheck: INFO: Ending rootcheck scan.
>
> With the Red Hat version installed from the AtomiCorp repository I cannot
> even restart the agent from the server, and likewise no config is pushed to
> the client. Then I downloaded the tarball, extracted it, ran install.sh,
> build etc. This is a bit better in that I can restart the agent from the
> server. Again, the config is not pushed to the agent.
>
> Please help
>
How long did you wait? It can sometimes take a while. Also, check the permissions. Try creating the file (or copying it over) and making sure the permissions are correct so it can be overwritten.
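
A way to tell whether the shared config has arrived yet, as an added example that is not part of the original thread or of OSSEC: it compares the sections defined in the server's agent.conf with the "nothing configured" messages in the agent's log since its last start. The function names and the SAMPLE_* inputs are hypothetical and constructed from the text quoted above.

```python
import re
import xml.etree.ElementTree as ET

# Agent log messages (from the log in this thread) that show a module started
# with no configuration, keyed by the agent.conf section that would supply it.
SYMPTOMS = {
    "localfile": "No file configured to monitor",
    "syscheck": "No directory provided for syscheck to monitor",
    "rootcheck": "No rootcheck_files file configured",
}

def configured_sections(agent_conf):
    """Section names present in any <agent_config> block of agent.conf."""
    # Comments go first: the one quoted in the thread contains "--", which a
    # strict XML parser rejects. <root> allows several <agent_config> blocks.
    text = re.sub(r"<!--.*?-->", "", agent_conf, flags=re.DOTALL)
    root = ET.fromstring("<root>" + text + "</root>")
    return {child.tag for block in root.iter("agent_config") for child in block}

def unapplied_sections(agent_conf, agent_log):
    """Sections the server defines but the agent reports as unconfigured."""
    # Judge only the most recent agent run.
    start = agent_log.rfind("ossec-agentd: INFO: Started")
    recent = agent_log[start:] if start != -1 else agent_log
    return sorted(name for name in configured_sections(agent_conf)
                  if name in SYMPTOMS and SYMPTOMS[name] in recent)

# Constructed sample input, shortened from the config and log in the thread.
SAMPLE_CONF = """
<agent_config name="AGENT_NAME">
  <syscheck>
    <!-- Frequency that syscheck is executed -- default every 2 hours -->
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
  </syscheck>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>
</agent_config>
"""
SAMPLE_LOG = """\
2012/07/31 15:57:42 ossec-agentd: INFO: Started (pid: 28779).
2012/07/31 15:57:42 ossec-logcollector(1905): INFO: No file configured to monitor.
2012/07/31 15:57:42 ossec-syscheckd(1702): INFO: No directory provided for syscheck to monitor.
"""

if __name__ == "__main__":
    print(unapplied_sections(SAMPLE_CONF, SAMPLE_LOG))
```

An empty result after a later agent restart means the modules picked up the pushed sections; a non-empty one means the agent is still running on its local ossec.conf alone.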
