I did it and restarted the server first and the client later. Should it be picked up right away?

I already checked the permissions. Not sure which process reads etc/shared/agent.conf though, as some processes are run by root, others are run by the ossec user (I don't remember the name exactly as I am currently off work, so no access to the server). The permissions are user, group readable. Not really sure exactly what the mode and ownership of it should be, though. Should I chmod 666 it?

On Tue, Jul 31, 2012 at 9:21 PM, dan (ddp) <[email protected]> wrote:

> On Tue, Jul 31, 2012 at 2:11 AM, peace <[email protected]> wrote:
> > Hello list,
> >
> > I have tried many things until I just gave up and asked for help. Basically
> > the centralized agent config is not working.
> >
> > At the agent I removed etc/shared/agent.conf
> >
> > and etc/ossec.conf contains only
> >
> > <ossec_config>
> >   <client>
> >     <server-ip>10.200.11.140</server-ip>
> >   </client>
> >
> > </ossec_config>
> >
> > And on the server I configured shared/agent.conf like this
> >
> > <agent_config name="AGENT_NAME">
> >   <syscheck>
> >     <!-- Frequency that syscheck is executed -- default every 2 hours -->
> >     <frequency>7200</frequency>
> >
> >     <!-- Directories to check (perform all possible verifications) -->
> >     <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
> >     <directories check_all="yes">/bin,/sbin</directories>
> >
> >     <!-- Files/directories to ignore -->
> >     <ignore>/etc/mtab</ignore>
> >     <ignore>/etc/hosts.deny</ignore>
> >     <ignore>/etc/mail/statistics</ignore>
> >     <ignore>/etc/random-seed</ignore>
> >     <ignore>/etc/adjtime</ignore>
> >     <ignore>/etc/httpd/logs</ignore>
> >   </syscheck>
> >
> >   <rootcheck>
> >     <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
> >     <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
> >   </rootcheck>
> >
> >   <localfile>
> >     <log_format>syslog</log_format>
> >     <location>/var/log/messages</location>
> >   </localfile>
> >
> > </agent_config>
> >
> > Restart the server, restart the agent and see that the config is not pushed
> > to the agent at all
> >
> > 2012/07/31 15:57:42 ossec-agentd: INFO: Started (pid: 28779).
> > 2012/07/31 15:57:42 ossec-agentd: INFO: Server IP Address: 10.200.11.140
> > 2012/07/31 15:57:42 ossec-agentd: INFO: Trying to connect to server (10.200.11.140:1514).
> > 2012/07/31 15:57:42 ossec-agentd: INFO: Using IPv4 for: 10.200.11.140 .
> > 2012/07/31 15:57:42 ossec-logcollector(1905): INFO: No file configured to monitor.
> > 2012/07/31 15:57:42 ossec-syscheckd(1702): INFO: No directory provided for syscheck to monitor.
> > 2012/07/31 15:57:42 ossec-syscheckd: WARN: Syscheck disabled.
> > 2012/07/31 15:57:42 ossec-rootcheck: System audit file not configured.
> > 2012/07/31 15:57:43 ossec-agentd(4102): INFO: Connected to the server (10.200.11.140:1514).
> > 2012/07/31 15:57:46 ossec-syscheckd: INFO: Started (pid: 28787).
> > 2012/07/31 15:57:46 ossec-rootcheck: INFO: Started (pid: 28787).
> > 2012/07/31 15:57:48 ossec-logcollector: INFO: Started (pid: 28783).
> > 2012/07/31 15:59:20 ossec-rootcheck: INFO: Starting rootcheck scan.
> > 2012/07/31 15:59:20 ossec-rootcheck: No rootcheck_files file configured.
> > 2012/07/31 15:59:20 ossec-rootcheck: No rootcheck_trojans file configured.
> > 2012/07/31 16:00:13 ossec-rootcheck: INFO: Ending rootcheck scan.
> >
> > With the redhat installed version from the AtomiCorp repository I cannot
> > even restart the agent from the server, and likewise no config is pushed to
> > the client. Then I downloaded the tarball and extracted it, ran install.sh,
> > build, etc. This is a bit better in that I can restart the agent from the
> > server. Again, the config is not pushed to the agent.
> >
> > Please help
> >
>
> How long did you wait? It can sometimes take a while. Also, check the
> permissions. Try creating the file (or copying it over) and making
> sure the permissions are correct so it can be overwritten.

--
Steve Kieu
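
A read-only check for the permission question raised in this thread, as an added example that is not part of the original messages or OSSEC's own code: it reports whether a given uid and group set can overwrite etc/shared/agent.conf under classic Unix mode bits, and flags the world-writable state that chmod 666 would produce. The function names, the stranger uid and the temporary directory standing in for /var/ossec/etc/shared are assumptions made for the example.

```python
import os
import stat
import tempfile


def can_write(st, uid, gids):
    """Classic owner/group/other write check (ignores ACLs and root's override)."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def audit_shared_config(path, uid, gids):
    """Report whether uid/gids could overwrite `path`, and whether it is over-exposed."""
    report = {"exists": os.path.exists(path)}
    # Re-creating a removed file needs write permission on the directory itself.
    report["dir_writable"] = can_write(os.stat(os.path.dirname(path) or "."), uid, gids)
    if report["exists"]:
        st = os.stat(path)
        report["mode"] = oct(stat.S_IMODE(st.st_mode))
        report["file_writable"] = can_write(st, uid, gids)
        # chmod 666 sets this bit: any local user could then edit the config.
        report["world_writable"] = bool(st.st_mode & stat.S_IWOTH)
    return report


def demo():
    """Constructed sample: a temp dir stands in for /var/ossec/etc/shared."""
    with tempfile.TemporaryDirectory() as shared:
        conf = os.path.join(shared, "agent.conf")
        with open(conf, "w") as fh:
            fh.write('<agent_config name="AGENT_NAME"></agent_config>\n')
        owner = os.stat(conf).st_uid
        stranger = owner + 1  # hypothetical uid that owns neither file nor directory
        results = {}
        os.chmod(conf, 0o640)
        results["owner_640"] = audit_shared_config(conf, owner, set())
        results["stranger_640"] = audit_shared_config(conf, stranger, set())
        os.chmod(conf, 0o666)
        results["stranger_666"] = audit_shared_config(conf, stranger, set())
        return results


if __name__ == "__main__":
    for case, report in demo().items():
        print(case, report)
```

On a real agent, pass the uid and group ids of the account the agent daemon runs as (for example from `pwd.getpwnam()`) together with the real path to agent.conf.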
