On Tue, Jul 31, 2012 at 7:31 AM, Steve Kieu <[email protected]> wrote:
> I did it and restart the server first and the client later. Should it be
> picked up right away ?
>

It could take a while for it to be pushed. I think if you run the
processes in debug mode the transfer will be logged. Running in debug
mode might be a good idea to see if it logs information on why the
agent.conf isn't being pushed.

> I already checked permission. Not sure which process read the
> etc/shared/agent.conf though as some process is run by root, other run by
> ossec user (not remembered exactly the name as I am currently off work, so
> no access to server). The permissions is user,group readable. Not really
> sure what exactly the mode it should be and ownership of it though. Should I
> chmod 666 it ?
>
> -rw-r--r-- 1 ossec ossec 10908 Jul 12 17:35 agent.conf
>
> On Tue, Jul 31, 2012 at 9:21 PM, dan (ddp) <[email protected]> wrote:
>>
>> On Tue, Jul 31, 2012 at 2:11 AM, peace <[email protected]> wrote:
>> > Hello list,
>> >
>> > I have tried many things until I just give up and ask for help.
>> > Basically
>> > the centralized agent config not working.
>> >
>> > At agent I remove the etc/shared/agent.conf
>> >
>> > and etc/ossec.conf contains only
>> >
>> > <ossec_config>
>> >   <client>
>> >     <server-ip>10.200.11.140</server-ip>
>> >   </client>
>> >
>> > </ossec_config>
>> >
>> > And in the server configured the shared/agent.conf like this
>> >
>> > <agent_config name="AGENT_NAME">
>> >   <syscheck>
>> >     <!-- Frequency that syscheck is executed -- default every 2 hours
>> > -->
>> >     <frequency>7200</frequency>
>> >
>> >     <!-- Directories to check (perform all possible verifications) -->
>> >     <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
>> >     <directories check_all="yes">/bin,/sbin</directories>
>> >
>> >     <!-- Files/directories to ignore -->
>> >     <ignore>/etc/mtab</ignore>
>> >     <ignore>/etc/hosts.deny</ignore>
>> >     <ignore>/etc/mail/statistics</ignore>
>> >     <ignore>/etc/random-seed</ignore>
>> >     <ignore>/etc/adjtime</ignore>
>> >     <ignore>/etc/httpd/logs</ignore>
>> >   </syscheck>
>> >
>> >   <rootcheck>
>> >
>> >     <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
>> >
>> >     <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
>> >   </rootcheck>
>> >
>> >   <localfile>
>> >     <log_format>syslog</log_format>
>> >     <location>/var/log/messages</location>
>> >   </localfile>
>> >
>> > </agent_config>
>> >
>> > Restart server, restart agent and see the config is not pushed to agent
>> > at
>> > all
>> >
>> > 2012/07/31 15:57:42 ossec-agentd: INFO: Started (pid: 28779).
>> > 2012/07/31 15:57:42 ossec-agentd: INFO: Server IP Address: 10.200.11.140
>> > 2012/07/31 15:57:42 ossec-agentd: INFO: Trying to connect to server
>> > (10.200.11.140:1514).
>> > 2012/07/31 15:57:42 ossec-agentd: INFO: Using IPv4 for: 10.200.11.140 .
>> > 2012/07/31 15:57:42 ossec-logcollector(1905): INFO: No file configured
>> > to
>> > monitor.
>> > 2012/07/31 15:57:42 ossec-syscheckd(1702): INFO: No directory provided
>> > for
>> > syscheck to monitor.
>> > 2012/07/31 15:57:42 ossec-syscheckd: WARN: Syscheck disabled.
>> > 2012/07/31 15:57:42 ossec-rootcheck: System audit file not configured.
>> > 2012/07/31 15:57:43 ossec-agentd(4102): INFO: Connected to the server
>> > (10.200.11.140:1514).
>> > 2012/07/31 15:57:46 ossec-syscheckd: INFO: Started (pid: 28787).
>> > 2012/07/31 15:57:46 ossec-rootcheck: INFO: Started (pid: 28787).
>> > 2012/07/31 15:57:48 ossec-logcollector: INFO: Started (pid: 28783).
>> > 2012/07/31 15:59:20 ossec-rootcheck: INFO: Starting rootcheck scan.
>> > 2012/07/31 15:59:20 ossec-rootcheck: No rootcheck_files file configured.
>> > 2012/07/31 15:59:20 ossec-rootcheck: No rootcheck_trojans file
>> > configured.
>> > 2012/07/31 16:00:13 ossec-rootcheck: INFO: Ending rootcheck scan.
>> >
>> > The redhat installed version from AtomiCorp repository I even can
>> > not
>> > restart the agent from server. and same no config is pushed to client.
>> > Then
>> > I downloaded tar ball and extract, run install.sh build etc.. - this is
>> > a
>> > bit better that I can restart agent from the server. Again, config is
>> > not
>> > pushed to agent.
>> >
>> > Please help
>> >
>>
>> How long did you wait? It can sometimes take a while. Also, check the
>> permissions. Try creating the file (or copying it over) and making
>> sure the permissions are correct so it can be overwritten.
>
> --
> Steve Kieu
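
An added example, not part of the original thread and not OSSEC's own code: the agent log quoted above shows an agent that connects to the manager while log collection, syscheck and rootcheck all start with nothing configured. The sketch below parses those log lines (copied from the thread, wrapped lines rejoined) and lists the coverage gaps; the gap descriptions and function names are this example's own.

```python
import re

# Agent log lines copied from the thread above (wrapped lines rejoined).
SAMPLE_LOG = """\
2012/07/31 15:57:42 ossec-agentd: INFO: Started (pid: 28779).
2012/07/31 15:57:42 ossec-logcollector(1905): INFO: No file configured to monitor.
2012/07/31 15:57:42 ossec-syscheckd(1702): INFO: No directory provided for syscheck to monitor.
2012/07/31 15:57:42 ossec-syscheckd: WARN: Syscheck disabled.
2012/07/31 15:57:42 ossec-rootcheck: System audit file not configured.
2012/07/31 15:57:43 ossec-agentd(4102): INFO: Connected to the server (10.200.11.140:1514).
2012/07/31 15:59:20 ossec-rootcheck: No rootcheck_files file configured.
2012/07/31 15:59:20 ossec-rootcheck: No rootcheck_trojans file configured.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<proc>[\w-]+)(?:\((?P<code>\d+)\))?: "
    r"(?:(?P<level>[A-Z]+): )?(?P<msg>.*)$"
)

# Message substrings seen in the thread's log -> gap label (labels are assumptions).
GAPS = {
    "No file configured to monitor": "log collection: no <localfile> in effect",
    "No directory provided for syscheck": "integrity checking: no <directories> in effect",
    "Syscheck disabled": "integrity checking: syscheck is off",
    "No rootcheck_files file configured": "rootcheck: no rootkit files list",
    "No rootcheck_trojans file configured": "rootcheck: no rootkit trojans list",
}

def parse(log_text):
    """Yield one dict per well-formed log line; skip anything else."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()

def coverage_gaps(log_text):
    """Return (connected_to_manager, sorted gap labels) for one agent log."""
    connected, gaps = False, set()
    for rec in parse(log_text):
        if rec["proc"] == "ossec-agentd" and "Connected to the server" in rec["msg"]:
            connected = True
        for needle, gap in GAPS.items():
            if needle in rec["msg"]:
                gaps.add(gap)
    return connected, sorted(gaps)

if __name__ == "__main__":
    print(coverage_gaps(SAMPLE_LOG))
```

An agent that reports as connected but returns a non-empty gap list is the case worth alerting on, since it looks healthy from the manager while monitoring nothing.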
