On Wed, Aug 1, 2012 at 9:09 AM, dan (ddp) <[email protected]> wrote:
> On Tue, Jul 31, 2012 at 7:16 PM, Steve Kieu <[email protected]> wrote:
>>>
>>> It could take a while for it to be pushed. I think if you run the
>>> processes in debug mode the transfer will be logged. Running in debug
>>> mode might be a good idea to see if it logs information on why the
>>> agent.conf isn't being pushed.
>>>
>>
>> I suppose that I change in the server and client as well file
>> etc/internal_options.conf and set all debug options to 1 (from 0) - I did
>> this and restarted both of them. No strange message spotted
>>
>
> But did you run the processes in debug mode (-d)?
>
>> I guess the process dealing with this is ossec-remoted so it does not log
>> anything useful. Check all other is the same
>>
>> 2012/08/01 03:04:22 ossec-remoted: INFO: Assigning sender counter: 0:502
>> 2012/08/01 03:06:46 ossec-remoted: INFO: Started (pid: 23100).
>> 2012/08/01 03:06:46 ossec-remoted: Remote syslog allowed from: '10.0.0.0/8'
>> 2012/08/01 03:06:46 ossec-remoted: INFO: Started (pid: 23101).
>> 2012/08/01 03:06:46 ossec-remoted: INFO: Started (pid: 23102).
>> 2012/08/01 03:06:47 ossec-remoted: INFO: Assigning counter for agent
>> build-centos5-i386: '0:1208'.
>> 2012/08/01 03:06:47 ossec-remoted: INFO: Assigning sender counter: 0:504
>>
>> and after restarting client it still says:
>>
>> 2012/08/01 09:08:35 ossec-rootcheck: No rootcheck_files file configured.
>> 2012/08/01 09:08:35 ossec-rootcheck: No rootcheck_trojans file configured.
>>
>> I do think this is a bug - but strange that it does not happen to anyone
>> else (maybe no one runs the same as my test set up)? Can anyone confirm,
>> a fresh installation of ossec, and most importantly the client side,
>> etc/share/agent.conf is removed and etc/ossec.conf only contains the server
>> IP information -
>>
>
> I think it's an admin issue, no evidence of a bug has been provided.
>
> I'm testing it out now though.

So I blanked the agent.conf and merged.mg file on an agent, restarted
the ossec processes on the server, then restarted the processes on the
agent and ended up with:

# ls -l
total 340
-rw-r--r-- 1 ossec ossec 10908 Aug 1 09:18 agent.conf
-rw-r--r-- 1 ossec ossec 167 Aug 1 09:18 ar.conf
-rwxrwx--- 1 root ossec 9433 Aug 1 09:18 cis_debian_linux_rcl.txt
-rwxrwx--- 1 root ossec 8125 Aug 1 09:18 cis_rhel5_linux_rcl.txt
-rwxrwx--- 1 root ossec 14185 Aug 1 09:18 cis_rhel_linux_rcl.txt
-rw-r--r-- 1 ossec ossec 80711 Aug 1 09:18 merged.mg
-rwxrwx--- 1 root ossec 14811 Aug 1 09:18 rootkit_files.txt
-rwxrwx--- 1 root ossec 5130 Aug 1 09:18 rootkit_trojans.txt
-rwxrwx--- 1 root ossec 4393 Aug 1 09:18 system_audit_rcl.txt
-rwxrwx--- 1 root ossec 4614 Aug 1 09:18 win_applications_rcl.txt
-rwxrwx--- 1 root ossec 3798 Aug 1 09:18 win_audit_rcl.txt
-rwxrwx--- 1 root ossec 4866 Aug 1 09:18 win_malware_rcl.txt

Try blanking the merged.mg.
