We also had the same trouble getting the central config to work until we were told that active-response had to be enabled on the clients first. I don't think that is documented anywhere, but it is what got our central config to start working.

Patrick Swartz

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp)
Sent: Wednesday, August 01, 2012 8:10 AM
To: [email protected]
Subject: Re: [ossec-list] Can nto have centralized agent config working

On Tue, Jul 31, 2012 at 7:16 PM, Steve Kieu <[email protected]> wrote:
>>
>> It could take a while for it to be pushed. I think if you run the
>> processes in debug mode the transfer will be logged. Running in debug
>> mode might be a good idea to see if it logs information on why the
>> agent.conf isn't being pushed.
>>
>
> I suppose that I change in the server and client as well file
> etc/internal_options.conf and set all debug options to 1 (from 0) - I did
> this and restarted both of them. No strange message spotted
>

But did you run the processes in debug mode (-d)?

> I guess the process dealing with this is ossec-remoted so it does not log
> anything useful. Check all other is the same
>
> 2012/08/01 03:04:22 ossec-remoted: INFO: Assigning sender counter: 0:502
> 2012/08/01 03:06:46 ossec-remoted: INFO: Started (pid: 23100).
> 2012/08/01 03:06:46 ossec-remoted: Remote syslog allowed from: '10.0.0.0/8'
> 2012/08/01 03:06:46 ossec-remoted: INFO: Started (pid: 23101).
> 2012/08/01 03:06:46 ossec-remoted: INFO: Started (pid: 23102).
> 2012/08/01 03:06:47 ossec-remoted: INFO: Assigning counter for agent build-centos5-i386: '0:1208'.
> 2012/08/01 03:06:47 ossec-remoted: INFO: Assigning sender counter: 0:504
>
> and after restarting client it still says:
>
> 2012/08/01 09:08:35 ossec-rootcheck: No rootcheck_files file configured.
> 2012/08/01 09:08:35 ossec-rootcheck: No rootcheck_trojans file configured.
>
> I do think this is a bug - but strange that it does not happen to anyone
> else (maybe no one runs the same as my test set up) ? Can anyone confirm,
> a fresh installation of ossec, and most importantly the client side,
> etc/share/agent.conf is removed and etc/ossec.conf only contains the server
> IP information -
>

I think it's an admin issue, no evidence of a bug has been provided.
I'm testing it out now though.
