Thanks a lot. I found a bug. "shared" dir had 755 permissions and ossec owner. I changed permissions to 775 and merged.mg with "ossecr" owner and "ossec" group created.
On Friday, October 12, 2012 at 18:22:58 UTC+4, dan (ddpbsd) wrote:

> On Fri, Oct 12, 2012 at 10:14 AM, kay kay <[email protected]> wrote:
> > I can't find any 'merged' logs in /var/ossec/logs/ossec.log
> > Is there any option for ossec-server I should change?
> >
> > I only turned on debugging on the server:
> > /var/ossec/bin/ossec-control enable debug && /var/ossec/bin/ossec-control restart
> >
> > Also the last modification date of merged.mg is:
> > -bash-3.2# ls -la /var/ossec/etc/shared/merged.mg
> > -rw-r--r-- 1 ossec ossec 74572 Jun 25 16:00 /var/ossec/etc/shared/merged.mg
> >
> > The last modification date of agent.conf is:
> > -bash-3.2# ls -la /var/ossec/etc/shared/agent.conf
> > -rw-r--r-- 1 ossec ossec 146 Oct 12 17:06 /var/ossec/etc/shared/agent.conf
> >
>
> Try deleting the contents of those files before restarting the processes (first on the server, then the agent):
> cat /dev/null > /var/ossec/etc/shared/merged.mg ; cat /dev/null > /var/ossec/etc/shared/agent.conf
>
> > On Friday, October 12, 2012 at 18:07:22 UTC+4, dan (ddpbsd) wrote:
> >> On Fri, Oct 12, 2012 at 10:02 AM, kay kay <[email protected]> wrote:
> >> > I have just enabled detailed debug log (level 2) but can't find any logs for "shared" or "agent.conf"
> >> > Could you please explain what I should look for?
> >>
> >> On the server I changed my agent.conf, restarted the server processes. Then restarted the agent's ossec processes and saw the following in the server's ossec.log:
> >>
> >> 2012/10/12 10:05:13 ossec-remoted: DEBUG Sending file 'merged.mg' to agent.
> >>
> >> The merged.mg file is a few config files merged together. They get split on the agent side. After seeing this message I waited a minute, and checked the md5 of the agent.conf. It matched the new agent.conf on the server.
> >>
> >> > On Friday, October 12, 2012 at 17:49:05 UTC+4, dan (ddpbsd) wrote:
> >> >> On Fri, Oct 12, 2012 at 9:24 AM, kay kay <[email protected]> wrote:
> >> >> >> I thought nginx had its own format?
> >> >> >
> >> >> > It works great on ossec-server.
> >> >> >
> >> >> >> /var/ossec/etc/ossec.conf and /var/ossec/etc/shared/agent.conf are valid. I am not familiar with ossec-agent.conf.
> >> >> >
> >> >> > /var/ossec/etc/ossec.conf is a symlink to /var/ossec/etc/ossec-agent.conf on ossec agents.
> >> >> >
> >> >>
> >> >> Not on any ossec agent I have, but it doesn't really matter.
> >> >>
> >> >> >> How long did you wait? It can take a while for the transfer to complete.
> >> >> >
> >> >> > About 4 hours already.
> >> >> >
> >> >> > I even can't find any logs related to agent.conf pushing.
> >> >> >
> >> >>
> >> >> Restarting the ossec processes in debug mode might produce some logs about it.
> >> >>
> >> >> I'd try touching agent.conf and making sure the permissions are correct. This works for me:
> >> >>
> >> >> [ddp@junction] :; ls -l /var/ossec/etc/shared/agent.conf
> >> >> -rw-r--r-- 1 ossec ossec 10908 Aug 16 11:52 /var/ossec/etc/shared/agent.conf
> >> >>
> >> >> > On Friday, October 12, 2012 at 17:18:36 UTC+4, dan (ddpbsd) wrote:
> >> >> >> On Fri, Oct 12, 2012 at 9:15 AM, kay kay <[email protected]> wrote:
> >> >> >> > Dear Dan
> >> >> >> >
> >> >> >> >> What did you set in the agent.conf file?
> >> >> >> >
> >> >> >> > here is my /var/ossec/etc/shared/agent.conf:
> >> >> >> >
> >> >> >> > <agent_config>
> >> >> >> >   <localfile>
> >> >> >> >     <log_format>apache</log_format>
> >> >> >>
> >> >> >> I thought nginx had its own format?
> >> >> >>
> >> >> >> >     <location>/var/log/nginx/error_log</location>
> >> >> >> >   </localfile>
> >> >> >> > </agent_config>
> >> >> >> >
> >> >> >> >> Did the agent.conf file get transferred from the server to the agents?
> >> >> >> >
> >> >> >> > No, it didn't. I checked /var/ossec/etc/ossec-agent.conf, /var/ossec/etc/ossec.conf (symlink to ossec-agent.conf) and /var/ossec/etc/shared/ossec.conf
> >> >> >> >
> >> >> >>
> >> >> >> /var/ossec/etc/ossec.conf and /var/ossec/etc/shared/agent.conf are valid. I am not familiar with ossec-agent.conf.
> >> >> >>
> >> >> >> >> Did you restart the agent processes after the new agent.conf was transferred?
> >> >> >> >
> >> >> >> > agent.conf was not transferred but I tried to restart it anyway.
> >> >> >> >
> >> >> >>
> >> >> >> How long did you wait? It can take a while for the transfer to complete.
> >> >> >>
> >> >> >> >> Why do you think it isn't working?
> >> >> >> >
> >> >> >> > Modification time of *.conf files on agents is not changed. And conf files actually don't contain:
> >> >> >> > <location>/var/log/nginx/error_log</location>
> >> >> >> >
> >> >> >> > On Friday, October 12, 2012 at 16:35:27 UTC+4, dan (ddpbsd) wrote:
> >> >> >> >> On Fri, Oct 12, 2012 at 7:37 AM, kay kay <[email protected]> wrote:
> >> >> >> >> > I tried to follow the http://www.ossec.net/doc/manual/agent/agent-configuration.html manual but agents don't get the configuration from the shared directory (/var/ossec/etc/shared directory on server).
> >> >> >> >> >
> >> >> >> >>
> >> >> >> >> Please use specifics. What did you set in the agent.conf file? Did the agent.conf file get transferred from the server to the agents? Did you restart the agent processes after the new agent.conf was transferred? Why do you think it isn't working?
> >> >> >> >>
> >> >> >> >> > On Friday, October 12, 2012 at 10:46:38 UTC+4, kay kay wrote:
> >> >> >> >> >> At the moment I use syslog-ng to collect logs from whole servers and analyze them on ossec-server with decoders and rules.
> >> >> >> >> >>
> >> >> >> >> >> How can I configure ossec-server to avoid log collecting with syslog-ng?
> >> >> >> >> >>
> >> >> >> >> >> I.e. I have two servers (ossec-agents) with nginx. I need to analyze nginx logs. Should I configure a decoder and rule on each ossec-agent, or can I create one decoder and one rule on ossec-server that will be automatically pushed to ossec-agents?
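The diagnostic dan walks kay through above (restart in debug mode, look for the ossec-remoted "Sending file 'merged.mg'" line, compare the md5 of agent.conf on the agent with the server's copy, and check the file's permissions) as an added example; this is not code from the thread or from the OSSEC project. It assumes only the log line format quoted above and the rw-r--r-- mode shown in the ls output; the log lines and agent.conf copies it checks are constructed in a temporary directory so it runs without an OSSEC install. Ownership (the ossec/ossecr users kay mentions) is left to ls -l as in the thread, since those users do not exist on an arbitrary test machine.

```python
"""Checks for a stuck agent.conf push: remoted log line, md5 match, file mode.

Added example, not OSSEC code. Inputs are constructed for the demonstration.
"""
import hashlib
import os
import re
import stat
import tempfile

# -rw-r--r-- as shown in the thread's ls output for agent.conf
EXPECTED_FILE_MODE = 0o644

# Matches the debug line dan quotes from the server's ossec.log, e.g.
# "2012/10/12 10:05:13 ossec-remoted: DEBUG Sending file 'merged.mg' to agent."
SEND_RE = re.compile(
    r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) ossec-remoted: DEBUG "
    r"Sending file '([^']+)' to agent\.$"
)


def merged_pushes(log_lines):
    """Return (timestamp, filename) for every remoted 'Sending file' debug line."""
    pushes = []
    for line in log_lines:
        m = SEND_RE.match(line.strip())
        if m:
            pushes.append((m.group(1), m.group(2)))
    return pushes


def file_md5(path):
    """md5 of a file, read in chunks (what 'checked the md5' in the thread does)."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def agent_conf_in_sync(server_conf, agent_conf):
    """True when the agent's agent.conf is byte-identical to the server's."""
    return file_md5(server_conf) == file_md5(agent_conf)


def mode_problems(path, expected_mode=EXPECTED_FILE_MODE):
    """List human-readable problems with a shared file's permission bits."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    problems = []
    if mode != expected_mode:
        problems.append(f"{path}: mode {oct(mode)} != expected {oct(expected_mode)}")
    if mode & stat.S_IWOTH:
        problems.append(f"{path}: world-writable")
    return problems


def demo():
    """Run all three checks on constructed inputs; returns the results as a dict."""
    with tempfile.TemporaryDirectory() as tmp:
        shared = os.path.join(tmp, "shared")            # stands in for /var/ossec/etc/shared
        os.mkdir(shared)
        server_conf = os.path.join(shared, "agent.conf")
        agent_conf = os.path.join(tmp, "agent.conf")   # stands in for the agent's copy

        # The agent.conf kay posted, as the server's current version
        new_conf = (
            "<agent_config>\n  <localfile>\n    <log_format>apache</log_format>\n"
            "    <location>/var/log/nginx/error_log</location>\n  </localfile>\n"
            "</agent_config>\n"
        )
        with open(server_conf, "w") as f:
            f.write(new_conf)
        # A stale copy on the agent (constructed): the push has not arrived yet
        with open(agent_conf, "w") as f:
            f.write("<agent_config>\n</agent_config>\n")
        os.chmod(server_conf, EXPECTED_FILE_MODE)

        # Constructed ossec.log excerpt: one real-format remoted line plus filler
        log_lines = [
            "2012/10/12 10:05:00 ossec-analysisd: INFO constructed filler line",
            "2012/10/12 10:05:13 ossec-remoted: DEBUG Sending file 'merged.mg' to agent.",
        ]

        results = {
            "pushes": merged_pushes(log_lines),
            "stale_in_sync": agent_conf_in_sync(server_conf, agent_conf),
            "mode_problems_ok": mode_problems(server_conf),
        }

        # Simulate the push landing: agent copy now equals the server copy
        with open(agent_conf, "w") as f:
            f.write(new_conf)
        results["after_push_in_sync"] = agent_conf_in_sync(server_conf, agent_conf)

        # What a wrong chmod (world-writable) would report
        os.chmod(server_conf, 0o666)
        results["mode_problems_bad"] = mode_problems(server_conf)
        return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run against a real install by pointing `merged_pushes` at the lines of /var/ossec/logs/ossec.log (after `ossec-control enable debug` and a restart, as in the thread) and `agent_conf_in_sync` at the server's /var/ossec/etc/shared/agent.conf and the agent's copy; a missing push line with a stale agent copy points at the server side, a present push line with a stale copy at the agent side.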
