Hi,
I have just started with OSSEC.
I have decided to install it on multiple servers (all Linux instances).
Basically I have a SERVER and, so far, 9 agents.
All was OK with the installation, adding new agents, etc.
But, I have some errors on agents/server.
It seems that the agents are not picking up the latest ar file from server.
*I should mention that, on agents, I only configured
/var/ossec/etc/ossec.conf and added the server IP.*
<client>
<server-ip>10.123.45.67</server-ip>
</client>
Below are the errors and the listings from both agent and server.
ossec-execd(1103): ERROR: Unable to open file '/var/ossec/etc/shared/ar.conf'.
AGENT:
root@node:/home/andy# ll /var/ossec/etc/shared/
total 172
drwxrwx--- 2 root ossec 4096 May 31 11:33 ./
dr-xr-x--- 3 root ossec 4096 Jun 5 10:16 ../
-rwxrwx--- 1 root ossec 9501 May 31 11:33 cis_debian_linux_rcl.txt*
-rwxrwx--- 1 root ossec 8192 May 31 11:33 cis_rhel5_linux_rcl.txt*
-rwxrwx--- 1 root ossec 14251 May 31 11:33 cis_rhel_linux_rcl.txt*
-rw-r--r-- 1 ossec ossec 70186 May 31 11:33 merged.mg
-rwxrwx--- 1 root ossec 14872 May 31 11:33 rootkit_files.txt*
-rwxrwx--- 1 root ossec 5193 May 31 11:33 rootkit_trojans.txt*
-rwxrwx--- 1 root ossec 4457 May 31 11:33 system_audit_rcl.txt*
-rwxrwx--- 1 root ossec 4682 May 31 11:33 win_applications_rcl.txt*
-rwxrwx--- 1 root ossec 3859 May 31 11:33 win_audit_rcl.txt*
-rwxrwx--- 1 root ossec 4929 May 31 11:33 win_malware_rcl.txt*
AGENT
root@node:/var/ossec/logs# tail -100 ossec.log
2013/06/03 13:51:39 ossec-execd(1311): ERROR: Invalid command name 'host-deny600' provided.
2013/06/03 13:51:39 ossec-execd(1103): ERROR: Unable to open file '/var/ossec/etc/shared/ar.conf'.
2013/06/03 13:51:39 ossec-execd(1311): ERROR: Invalid command name 'firewall-drop600' provided.
###
SERVER
root@hera:/home/andy# cd /var/ossec/etc/shared/
root@hera:/var/ossec/etc/shared# ll
total 176
drwxrwx--- 2 root ossec 4096 May 30 13:15 ./
dr-xr-x--- 3 root ossec 4096 Jun 3 14:31 ../
-r--r----- 1 root root 153 Jun 3 17:57 ar.conf
-r--r----- 1 root ossec 9501 Nov 9 2012 cis_debian_linux_rcl.txt
-r--r----- 1 root ossec 8192 Nov 9 2012 cis_rhel5_linux_rcl.txt
-r--r----- 1 root ossec 14251 Nov 9 2012 cis_rhel_linux_rcl.txt
-rw-r--r-- 1 ossecr ossec 70186 Jun 5 10:06 merged.mg
-r--r----- 1 root ossec 14872 Nov 9 2012 rootkit_files.txt
-r--r----- 1 root ossec 5193 Nov 9 2012 rootkit_trojans.txt
-r--r----- 1 root ossec 4457 Nov 9 2012 system_audit_rcl.txt
-r--r----- 1 root ossec 4682 Nov 9 2012 win_applications_rcl.txt
-r--r----- 1 root ossec 3859 Nov 9 2012 win_audit_rcl.txt
-r--r----- 1 root ossec 4929 Nov 9 2012 win_malware_rcl.txt
SERVER
/var/ossec/logs/ossec.log
2013/06/04 16:17:24 ossec-syscheckd: INFO: Ending syscheck scan.
2013/06/04 19:04:54 ossec-remoted: Error accessing file '/etc/shared/ar.conf'
2013/06/05 00:05:02 ossec-remoted: Error accessing file '/etc/shared/ar.conf'
2013/06/05 05:05:03 ossec-remoted: Error accessing file '/etc/shared/ar.conf'
2013/06/05 10:06:29 ossec-remoted: Error accessing file '/etc/shared/ar.conf'
Please let me know what I should do in order to have the agents properly
configured.
Regards,
Andy