Dan, thank you for the reply. I'll change the permission as described above and test it. I'll reply once I have some feedback.
Regards,

On Wednesday, 5 June 2013 15:03:22 UTC+1, dan (ddpbsd) wrote:
> On Wed, Jun 5, 2013 at 6:46 AM, Iacob Alexandru <[email protected]> wrote:
> > Hi,
> > I have just started with OSSEC.
> > I have decided to install it on multiple servers (all Linux instances).
> > Basically I have a SERVER and, so far, 9 agents.
> >
> > All was OK with the installation, adding new agents, etc.
> > But, I have some errors on agents/server.
> >
> > It seems that the agents are not picking up the latest ar file from server.
> >
> > I should mention that, on agents, I only configured
> > /var/ossec/etc/ossec.conf and added the server IP.
> >
> > <client>
> > <server-ip>10.123.45.67</server-ip>
> > </client>
> >
> > Below are the errors and the listings from both agent and server.
> >
> > ossec-execd(1103): ERROR: Unable to open file '/var/ossec/etc/shared/ar.conf'.
> >
> > AGENT:
> > root@node:/home/andy# ll /var/ossec/etc/shared/
> > total 172
> > drwxrwx--- 2 root ossec 4096 May 31 11:33 ./
> > dr-xr-x--- 3 root ossec 4096 Jun 5 10:16 ../
> > -rwxrwx--- 1 root ossec 9501 May 31 11:33 cis_debian_linux_rcl.txt*
> > -rwxrwx--- 1 root ossec 8192 May 31 11:33 cis_rhel5_linux_rcl.txt*
> > -rwxrwx--- 1 root ossec 14251 May 31 11:33 cis_rhel_linux_rcl.txt*
> > -rw-r--r-- 1 ossec ossec 70186 May 31 11:33 merged.mg
> > -rwxrwx--- 1 root ossec 14872 May 31 11:33 rootkit_files.txt*
> > -rwxrwx--- 1 root ossec 5193 May 31 11:33 rootkit_trojans.txt*
> > -rwxrwx--- 1 root ossec 4457 May 31 11:33 system_audit_rcl.txt*
> > -rwxrwx--- 1 root ossec 4682 May 31 11:33 win_applications_rcl.txt*
> > -rwxrwx--- 1 root ossec 3859 May 31 11:33 win_audit_rcl.txt*
> > -rwxrwx--- 1 root ossec 4929 May 31 11:33 win_malware_rcl.txt*
> >
> > AGENT
> > root@node:/var/ossec/logs# tail -100 ossec.log
> > 2013/06/03 13:51:39 ossec-execd(1311): ERROR: Invalid command name 'host-deny600' provided.
> > 2013/06/03 13:51:39 ossec-execd(1103): ERROR: Unable to open file '/var/ossec/etc/shared/ar.conf'.
> > 2013/06/03 13:51:39 ossec-execd(1311): ERROR: Invalid command name 'firewall-drop600' provided.
> >
> > ###
> > SERVER
> > root@hera:/home/andy# cd /var/ossec/etc/shared/
> > root@hera:/var/ossec/etc/shared# ll
> > total 176
> > drwxrwx--- 2 root ossec 4096 May 30 13:15 ./
> > dr-xr-x--- 3 root ossec 4096 Jun 3 14:31 ../
> > -r--r----- 1 root root 153 Jun 3 17:57 ar.conf
> > -r--r----- 1 root ossec 9501 Nov 9 2012 cis_debian_linux_rcl.txt
> > -r--r----- 1 root ossec 8192 Nov 9 2012 cis_rhel5_linux_rcl.txt
> > -r--r----- 1 root ossec 14251 Nov 9 2012 cis_rhel_linux_rcl.txt
> > -rw-r--r-- 1 ossecr ossec 70186 Jun 5 10:06 merged.mg
> > -r--r----- 1 root ossec 14872 Nov 9 2012 rootkit_files.txt
> > -r--r----- 1 root ossec 5193 Nov 9 2012 rootkit_trojans.txt
> > -r--r----- 1 root ossec 4457 Nov 9 2012 system_audit_rcl.txt
> > -r--r----- 1 root ossec 4682 Nov 9 2012 win_applications_rcl.txt
> > -r--r----- 1 root ossec 3859 Nov 9 2012 win_audit_rcl.txt
> > -r--r----- 1 root ossec 4929 Nov 9 2012 win_malware_rcl.txt
> >
> > SERVER
> > /var/ossec/logs/ossec.log
> > 2013/06/04 16:17:24 ossec-syscheckd: INFO: Ending syscheck scan.
> > 2013/06/04 19:04:54 ossec-remoted: Error accessing file '/etc/shared/ar.conf'
> > 2013/06/05 00:05:02 ossec-remoted: Error accessing file '/etc/shared/ar.conf'
> > 2013/06/05 05:05:03 ossec-remoted: Error accessing file '/etc/shared/ar.conf'
> > 2013/06/05 10:06:29 ossec-remoted: Error accessing file '/etc/shared/ar.conf'
> >
> > Please let me know what I should do in order to have the agents properly
> > configured.
> >
>
> ar.conf on the server should be group ossec.
>
> I think merged.mg on the agent should be owned by root.
>
> > Regards,
> > Andy
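
Dan's point about the group on ar.conf, as an added example that is not part of the original thread: a POSIX shell filter that reads an `ls -l` listing and reports files that a process holding only the given group cannot read. The function names are hypothetical, and the sample input is a few lines copied from the server listing quoted above.

```shell
#!/bin/sh
# Added example (not from the thread): report entries in an `ls -l` listing
# that a process running with only the given group cannot read.
# Assumptions: the process is not the file owner, and file names contain no
# spaces (the name is taken from the last field).

# Hypothetical helper. Usage: ls -l /var/ossec/etc/shared | unreadable_by_group ossec
unreadable_by_group() {
    awk -v want="$1" '
        # Skip the "total" line, short lines and directories.
        $1 == "total" || NF < 9 || $1 ~ /^d/ { next }
        {
            mode = $1; owner = $3; group = $4; name = $NF
            sub(/\*$/, "", name)      # ls -F marks executables with a trailing *
            # Group members are judged by the group bits only; everyone else
            # (owner aside) by the "other" bits.
            if (group == want) ok = (substr(mode, 5, 1) == "r")
            else               ok = (substr(mode, 8, 1) == "r")
            if (!ok)
                printf "%s: owner=%s group=%s mode=%s\n", name, owner, group, mode
        }'
}

# Sample input: lines taken from the server listing quoted in the thread.
sample_server_listing() {
    cat <<'EOF'
total 176
drwxrwx--- 2 root ossec 4096 May 30 13:15 ./
-r--r----- 1 root root 153 Jun 3 17:57 ar.conf
-r--r----- 1 root ossec 9501 Nov 9 2012 cis_debian_linux_rcl.txt
-rw-r--r-- 1 ossecr ossec 70186 Jun 5 10:06 merged.mg
EOF
}

# Prints only the ar.conf entry, the one file not in group ossec.
sample_server_listing | unreadable_by_group ossec
```
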
