Okay, so getting lots of errors in ossec.log:
2013/08/14 19:37:36 ossec-logcollector(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
2013/08/14 19:41:56 ossec-remoted(1210): ERROR: Queue '/queue/ossec/queue' not accessible: 'Connection refused'.
2013/08/14 19:41:58 ossec-logcollector(1224): ERROR: Error sending message to queue.
2013/08/14 19:41:59 ossec-remoted(1210): ERROR: Queue '/queue/ossec/queue' not accessible: 'Connection refused'.
2013/08/14 19:41:59 ossec-remoted(1211): ERROR: Unable to access queue: '/queue/ossec/queue'. Giving up..
2013/08/14 19:42:01 ossec-logcollector(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2013/08/14 19:42:01 ossec-logcollector(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
2013/08/14 19:46:06 ossec-monitord(1224): ERROR: Error sending message to queue.
With the attached agent.conf applied. When I remove the agent.conf file and
restart the ossec server, all the agents reconnect and all is well. I am
guessing... that I have an error in the logic on this file. I have
confirmed that on each agent server, the correct files are being parsed per
each <config-profile></config-profile> statement in the local ossec.conf.
Here is an example:
<config-profile>D2C-NAT</config-profile>
Would really like to understand what I am missing. Again, I really
appreciate all of the help on this and other posts!!!
On Wednesday, July 17, 2013 10:44:26 AM UTC-4, dan (ddpbsd) wrote:
>
>
> On Jul 17, 2013 10:06 AM, "Jared" <[email protected]> wrote:
> >
> > Sorry to open an old thread, but I have a related question.
> >
> > Is there any way to tell a host that it is a web or db server through
> > the push of the agent.conf? Or is it a requirement to update the ossec.conf
> > on every server to tell it what group it is a member of?
> >
>
> No idea, I'll have to try it and find out.
>
> > Thank you,
> >
> > Jared
> >
> > On Monday, June 24, 2013 2:25:53 PM UTC-4, dan (ddpbsd) wrote:
> >>
> >> On Mon, Jun 24, 2013 at 1:15 PM, Jared <[email protected]> wrote:
> >> > Question:
> >> >
> >> > How are "Profiles" associated with clients / agents?
> >> >
> >> > Scenario:
> >> >
> >> > Agent ID = 001 = Web01 = IIS and MySQL = Windows
> >> >
> >> > Agent ID = 002 = Web02 = Apache/Tomcat and MySQL = CentOs
> >> >
> >> > I would like to have a profile for each server type so that I no
> >> > longer see the following errors:
> >> >
> >> > 2013/06/24 10:08:52 ossec-agent(1952): INFO: Monitoring variable log file: 'C:\Tomcat7\logs\localhost_access_log.2013-06-24.txt'.
> >> > 2013/06/24 10:08:52 ossec-agent(1103): ERROR: Unable to open file 'C:\Tomcat7\logs\localhost_access_log.2013-06-24.txt'.
> >> >
> >> >
> >> > For Windows servers that do not have Tomcat for example?
> >> >
> >> > Based on the following from the web documentation from
> >> > http://www.ossec.net/doc/syntax/head_agent_config.html?highlight=profile#profile:
> >> >
> >> > profile
> >> > This option to agent_config allows you to assign a profile name to the
> >> > block. Any agent may use this block if it is configured to use the
> >> > defined profile.
> >> >
> >> > Example: <agent_config profile="webservers">
> >> >
> >> >
> >> > How do I tell Agent 002 that it should be associated with "LinuxWebs"
> >> >
> >> > <agent_config profile="LinuxWebs">
> >> >
> >> >
> >> >
> >> > How do I tell Agent 002 that it should be subordinate to "WinWebs"
> >> >
> >> > <agent_config profile="LinuxWebs">
> >> >
> >> >
> >> >
> >> > In the following config:
> >> >
> >> > <agent_config profile="LinuxWebs">
> >> > <localfile>
> >> > <location>/var/log/secure</location>
> >> > <log_format>syslog</log_format>
> >> > </localfile>
> >> >
> >> >
> >> > </agent_config>
> >> >
> >> > Thanks for all of the posts and info? Very helpful list!!
> >> >
> >> > Jared
> >> >
> >>
> >> In the agent's ossec.conf add a <config-profile> entry to the <client>
> >> section. Example:
> >>
> >> <ossec_config>
> >> <client>
> >> <server-ip>192.168.17.9</server-ip>
> >> <config-profile>openbsd-firewall,openbsd-test</config-profile>
> >> </client>
> >> </ossec_config>
> >>
> >> The above agent is a member of the openbsd-firewall and openbsd-test
> >> profiles in agent.conf.
> >>
> >> > --
> >> >
> >> > ---
> >> > You received this message because you are subscribed to the Google Groups
> >> > "ossec-list" group.
> >> > To unsubscribe from this group and stop receiving emails from it, send an
> >> > email to [email protected].
> >> > For more options, visit https://groups.google.com/groups/opt_out.
> >> >
> >> >
> >
>
<agent_config profile="D2C-DAS">
<localfile>
<location>/usr/tomcat/server/logs/das/ddcloud.%Y-%m-%d.log</location>
<log_format>syslog</log_format>
</localfile>
<localfile>
<location>/usr/tomcat/server/logs/das/clouddb.%Y-%m-%d.log</location>
<log_format>syslog</log_format>
</localfile>
<localfile>
<location>/usr/tomcat/server/logs/catalina.%Y-%m-%d.log</location>
<log_format>syslog</log_format>
</localfile>
<localfile>
<location>/usr/tomcat/server/logs/catalina.out</location>
<log_format>syslog</log_format>
</localfile>
<localfile>
<location>/usr/tomcat/server/logs/localhost_access_log.%Y-%m-%d.txt</location>
<log_format>syslog</log_format>
</localfile>
<localfile>
<location>/var/log/audit/audit.log</location>
<log_format>syslog</log_format>
</localfile>
<localfile>
<location>/var/symantec/Logs/%m%d%Y.log</location>
<log_format>syslog</log_format>
</localfile>
</agent_config>
<agent_config profile="D2C-WAP">
<localfile>
<location>/opt/progress/PF/portal/apache-tomcat-7.0.28/logs/catalina.%Y-%m-%d.log</location>
<log_format>syslog</log_format>
</localfile>
<localfile>
<location>/opt/progress/PF/portal/apache-tomcat-7.0.28/logs/catalina.out</location>
<log_format>syslog</log_format>
</localfile>
<localfile>
<location>/opt/progress/PF/portal/apache-tomcat-7.0.28/logs/localhost_access_log.%Y-%m-%d.txt</location>
<log_format>syslog</log_format>
</localfile>
<localfile>
<location>/opt/progress/PF/portal/apache-tomcat-7.0.28/logs/localhost.%Y-%m-%d.log</location>
<log_format>syslog</log_format>
</localfile>
<localfile>
<location>/opt/progress/PF/portal/logs/liferay.%Y-%m-%d.log</location>
<log_format>syslog</log_format>
</localfile>
<localfile>
<location>/usr/d2ctools/java/c2s-jmap-heap-tomcat</location>
<log_format>syslog</log_format>
</localfile>
<localfile>
<location>/var/log/audit/audit.log</location>
<log_format>syslog</log_format>
</localfile>
<localfile>
<location>/var/symantec/Logs/%m%d%Y.log</location>
<log_format>syslog</log_format>
</localfile>
</agent_config>
<agent_config profile="D2C-NAT">
<localfile>
<location>/usr/d2ctools/java/c2s-jmap-heap-tomcat</location>
<log_format>syslog</log_format>
</localfile>
<localfile>
<location>/var/log/audit/audit.log</location>
<log_format>syslog</log_format>
</localfile>
<localfile>
<location>/var/symantec/Logs/%m%d%Y.log</location>
<log_format>syslog</log_format>
</localfile>
</agent_config>
<agent_config profile="D2C-MNA">
<localfile>
<location>/usr/d2ctools/java/c2s-jmap-heap-tomcat</location>
<log_format>syslog</log_format>
</localfile>
<localfile>
<location>/usr/tomcat/server/logs/catalina.%Y-%m-%d.log</location>
<log_format>syslog</log_format>
</localfile>
<localfile>
<location>/usr/tomcat/server/logs/catalina.out</location>
<log_format>syslog</log_format>
</localfile>
<localfile>
<location>/usr/tomcat/server/logs/localhost_access_log.%Y-%m-%d.txt</location>
<log_format>syslog</log_format>
</localfile>
<localfile>
<location>/usr/tomcat/server/logs/mna/Metering_INFO.log</location>
<log_format>syslog</log_format>
</localfile>
<localfile>
<location>/usr/tomcat/server/logs/mna/Notification_INFO.log</location>
<log_format>syslog</log_format>
</localfile>
<localfile>
<location>/var/log/audit/audit.log</location>
<log_format>syslog</log_format>
</localfile>
<localfile>
<location>/var/symantec/Logs/%m%d%Y.log</location>
<log_format>syslog</log_format>
</localfile>
</agent_config>
<agent_config profile="Pacific-OPS">
<localfile>
<location>/var/symantec/Logs/%m%d%Y.log</location>
<log_format>syslog</log_format>
</localfile>
</agent_config>
<agent_config profile="RLB-Apache">
<localfile>
<location>/var/log/httpd/access_log</location>
<log_format>apache</log_format>
</localfile>
<localfile>
<location>/var/log/httpd/error_log</location>
<log_format>apache</log_format>
</localfile>
<localfile>
<location>/var/log/httpd/jk-runtime-status.14042</location>
<log_format>syslog</log_format>
</localfile>
<localfile>
<location>/var/log/httpd/mod_jk.log</location>
<log_format>syslog</log_format>
</localfile>
<localfile>
<location>/var/log/httpd/range-CVE-2011-3192.log</location>
<log_format>syslog</log_format>
</localfile>
<localfile>
<location>/var/log/httpd/ssl_request_log</location>
<log_format>syslog</log_format>
</localfile>
<localfile>
<location>/var/symantec/Logs/%m%d%Y.log</location>
<log_format>syslog</log_format>
</localfile>
</agent_config>
<agent_config profile="RLB-Master">
<localfile>
<location>/var/symantec/Logs/%m%d%Y.log</location>
<log_format>syslog</log_format>
</localfile>
</agent_config>
<agent_config profile="RLB-Storage">
<localfile>
<location>/opt/rollbase/apache-tomcat/logs/catalina.%Y-%m-%d.log</location>
<log_format>syslog</log_format>
</localfile>
<localfile>
<location>/opt/rollbase/apache-tomcat/logs/catalina.out</location>
<log_format>syslog</log_format>
</localfile>
<localfile>
<location>/opt/rollbase/apache-tomcat/logs/host-manager.%Y-%m-%d.log</location>
<log_format>syslog</log_format>
</localfile>
<localfile>
<location>/opt/rollbase/apache-tomcat/logs/localhost.%Y-%m-%d.log</location>
<log_format>syslog</log_format>
</localfile>
<localfile>
<location>/opt/rollbase/apache-tomcat/logs/localhost_access_log.%Y-%m-%d.txt</location>
<log_format>syslog</log_format>
</localfile>
<localfile>
<location>/opt/rollbase/apache-tomcat/logs/manager.%Y-%m-%d.log</location>
<log_format>syslog</log_format>
</localfile>
<localfile>
<location>/opt/rollbase/apache-tomcat/logs/catalina.%Y-%m-%d.log</location>
<log_format>syslog</log_format>
</localfile>
<localfile>
<location>/data/Files/1/log/API.log</location>
<log_format>syslog</log_format>
</localfile>
<localfile>
<location>/data/Files/1/log/components.log</location>
<log_format>syslog</log_format>
</localfile>
<localfile>
<location>/data/Files/1/log/download.log</location>
<log_format>syslog</log_format>
</localfile>
<localfile>
<location>/data/Files/1/log/event.log</location>
<log_format>syslog</log_format>
</localfile>
<localfile>
<location>/data/Files/1/log/main.log</location>
<log_format>syslog</log_format>
</localfile>
<localfile>
<location>/data/Files/1/log/portal.log</location>
<log_format>syslog</log_format>
</localfile>
<localfile>
<location>/var/symantec/Logs/%m%d%Y.log</location>
<log_format>syslog</log_format>
</localfile>
</agent_config>
<agent_config profile="RLB-API">
<localfile>
<location>/opt/rollbase/apache-tomcat/logs/catalina.%Y-%m-%d.log</location>
<log_format>syslog</log_format>
</localfile>
<localfile>
<location>/opt/rollbase/apache-tomcat/logs/catalina.out</location>
<log_format>syslog</log_format>
</localfile>
<localfile>
<location>/opt/rollbase/apache-tomcat/logs/host-manager.%Y-%m-%d.log</location>
<log_format>syslog</log_format>
</localfile>
<localfile>
<location>/opt/rollbase/apache-tomcat/logs/localhost.%Y-%m-%d.log</location>
<log_format>syslog</log_format>
</localfile>
<localfile>
<location>/opt/rollbase/apache-tomcat/logs/localhost_access_log.%Y-%m-%d.txt</location>
<log_format>syslog</log_format>
</localfile>
<localfile>
<location>/opt/rollbase/apache-tomcat/logs/manager.%Y-%m-%d.log</location>
<log_format>syslog</log_format>
</localfile>
<localfile>
<location>/opt/rollbase/apache-tomcat/logs/catalina.%Y-%m-%d.log</location>
<log_format>syslog</log_format>
</localfile>
<localfile>
<location>/var/symantec/Logs/%m%d%Y.log</location>
<log_format>syslog</log_format>
</localfile>
</agent_config>
<agent_config profile="RLB-Prod">
<localfile>
<location>/opt/rollbase/apache-tomcat/logs/catalina.%Y-%m-%d.log</location>
<log_format>syslog</log_format>
</localfile>
<localfile>
<location>/opt/rollbase/apache-tomcat/logs/catalina.out</location>
<log_format>syslog</log_format>
</localfile>
<localfile>
<location>/opt/rollbase/apache-tomcat/logs/host-manager.%Y-%m-%d.log</location>
<log_format>syslog</log_format>
</localfile>
<localfile>
<location>/opt/rollbase/apache-tomcat/logs/localhost.%Y-%m-%d.log</location>
<log_format>syslog</log_format>
</localfile>
<localfile>
<location>/opt/rollbase/apache-tomcat/logs/localhost_access_log.%Y-%m-%d.txt</location>
<log_format>syslog</log_format>
</localfile>
<localfile>
<location>/opt/rollbase/apache-tomcat/logs/manager.%Y-%m-%d.log</location>
<log_format>syslog</log_format>
</localfile>
<localfile>
<location>/opt/rollbase/apache-tomcat/logs/catalina.%Y-%m-%d.log</location>
<log_format>syslog</log_format>
</localfile>
<localfile>
<location>/var/symantec/Logs/%m%d%Y.log</location>
<log_format>syslog</log_format>
</localfile>
</agent_config>
<agent_config profile="RLB-Search">
<localfile>
<location>/opt/rollbase/apache-tomcat/logs/catalina.%Y-%m-%d.log</location>
<log_format>syslog</log_format>
</localfile>
<localfile>
<location>/opt/rollbase/apache-tomcat/logs/host-manager.%Y-%m-%d.log</location>
<log_format>syslog</log_format>
</localfile>
<localfile>
<location>/opt/rollbase/apache-tomcat/logs/localhost.%Y-%m-%d.log</location>
<log_format>syslog</log_format>
</localfile>
<localfile>
<location>/opt/rollbase/apache-tomcat/logs/manager.%Y-%m-%d.log</location>
<log_format>syslog</log_format>
</localfile>
<localfile>
<location>/opt/rollbase/apache-tomcat/logs/localhost_access_log.%Y-%m-%d.txt</location>
<log_format>syslog</log_format>
</localfile>
<localfile>
<location>/var/symantec/Logs/%m%d%Y.log</location>
<log_format>syslog</log_format>
</localfile>
</agent_config>
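An added check, written for this thread and not part of the original post or of OSSEC itself: a small Python script that reads an agent.conf the way the profile mechanism is described above (several top-level <agent_config> blocks, each matched against the comma-separated <config-profile> value in the agent's ossec.conf) and reports, for one agent, which <location> entries it would end up monitoring, which of those are listed twice, and which requested profile names no block defines. The sample agent.conf is constructed here and mirrors the structure of the attachment above; the function names are mine, and the rule that a block with no profile attribute applies to every agent is an assumption (OSSEC's name and os attributes are not modelled).

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample: same shape as the attached agent.conf, with a deliberate
# duplicate <location> and one block that carries no profile attribute.
SAMPLE_AGENT_CONF = """
<agent_config profile="D2C-NAT">
  <localfile>
    <location>/var/log/audit/audit.log</location>
    <log_format>syslog</log_format>
  </localfile>
</agent_config>
<agent_config profile="RLB-Prod">
  <localfile>
    <location>/opt/rollbase/apache-tomcat/logs/catalina.%Y-%m-%d.log</location>
    <log_format>syslog</log_format>
  </localfile>
  <localfile>
    <location>/opt/rollbase/apache-tomcat/logs/catalina.out</location>
    <log_format>syslog</log_format>
  </localfile>
  <localfile>
    <location>/opt/rollbase/apache-tomcat/logs/catalina.%Y-%m-%d.log</location>
    <log_format>syslog</log_format>
  </localfile>
</agent_config>
<agent_config>
  <localfile>
    <location>/var/log/messages</location>
    <log_format>syslog</log_format>
  </localfile>
</agent_config>
"""


def parse_agent_conf(text):
    """Return one {'profile': str|None, 'locations': [str]} dict per <agent_config> block.

    agent.conf carries several top-level <agent_config> elements, so it is not a
    single well-formed XML document; a synthetic root is wrapped around it first.
    """
    root = ET.fromstring("<root>" + text + "</root>")
    blocks = []
    for block in root.findall("agent_config"):
        locations = [
            lf.findtext("location", "").strip() for lf in block.findall("localfile")
        ]
        blocks.append({"profile": block.get("profile"), "locations": locations})
    return blocks


def split_profiles(config_profile):
    """Split the agent's comma-separated <config-profile> value into a set of names."""
    return {p.strip() for p in config_profile.split(",") if p.strip()}


def resolve_locations(blocks, config_profile):
    """Locations an agent with this <config-profile> value would monitor.

    Assumption: a block with no profile attribute applies to every agent;
    otherwise its profile name must appear in the agent's list.
    """
    wanted = split_profiles(config_profile)
    chosen = []
    for b in blocks:
        if b["profile"] is None or b["profile"] in wanted:
            chosen.extend(b["locations"])
    return chosen


def lint_agent_conf(text, config_profile):
    """Summarise what one agent receives from agent.conf and flag common mistakes."""
    blocks = parse_agent_conf(text)
    defined = {b["profile"] for b in blocks if b["profile"] is not None}
    locations = resolve_locations(blocks, config_profile)
    return {
        "locations": locations,
        # the same file listed twice across the blocks this agent receives
        "duplicates": sorted(loc for loc, n in Counter(locations).items() if n > 1),
        # names in the agent's <config-profile> that no block defines (typos, stale names)
        "unknown_profiles": sorted(split_profiles(config_profile) - defined),
    }


if __name__ == "__main__":
    for prof in ("D2C-NAT", "RLB-Prod", "RLB-Prod,Pacific-OPS"):
        report = lint_agent_conf(SAMPLE_AGENT_CONF, prof)
        print(prof, "->", len(report["locations"]), "locations;",
              "duplicates:", report["duplicates"],
              "unknown:", report["unknown_profiles"])
```

Run against the real file by replacing SAMPLE_AGENT_CONF with the contents of /var/ossec/etc/shared/agent.conf and passing the exact string from the agent's <config-profile> element; a non-empty unknown_profiles list means that agent silently receives nothing from the profiled blocks, and a non-empty duplicates list shows a file the agent would be told to collect twice.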