V & D, I would bet that the problem is with *not restarting the server after adding the agent.* I was chasing this myself and the thing is tricky because every server conf/rule 'fix' that you apply (and restart the server) actually does fix the issue for the agent you were inspecting. Only new agents (that will be added with no server restart) will start experiencing these issues again...
-Roy

On Friday, August 23, 2013 6:54:15 AM UTC-7, dan (ddpbsd) wrote:
> On Fri, Aug 23, 2013 at 9:51 AM, vtrack <[email protected]> wrote:
> >
> >> Did you restart the OSSEC processes on the server after making these
> >> changes? You made the changes on the server, right? Did a full
> >> syscheck scan on the agent complete? Were the files added to the
> >> syscheck db (on the server in
> >> /var/ossec/queue/syscheck/SOMETHING_RELATED_TO_THE_AGENT)?
> >
> > Yes, have restarted OSSEC control service (/var/ossec/bin/ossec-control)
> > after the changes on the OSSEC server conf file... And verified the
> > syscheck db, and shows the new file entry in the file.
>
> Perhaps your overwrite of 554 didn't take. I can't think of another
> reason it wouldn't alert then.
>
> >> > <rules>
> >> > <include>local_rules.xml</include>
> >> > </rules>
> >>
> >> You added the above to the agent's ossec.conf? Why? Are all of the
> >> necessary processes still running after restart?
> >
> > New files alerts were only reported when the rule was added to agent's
> > ossec.conf file. If I remove the rule tag from agent's ossec conf, alerts
> > will not be reported.. I am not sure why that is the case. If I am right,
> > the rules are only required to be at the server side.. The services on
> > both server and agent appear to be running fine...
>
> If that configuration does anything to your "agent" installation, it's
> probably not an agent installation. There is absolutely no benefit of
> defining rules on agents.
>
> > --
> > ---
> > You received this message because you are subscribed to the Google Groups
> > "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> > email to [email protected].
> > For more options, visit https://groups.google.com/groups/opt_out.
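The server-side settings this thread keeps returning to can be checked mechanically before blaming the agent. The following is an added example, not code from the thread or from the OSSEC project: it assumes the stock behaviour that rule 554 ("File added to the system.") ships at level 0 and that new-file alerting also needs `<alert_new_files>yes</alert_new_files>` in the server's `<syscheck>` block. The two config strings are constructed samples and `check_new_file_alerting` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

# Constructed server-side samples (not taken from the thread).
SERVER_OSSEC_CONF = """
<ossec_config>
  <syscheck>
    <frequency>7200</frequency>
    <alert_new_files>yes</alert_new_files>
    <directories check_all="yes">/etc,/usr/bin</directories>
  </syscheck>
  <rules>
    <include>ossec_rules.xml</include>
    <include>local_rules.xml</include>
  </rules>
</ossec_config>
"""

LOCAL_RULES = """
<group name="local,syscheck,">
  <rule id="554" level="7" overwrite="yes">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <description>File added to the system.</description>
    <group>syscheck,</group>
  </rule>
</group>
"""

def _parse(text):
    # OSSEC files may hold several top-level elements, so wrap them in one root.
    return ET.fromstring("<root>" + text + "</root>")

def check_new_file_alerting(ossec_conf, local_rules):
    """Return the server-side problems that would keep new-file alerts from firing."""
    problems = []
    conf = _parse(ossec_conf)
    flags = [e.text.strip().lower() for e in conf.iter("alert_new_files") if e.text]
    if "yes" not in flags:
        problems.append("alert_new_files is not 'yes' in the server <syscheck> block")
    includes = [e.text.strip() for e in conf.findall(".//rules/include") if e.text]
    if "local_rules.xml" not in includes:
        problems.append("local_rules.xml is not included in the server <rules> block")
    rule = next((r for r in _parse(local_rules).iter("rule") if r.get("id") == "554"), None)
    if rule is None or rule.get("overwrite") != "yes":
        problems.append("rule 554 is not overwritten in local_rules.xml")
    elif int(rule.get("level", "0")) == 0:
        problems.append("rule 554 overwrite still has level 0, so it never alerts")
    return problems

if __name__ == "__main__":
    for line in check_new_file_alerting(SERVER_OSSEC_CONF, LOCAL_RULES) or ["server config OK"]:
        print(line)
```

A clean result only covers the files on disk; the running server processes still need a restart to pick them up, which is the point raised at the top of this message.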
