Excellent. I got this resolved after restarting the ossec server. Thanks very much Roy.
If it is a common problem, it is good to have this included in one of the OSSEC FAQs.

On Tuesday, August 27, 2013 10:55:19 AM UTC+5:30, Roy Feintuch wrote:
>
> V & D,
> I would bet that the problem is with *not restarting the server after
> adding the agent.*
> I was chasing this myself and the thing is tricky because every server
> conf/rule 'fix' that you apply (and restart the server) actually does fix
> the issue for the agent you were inspecting.
> Only new agents (that will be added with no server restart) will start
> experiencing these issues again...
>
> -Roy
>
>
> On Friday, August 23, 2013 6:54:15 AM UTC-7, dan (ddpbsd) wrote:
>>
>> On Fri, Aug 23, 2013 at 9:51 AM, vtrack <[email protected]> wrote:
>> >
>> >> Did you restart the OSSEC processes on the server after making these
>> >> changes? You made the changes on the server, right? Did a full
>> >> syscheck scan on the agent complete? Were the files added to the
>> >> syscheck db (on the server in
>> >> /var/ossec/queue/syscheck/SOMETHING_RELATED_TO_THE_AGENT)?
>> >>
>> >
>> > Yes, have restarted OSSEC control service (/var/ossec/bin/ossec-control)
>> > after the changes on the OSSEC server conf file... And verified the
>> > syscheck db, and shows the new file entry in the file.
>> >
>>
>> Perhaps your overwrite of 554 didn't take. I can't think of another
>> reason it wouldn't alert then.
>>
>> >> > <rules>
>> >> > <include>local_rules.xml</include>
>> >> > </rules>
>> >> >
>> >>
>> >> You added the above to the agent's ossec.conf? Why? Are all of the
>> >> necessary processes still running after restart?
>> >>
>> >
>> > New files alerts were only reported when the rule was added to agent's
>> > ossec.conf file. If I remove the rule tag from agent's ossec conf, alerts
>> > will not be reported.. I am not sure why that is the case. If I am right,
>> > the rules only require to be at the server side.. The services on both
>> > server and agent appear to be running fine...
>> >
>>
>> If that configuration does anything to your "agent" installation, it's
>> probably not an agent installation. There is absolutely no benefit of
>> defining rules on agents.
>>

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
