On Aug 27, 2013 9:43 AM, "vtrack" <[email protected]> wrote:
>
> Excellent. I got this resolved after restarting the ossec server. Thanks very much Roy.
>
> If it is a common problem, it is good to have this included in one of the OSSEC FAQ.
>
>
Manage_agents tells you to restart ossec after adding an agent, and ossec would need to be restarted after modifying the rules/configs. What exactly should go in the FAQ?

> On Tuesday, August 27, 2013 10:55:19 AM UTC+5:30, Roy Feintuch wrote:
>>
>> V & D,
>> I would bet that the problem is with not restarting the server after adding the agent.
>> I was chasing this myself and the thing is tricky because every server conf/rule 'fix' that you apply (and restart the server) actually does fix the issue for the agent you were inspecting.
>> Only new agents (that will be added with no server restart) will start experiencing these issues again...
>>
>> -Roy
>>
>>
>> On Friday, August 23, 2013 6:54:15 AM UTC-7, dan (ddpbsd) wrote:
>>>
>>> On Fri, Aug 23, 2013 at 9:51 AM, vtrack <[email protected]> wrote:
>>> >
>>> >
>>> >> Did you restart the OSSEC processes on the server after making these
>>> >> changes? You made the changes on the server, right? Did a full
>>> >> syscheck scan on the agent complete? Were the files added to the
>>> >> syscheck db (on the server in
>>> >> /var/ossec/queue/syscheck/SOMETHING_RELATED_TO_THE_AGENT)?
>>> >>
>>> >
>>> > Yes, have restarted OSSEC control service (/var/ossec/bin/ossec-control)
>>> > after the changes on the OSSEC server conf file... And verified the syscheck
>>> > db, and shows the new file entry in the file.
>>> >
>>>
>>> Perhaps your overwrite of 554 didn't take. I can't think of another
>>> reason it wouldn't alert then.
>>>
>>> >>
>>> >> > <rules>
>>> >> > <include>local_rules.xml</include>
>>> >> > </rules>
>>> >> >
>>> >>
>>> >> You added the above to the agent's ossec.conf? Why? Are all of the
>>> >> necessary processes still running after restart?
>>> >>
>>> > New files alerts were only reported when the rule was added to agent's
>>> > ossec.conf file. If I remove the rule tag from agent's ossec conf, alerts
>>> > will not be reported.. I am not sure why is that case.
>>> > If I am right, the
>>> > rules only require to be at the server side.. The services on both server
>>> > and agent appear to be running fine...
>>> >
>>>
>>> If that configuration does anything to your "agent" installation, it's
>>> probably not an agent installation. There is absolutely no benefit of
>>> defining rules on agents.
>>>
>>> > --
>>> >
>>> > ---
>>> > You received this message because you are subscribed to the Google Groups
>>> > "ossec-list" group.
>>> > To unsubscribe from this group and stop receiving emails from it, send an
>>> > email to [email protected].
>>> > For more options, visit https://groups.google.com/groups/opt_out.
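
The server-side setup this thread keeps coming back to, written out as an added example; it is not part of the original messages or taken from any poster's configuration. It assumes a default /var/ossec install, uses the stock `alert_new_files` syscheck option (not mentioned in the thread), and picks level 7 for the overwritten rule as a constructed value.

```xml
<!-- Constructed example. Both fragments belong on the OSSEC server (manager), not on agents. -->

<!-- Fragment 1: /var/ossec/etc/ossec.conf on the server -->
<ossec_config>
  <syscheck>
    <!-- Have the manager raise an event when an agent reports a file it has not seen before -->
    <alert_new_files>yes</alert_new_files>
  </syscheck>

  <rules>
    <!-- The stock rule files stay listed before this line; local_rules.xml comes after
         them so that its overwrite of rule 554 replaces the shipped definition -->
    <include>local_rules.xml</include>
  </rules>
</ossec_config>

<!-- Fragment 2: /var/ossec/rules/local_rules.xml on the server -->
<group name="local,syscheck,">
  <!-- Rule 554 ships at level 0, which produces no alert; level 7 is an assumed value -->
  <rule id="554" level="7" overwrite="yes">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <description>File added to the system.</description>
    <group>syscheck,</group>
  </rule>
</group>

<!-- After editing either file, or after adding an agent with manage_agents,
     restart the server processes: /var/ossec/bin/ossec-control restart -->
```

New-file alerts for an agent only start once the server has been restarted with the agent registered and that agent has completed a full syscheck scan, which matches what Roy and dan describe above.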
