On Tue, Nov 26, 2013 at 2:50 PM, dan (ddp) <[email protected]> wrote:
> On Tue, Nov 26, 2013 at 9:39 AM, C. L. Martinez <[email protected]> wrote:
>> On Tue, Nov 26, 2013 at 2:32 PM, dan (ddp) <[email protected]> wrote:
>>> On Tue, Nov 26, 2013 at 9:26 AM, C. L. Martinez <[email protected]>
>>> wrote:
>>>> This:
>>>> [root@ossec02 logs]# md5sum /var/ossec/etc/shared/agent.conf
>>>> 55188a008ab5daf74988aaf585e56f64 /var/ossec/etc/shared/agent.conf
>>>>
>>>
>>> So the agent.conf isn't being updated on the agent.
>>> Check permissions of the files in etc/shared. Restart the agent if
>>> necessary.
>>>
>>
>> Incorrect, agent.conf is updated in the agents. For example in this agent:
>>
>
> The example you posted earlier had a different md5.
> Operating system: FreeBSD agent02.my.local 8.4-RELEASE-p..
> Client version: OSSEC HIDS v2.7.1 / 22265c7a2bc1bb714d9376189b4b9ddd

Correct.. It is the correct md5sum before I have modified agent.conf
to test the active response ...

>
>
>> [root@ossec02 alerts]# agent_control -i 002
>>
>> OSSEC HIDS agent_control. Agent information:
>> Agent ID: 002
>> Agent Name: agent02.adsi.intranet.local
>> IP address: 10.196.0.104
>> Status: Active
>>
>> Operating system: FreeBSD agent02.adsi.intranet.local 8.4-RELEASE-p..
>> Client version: OSSEC HIDS v2.7.1 / 55188a008ab5daf74988aaf585e56f64
>> Last keep alive: Tue Nov 26 14:35:11 2013
>>
>> Syscheck last started at: Tue Nov 26 04:01:49 2013
>> Rootcheck last started at: Tue Nov 26 04:00:42 2013
>>
>> but the server has not given the order to restart.
>>
>
> I'm not going to mention this again: Verify that the alert was triggered.
>

Ok, forcing a syscheck in this agent:

[root@nsm02 shared]# agent_control -r -u 002

OSSEC HIDS agent_control: Restarting Syscheck/Rootcheck on agent: 002

Actual md5sum in ossec server:

[root@plzfnsm02 shared]# md5sum agent.conf
22265c7a2bc1bb714d9376189b4b9ddd agent.conf

(I've restored previous configuration to do this test)

Actual md5sum in the agent:

root@agent02:/var/ossec/etc/shared # md5 agent.conf
MD5 (agent.conf) = 55188a008ab5daf74988aaf585e56f64

Until here, it is all ok because agent.conf is not updated in the
agent side ... I will check later when the agent.conf is modified in
the agent ...

Correct??
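
The checksum comparison done by hand in this thread, as an added shell example that is not part of the original messages: it pulls the checksum from the `Client version:` line of `agent_control -i` output and compares it with the MD5 of the manager's copy of agent.conf. It assumes, as the thread does, that the value after the slash is the checksum of the agent's shared configuration; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Typical use on the manager:
#   agent_control -i 002 | compare_conf /var/ossec/etc/shared/agent.conf

# Print the 32-hex-digit checksum found on the "Client version:" line of
# `agent_control -i <id>` output read from stdin (empty if none).
reported_sum() {
    sed -n 's|^[[:space:]]*Client version:.* / \([0-9a-f]\{32\}\)[[:space:]]*$|\1|p' |
        head -n 1
}

# Print the MD5 of a file, using md5sum (Linux) or md5 -q (FreeBSD),
# the two tools used on the manager and the agent in the thread.
file_sum() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        md5 -q "$1"
    fi
}

# compare_conf <manager-side file>, agent_control output on stdin.
# Returns 0 when both checksums match, 1 on mismatch (agent has not
# picked up the manager's file), 2 when no checksum could be read.
compare_conf() {
    agent=$(reported_sum)
    [ -n "$agent" ] || { echo "no checksum in agent_control output" >&2; return 2; }
    manager=$(file_sum "$1") || return 2
    if [ "$agent" = "$manager" ]; then
        echo "in sync: $manager"
    else
        echo "MISMATCH: manager=$manager agent=$agent"
        return 1
    fi
}
```

A mismatch right after editing the manager's file is expected until the agent's next keep alive; one that persists is the case where file permissions in etc/shared and an agent restart are worth checking, as suggested earlier in the thread.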
