On Tue, Nov 26, 2013 at 9:57 AM, C. L. Martinez <[email protected]> wrote:
> On Tue, Nov 26, 2013 at 2:50 PM, dan (ddp) <[email protected]> wrote:
>> On Tue, Nov 26, 2013 at 9:39 AM, C. L. Martinez <[email protected]> wrote:
>>> On Tue, Nov 26, 2013 at 2:32 PM, dan (ddp) <[email protected]> wrote:
>>>> On Tue, Nov 26, 2013 at 9:26 AM, C. L. Martinez <[email protected]>
>>>> wrote:
>>>>> This:
>>>>> [root@ossec02 logs]# md5sum /var/ossec/etc/shared/agent.conf
>>>>> 55188a008ab5daf74988aaf585e56f64 /var/ossec/etc/shared/agent.conf
>>>>>
>>>>
>>>> So the agent.conf isn't being updated on the agent.
>>>> Check permissions of the files in etc/shared. Restart the agent if
>>>> necessary.
>>>>
>>>
>>> Incorrect, agent.conf is updated in the agents. For example in this agent:
>>>
>>
>> The example you posted earlier had a different md5.
>> Operating system: FreeBSD agent02.my.local 8.4-RELEASE-p..
>> Client version: OSSEC HIDS v2.7.1 / 22265c7a2bc1bb714d9376189b4b9ddd
>
> Correct.. It is the correct md5sum before I have modified agent.conf
> to test the active response ...
>
>>
>>
>>> [root@ossec02 alerts]# agent_control -i 002
>>>
>>> OSSEC HIDS agent_control. Agent information:
>>> Agent ID: 002
>>> Agent Name: agent02.adsi.intranet.local
>>> IP address: 10.196.0.104
>>> Status: Active
>>>
>>> Operating system: FreeBSD agent02.adsi.intranet.local 8.4-RELEASE-p..
>>> Client version: OSSEC HIDS v2.7.1 / 55188a008ab5daf74988aaf585e56f64
>>> Last keep alive: Tue Nov 26 14:35:11 2013
>>>
>>> Syscheck last started at: Tue Nov 26 04:01:49 2013
>>> Rootcheck last started at: Tue Nov 26 04:00:42 2013
>>>
>>> but the server has not given the order to restart.
>>>
>>
>> I'm not going to mention this again: Verify that the alert was triggered.
>>
>
> Ok, forcing a syscheck in this agent:
>
> [root@nsm02 shared]# agent_control -r -u 002
>
> OSSEC HIDS agent_control: Restarting Syscheck/Rootcheck on agent: 002
>
> Actual md5sum in ossec server:
>
> [root@plzfnsm02 shared]# md5sum agent.conf
> 22265c7a2bc1bb714d9376189b4b9ddd agent.conf
>
> (I've restored previous configuration to do this test)
>
> Actual md5sum in the agent:
>
> root@agent02:/var/ossec/etc/shared # md5 agent.conf
> MD5 (agent.conf) = 55188a008ab5daf74988aaf585e56f64
>
> Until here, all it is ok because agent.conf is not updated in the agent side
> ...
>
> I will check later when the agent.conf is modified in the agent ...
>
> Correct??
>

Correct. Make sure the alert is triggered. If the alert doesn't trigger, it
makes sense that the AR isn't firing.

--

---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
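
The hash comparison done by hand in this thread, as an added example that is not part of the original messages or of OSSEC itself. The function names are hypothetical, and it assumes, as the participants do, that the hash after the slash on the "Client version" line is the agent's reported agent.conf checksum.

```shell
#!/bin/sh
# Added example: compare the config hash an agent reports with the manager's copy.

# Read `agent_control -i <id>` output on stdin and print the 32-hex-digit hash
# that follows the "/" on the "Client version:" line (lower-cased).
reported_hash() {
    sed -n 's|^[[:space:]]*Client version:.*/[[:space:]]*\([0-9a-fA-F]\{32\}\)[[:space:]]*$|\1|p' \
        | head -n 1 | tr 'A-F' 'a-f'
}

# MD5 of a file, using md5sum (Linux) or md5 -q (FreeBSD), whichever exists.
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        md5 -q "$1"
    fi
}

# check_sync EXPECTED_HASH < agent_control_output
# Returns 0 = hashes match, 1 = mismatch, 2 = no hash found in the output.
check_sync() {
    expected=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    got=$(reported_hash)
    [ -n "$got" ] || return 2
    [ "$got" = "$expected" ]
}

# Constructed sample, trimmed from the agent_control output quoted in the thread.
SAMPLE='Agent ID: 002
Status: Active
Client version: OSSEC HIDS v2.7.1 / 55188a008ab5daf74988aaf585e56f64'

# Live use on the manager (path as shown in the thread):
#   agent_control -i 002 | check_sync "$(file_md5 /var/ossec/etc/shared/agent.conf)"
```

A return code of 1 corresponds to the state shown in the last quoted test, where the manager's file hashes to 22265c7a... while the agent still reports 55188a00...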
