On Tue, Nov 26, 2013 at 2:59 PM, dan (ddp) <[email protected]> wrote:
> On Tue, Nov 26, 2013 at 9:57 AM, C. L. Martinez <[email protected]> wrote:
>> On Tue, Nov 26, 2013 at 2:50 PM, dan (ddp) <[email protected]> wrote:
>>> On Tue, Nov 26, 2013 at 9:39 AM, C. L. Martinez <[email protected]> wrote:
>>>> On Tue, Nov 26, 2013 at 2:32 PM, dan (ddp) <[email protected]> wrote:
>>>>> On Tue, Nov 26, 2013 at 9:26 AM, C. L. Martinez <[email protected]> wrote:
>>>>>> This:
>>>>>> [root@ossec02 logs]# md5sum /var/ossec/etc/shared/agent.conf
>>>>>> 55188a008ab5daf74988aaf585e56f64 /var/ossec/etc/shared/agent.conf
>>>>>>
>>>>> So the agent.conf isn't being updated on the agent.
>>>>> Check permissions of the files in etc/shared. Restart the agent if
>>>>> necessary.
>>>>>
>>>> Incorrect, agent.conf is updated in the agents. For example in this agent:
>>>>
>>> The example you posted earlier had a different md5.
>>> Operating system: FreeBSD agent02.my.local 8.4-RELEASE-p..
>>> Client version: OSSEC HIDS v2.7.1 / 22265c7a2bc1bb714d9376189b4b9ddd
>>
>> Correct.. It is the correct md5sum before I have modified agent.conf
>> to test the active response ...
>>
>>>> [root@ossec02 alerts]# agent_control -i 002
>>>>
>>>> OSSEC HIDS agent_control. Agent information:
>>>> Agent ID: 002
>>>> Agent Name: agent02.adsi.intranet.local
>>>> IP address: 10.196.0.104
>>>> Status: Active
>>>>
>>>> Operating system: FreeBSD agent02.adsi.intranet.local 8.4-RELEASE-p..
>>>> Client version: OSSEC HIDS v2.7.1 /
>>>> 55188a008ab5daf74988aaf585e56f64
>>>> Last keep alive: Tue Nov 26 14:35:11 2013
>>>>
>>>> Syscheck last started at: Tue Nov 26 04:01:49 2013
>>>> Rootcheck last started at: Tue Nov 26 04:00:42 2013
>>>>
>>>> but the server has not given the order to restart.
>>>>
>>> I'm not going to mention this again: Verify that the alert was triggered.
>>>
>> Ok, forcing a syscheck in this agent:
>>
>> [root@nsm02 shared]# agent_control -r -u 002
>>
>> OSSEC HIDS agent_control: Restarting Syscheck/Rootcheck on agent: 002
>>
>> Actual md5sum in ossec server:
>>
>> [root@plzfnsm02 shared]# md5sum agent.conf
>> 22265c7a2bc1bb714d9376189b4b9ddd agent.conf
>>
>> (I've restored previous configuration to do this test)
>>
>> Actual md5sum in the agent:
>>
>> root@agent02:/var/ossec/etc/shared # md5 agent.conf
>> MD5 (agent.conf) = 55188a008ab5daf74988aaf585e56f64
>>
>> Until here, all it is ok because agent.conf is not updated in the agent side
>> ...
>>
>> I will check later when the agent.conf is modified in the agent ...
>>
>> Correct??
>>
>
> Correct. Make sure the alert is triggered. If the alert doesn't
> trigger, it makes sense that the AR isn't firing.
>
Ok, it only works if I put the following entry under the syscheck section:

<directories report_changes="yes" realtime="yes" check_all="yes">/etc,/var/ossec/etc/shared</directories>

but for FreeBSD agents it doesn't work because FreeBSD doesn't support inotify ... Any idea??
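The md5 comparison the thread does by hand (md5sum of the server's agent.conf against the hash that `agent_control -i <id>` prints after the slash on its "Client version:" line) can be scripted. The script below is an added example, not code from the thread or from the OSSEC project; it uses `md5sum` on Linux and `md5 -q` on FreeBSD, the two commands seen above, and the embedded agent_control output is a constructed sample modelled on the quoted one, with placeholder hostname and IP. On a FreeBSD agent, where the realtime option has no inotify to rely on, a change to agent.conf is only noticed by syscheck at its next scheduled scan (the syscheck `<frequency>` interval) or when a scan is forced with `agent_control -r -u <id>` as done above, so this check is worth running before concluding that the alert or the active response is broken.

```shell
#!/bin/sh
# Added example (not code from the thread or from OSSEC): automate the manual
# md5 comparison. `agent_control -i <id>` prints the md5 of the agent's copy
# of shared/agent.conf after the slash on its "Client version:" line; compare
# that with the md5 of the server's /var/ossec/etc/shared/agent.conf.

# md5 of a file, portable across the two hosts in the thread:
# md5sum (Linux server) or md5 -q (FreeBSD agent).
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# Read agent_control -i output on stdin and print the 32-hex md5 that follows
# the slash on the "Client version:" line. Lines are joined first so the hash
# is still found when a mail client wrapped it onto the next line, as in the
# quoted output above. Prints nothing when no hash is present.
agent_reported_md5() {
    tr '\n' ' ' | sed -n 's#.*Client version:[^/]*/[[:space:]]*\([0-9a-f]\{32\}\).*#\1#p'
}

# agent_conf_in_sync <server agent.conf> < agent_control_output
# Returns 0 when the agent reports the same md5 as the server's copy,
# 1 otherwise (including when no md5 could be parsed at all).
agent_conf_in_sync() {
    server_md5=$(file_md5 "$1")
    agent_md5=$(agent_reported_md5)
    if [ -n "$agent_md5" ] && [ "$server_md5" = "$agent_md5" ]; then
        return 0
    fi
    return 1
}

# Constructed sample of agent_control -i output (hostname and IP are
# placeholders; the md5 is the one quoted in the thread).
SAMPLE_AGENT_INFO='OSSEC HIDS agent_control. Agent information:
   Agent ID:   002
   Agent Name: agent02.example.local
   IP address: 10.0.0.104
   Status:     Active

   Operating system:    FreeBSD agent02.example.local 8.4-RELEASE-p..
   Client version:      OSSEC HIDS v2.7.1 / 55188a008ab5daf74988aaf585e56f64
   Last keep alive:     Tue Nov 26 14:35:11 2013'

# Against a live server (assumed paths, run on the OSSEC server host):
#   agent_control -i 002 | agent_conf_in_sync /var/ossec/etc/shared/agent.conf \
#     && echo "agent 002 has the server's agent.conf" \
#     || echo "agent 002 still reports an older agent.conf"
```

When the function returns 1 the new agent.conf has simply not reached the agent yet, and neither the syscheck alert nor the active response can be expected until it has; only once the two hashes match does it make sense to look for the alert that the active response is supposed to fire on.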
