Hi again Colin, Sounds like I didn’t really get you any further forwards than you’d already managed for yourself. I’ve never tried playing with the client side “manage_agents” to be honest. I’ll have to give it a whirl and see how it goes. But I suppose even if I can get it working then it’s just going to replace a scripted file copy with a scripted “manage_agents –i” – swings and roundabouts maybe – but at least it’s another option, another tool in the kit.
It’s always interesting to see how people get OSSEC to work for them in such a wide range of environments, finding imaginative ways around obstacles. I’ll let you know how I get on with that “manage_agents –i” when I get a chance to try ☺ Chris -- Chris Tweed From: [email protected] [mailto:[email protected]] On Behalf Of Colin Bruce Sent: 26 November 2014 14:08 To: [email protected] Subject: [ossec-list] RE: manage_agent fails again Dear Chris, Thanks for the suggestions. I have done something similar but had major problems importing the key. I think the problem with manage_agents is that the –I option should be followed by the key and not an ID as shown in the help text. However, that is just a guess as I needed to get something working last night. I did what you suggested and just grep’d for the servers address in the key files and copied that over to the client. At the moment my problem is getting windows servers going so I’ve created a batch file that installs and configures ossec on a windows server. I can’t use powershell as some of the servers are pretty elderly and are running Windows 2003R2. They can’t be upgraded or replaced because the application that is running on them won’t run (in fact it won’t even install) on anything newer☹ Anyway, thanks again for your help. Best wishes…. Colin From: [email protected]<mailto:[email protected]> [mailto:[email protected]] On Behalf Of Chris Tweed Sent: 26 November 2014 09:29 To: '[email protected]' Subject: [ossec-list] RE: manage_agent fails again Hi Colin, What we’ve done is script it all. We have around 600 OSSEC agents in nearly as many remote locations. We grep the individual agent keys out of client.keys on the server. This is then copied to a location visible to the agent machines and renamed to reflect the name of the individual agent machines. We then have a script which copies over the OSSEC Windows agent installer, runs it in silent mode then copies the ossec.conf and the key file over. The script knows which key file to pick up by referring to the agent machine name and our ossec.conf is fortunately identical on each of the agent machines. The key file is then renamed back to client.keys on the agent machine. The script finally does a stop / start of the ossecsvc service. Something like the following is used to extract the individual key files (we’re running OSSEC under Ubuntu server) :- sudo grep {agent_name} /var/ossec/etc/client.keys > ~/keys/agent_name.keys The above could be scripted I’m sure, but we’ve had all this up and running for nearly 5 years now so we only have to take care of a few new key files at a time as new agent machines are rolled out. Hope that might help a bit? Chris -- Chris Tweed From: [email protected]<mailto:[email protected]> [mailto:[email protected]] On Behalf Of Colin Bruce Sent: 25 November 2014 17:17 To: [email protected]<mailto:[email protected]> Subject: [ossec-list] manage_agent fails again Is there any way on Windows to install the agent’s key without using the GUI and cutting and pasting the key into it. Manage_agents –I should do the import but it doesn’t work. It doesn’t read from the command line, it doesn’t read the shell variable and it doesn’t prompt for a key. Cutting and pasting is no use when there are hundreds of servers to install. Best wishes… Colin -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]<mailto:[email protected]>. For more options, visit https://groups.google.com/d/optout. [Image removed by sender. BBC Children in Need]<http://www.shoezone.com/Offers/BBC-Children-in-Need> P Please consider the environment before printing this email CONFIDENTIALITY NOTICE This E-Mail contains information which is confidential and privileged. If you have received this E-Mail in error, please telephone us immediately on +44 116 2223000. Where opinions are expressed they are not necessarily those of Shoe Zone Retail Ltd. Shoe Zone Retail Ltd Registered Office : Haramead Business Centre, Humberstone Road, Leicester LE1 2LH Registered in England Number 148038 -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]<mailto:[email protected]>. For more options, visit https://groups.google.com/d/optout. -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]<mailto:[email protected]>. For more options, visit https://groups.google.com/d/optout. -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
