On Jul 17, 2015 9:18 AM, "Oleg Makarov" <[email protected]> wrote:
>
> /var/ossec/bin/agent_control -i 030
>
> OSSEC HIDS agent_control. Agent information:
>    Agent ID: 030
>    Agent Name: ewqeqw
>    IP address: 192.168.x.x
>    Status: Active
>
>    Operating system: Linux 3.2.0-4-amd64 #1 SMP Debian 3.2.65-1+deb7u..
>    Client version: OSSEC HIDS v2.8 / 9144d8b51e627a498cde8eeb8dac2c88
>    Last keep alive: Fri Jul 17 15:57:56 2015
>
>    Syscheck last started at: Fri Jul 17 15:34:48 2015
>    Rootcheck last started at: Fri Jul 17 15:59:33 2015
>
> Now I'm testing with central agent conf:
> <agent_config>
>   <syscheck>
>     <frequency>600</frequency>
>     <directories report_changes="yes" check_all="yes" realtime="yes">/etc,/usr/bin,/usr/sbin</directories>
>     <directories report_changes="yes" check_all="yes" realtime="yes">/bin,/sbin</directories>
>     <directories report_changes="yes" check_all="yes" realtime="yes">/usr/local/sbin</directories>
>     <directories report_changes="yes" check_all="yes" realtime="yes">/usr/local/bin</directories>
>   </syscheck>
> </agent_config>
>
> And still nothing, I check md5sum /var/ossec/etc/shared/agent.conf
> 179aa16e2a4830f4d60afe9b2325e956 /var/ossec/etc/shared/agent.conf
> But as you can see, the agent doesn't receive it (I restart agent)
> Don't know what to do...
>

It can take some time for the agent.conf to get pushed to the agents. But if you're having problems with the normal setup, I imagine you'll continue to have the problems with the agent.conf.
Double check your alerts.log file for syscheck alerts related to the sshd_config file.

> On Friday, July 17, 2015 at 15:54:13 UTC+3, user dan (ddpbsd) wrote:
>>
>>
>> On Jul 17, 2015 8:51 AM, "Oleg Makarov" <[email protected]> wrote:
>> >
>> > Yep, it's active.
>> > I don't see anything in /var/ossec/queue/syscheck :(
>> >
>>
>> Did you check on the manager? I apologize for not being more specific initially, but that info is stored on the manager.
>>
>> > I also try to change frequency to 600 seconds, but still the same :(
>> >
>>
>> That's still very low for checking 2 hashes for every file in the configured directories.
>>
>> > On Friday, July 17, 2015 at 15:28:16 UTC+3, user dan (ddpbsd) wrote:
>> >>
>> >>
>> >> On Jul 17, 2015 6:26 AM, "Oleg Makarov" <[email protected]> wrote:
>> >> >
>> >> > Hello everyone!
>> >> > I'm a newbie in ossec and I need some help.
>> >> > I have an ossec manager and 20+ ossec agents.
>> >> > On manager I have next conf: http://pastebin.com/4LTYNmYH
>> >> > On agent I have next conf: http://pastebin.com/RzN5p6Zf
>> >> > I want to see how I change /etc/ssh/sshd_config on one of my agents, I made some changes, but there are no alerts on my email.
>> >> > What am I doing wrong?
>> >> > Thanks!
>> >> >
>> >>
>> >> Is the agent connected to the manager?
>> >> Is the entry in the syscheck db updated (/var/ossec/queue/syscheck)?
>> >>
>> >> The frequency seems very low on the agent. I haven't seen much success with very low frequencies.
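
Added example (not part of the thread and not OSSEC project code): a manager-side check of whether an agent has picked up the shared configuration, built on the `agent_control -i` output quoted above. It assumes the hex string after " / " on the "Client version" line is the MD5 of the shared bundle the agent last received, and that the manager keeps that bundle at `/var/ossec/etc/shared/merged.mg`; the function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Assumption: the hash on the "Client version" line is the MD5 of the shared
# bundle (merged.mg), not of agent.conf alone, so it is compared to the bundle.
MERGED_DEFAULT=/var/ossec/etc/shared/merged.mg   # assumed default path

# Read `agent_control -i <id>` output on stdin; print the reported hash.
reported_sum() {
    sed -n 's|^[[:space:]]*Client version:.*/[[:space:]]*\([0-9A-Fa-f]\{32\}\)[[:space:]]*$|\1|p' \
        | tr 'A-F' 'a-f' | head -n 1
}

# Print the MD5 digest of a file on the manager.
file_sum() {
    md5sum "$1" | cut -d' ' -f1
}

# shared_config_state <saved agent_control output> [bundle file]
# Prints in-sync / stale / unknown and returns 0 / 1 / 2.
shared_config_state() {
    bundle=${2:-$MERGED_DEFAULT}
    have=$(reported_sum < "$1")
    # No hash reported (agent never connected) or bundle unreadable.
    if [ -z "$have" ] || [ ! -r "$bundle" ]; then
        echo unknown; return 2
    fi
    want=$(file_sum "$bundle")
    if [ "$have" = "$want" ]; then
        echo in-sync; return 0
    fi
    echo stale; return 1
}

# Constructed sample shaped like the output quoted in the thread.
sample_output() {
    printf '   Agent ID: 030\n   Status: Active\n'
    printf '   Client version: OSSEC HIDS v2.8 / %s\n' "$1"
}

# Usage on the manager:
#   /var/ossec/bin/agent_control -i 030 > /tmp/agent030.txt
#   shared_config_state /tmp/agent030.txt
```

A `stale` result after the agent's next keep-alive means the agent is still running with its previous shared files.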
