Now on the agent I see the following:
ossec-agentd(1214): WARN: Problem receiving message from OSSEC SERVER IP ADDRESS
But it's active in the list of agents.

On Friday, July 17, 2015 at 16:21:33 UTC+3, dan (ddpbsd) wrote:
>
> On Jul 17, 2015 9:18 AM, "Oleg Makarov" <[email protected]> wrote:
> >
> > /var/ossec/bin/agent_control -i 030
> >
> > OSSEC HIDS agent_control. Agent information:
> >    Agent ID:   030
> >    Agent Name: ewqeqw
> >    IP address: 192.168.x.x
> >    Status:     Active
> >
> >    Operating system:    Linux 3.2.0-4-amd64 #1 SMP Debian 3.2.65-1+deb7u..
> >    Client version:      OSSEC HIDS v2.8 / 9144d8b51e627a498cde8eeb8dac2c88
> >    Last keep alive:     Fri Jul 17 15:57:56 2015
> >
> >    Syscheck last started at: Fri Jul 17 15:34:48 2015
> >    Rootcheck last started at: Fri Jul 17 15:59:33 2015
> >
> > Now I'm testing with central agent conf:
> > <agent_config>
> >   <syscheck>
> >     <frequency>600</frequency>
> >     <directories report_changes="yes" check_all="yes" realtime="yes">/etc,/usr/bin,/usr/sbin</directories>
> >     <directories report_changes="yes" check_all="yes" realtime="yes">/bin,/sbin</directories>
> >     <directories report_changes="yes" check_all="yes" realtime="yes">/usr/local/sbin</directories>
> >     <directories report_changes="yes" check_all="yes" realtime="yes">/usr/local/bin</directories>
> >   </syscheck>
> > </agent_config>
> >
> > And still nothing, I check md5sum /var/ossec/etc/shared/agent.conf
> > 179aa16e2a4830f4d60afe9b2325e956  /var/ossec/etc/shared/agent.conf
> > But as you can see, the agent doesn't receive it (I restarted the agent)
> > Don't know what to do...
> >
>
> It can take some time for the agent.conf to get pushed to the agents. But
> if you're having problems with the normal setup, I imagine you'll continue
> to have the problems with the agent.conf.
> Double check your alerts.log file for syscheck alerts related to the
> sshd_config file.
>
> > On Friday, July 17, 2015 at 15:54:13 UTC+3, dan (ddpbsd) wrote:
> >>
> >> On Jul 17, 2015 8:51 AM, "Oleg Makarov" <[email protected]> wrote:
> >> >
> >> > Yep, it's active.
> >> > I don't see anything in /var/ossec/queue/syscheck :(
> >> >
> >>
> >> Did you check on the manager? I apologize for not being more specific
> >> initially, but that info is stored on the manager.
> >>
> >> > I also tried to change the frequency to 600 seconds, but still the same :(
> >> >
> >>
> >> That's still very low for checking 2 hashes for every file in the
> >> configured directories.
> >>
> >> > On Friday, July 17, 2015 at 15:28:16 UTC+3, dan (ddpbsd) wrote:
> >> >>
> >> >> On Jul 17, 2015 6:26 AM, "Oleg Makarov" <[email protected]> wrote:
> >> >> >
> >> >> > Hello everyone!
> >> >> > I'm a newbie in ossec and I need some help.
> >> >> > I have an ossec manager and 20+ ossec agents.
> >> >> > On the manager I have this conf: http://pastebin.com/4LTYNmYH
> >> >> > On the agent I have this conf: http://pastebin.com/RzN5p6Zf
> >> >> > I want to see how I change /etc/ssh/sshd_config on one of my
> >> >> > agents. I made some changes, but there are no alerts on my email.
> >> >> > What am I doing wrong?
> >> >> > Thanks!
> >> >> >
> >> >>
> >> >> Is the agent connected to the manager?
> >> >> Is the entry in the syscheck db updated (/var/ossec/queue/syscheck)?
> >> >>
> >> >> The frequency seems very low on the agent. I haven't seen much
> >> >> success with very low frequencies.
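Added example, not part of the original thread: a shell helper for the check dan suggests, looking in alerts.log on the manager for syscheck alerts about one file such as /etc/ssh/sshd_config. It assumes the default alert log path /var/ossec/logs/alerts/alerts.log and the plain-text alert layout; the function names are hypothetical and the sample records are constructed.

```shell
#!/bin/sh
# Added example: find syscheck alerts for one file in an OSSEC alerts.log.
# Assumption: default install path /var/ossec/logs/alerts/alerts.log on the manager.

# syscheck_alerts_for LOGFILE PATH
# Prints "<timestamp (agent) ip->location> | <rule line>" for each syscheck
# alert whose body names PATH in single quotes.
syscheck_alerts_for() {
    # Alerts are blank-line separated; RS="" makes awk read one alert per
    # record, FS="\n" makes each line of the alert a field.
    awk -v path="$2" -v q="'" 'BEGIN { RS = ""; FS = "\n" }
        $1 ~ /^\*\* Alert / && $1 ~ /syscheck/ && index($0, q path q) {
            print $2 " | " $3
        }' "$1"
}

# write_sample_log FILE: constructed sample records (not taken from the thread).
write_sample_log() {
    cat > "$1" <<'EOF'
** Alert 1437138312.1001: mail  - ossec,syscheck,
2015 Jul 17 16:05:12 (ewqeqw) 192.168.x.x->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/ssh/sshd_config'
Size changed from '2489' to '2512'

** Alert 1437138340.1402: mail  - ossec,syscheck,
2015 Jul 17 16:05:40 (ewqeqw) 192.168.x.x->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/hosts'

** Alert 1437138400.1777: - syslog,sshd,authentication_success,
2015 Jul 17 16:06:40 (ewqeqw) 192.168.x.x->/var/log/auth.log
Rule: 5715 (level 3) -> 'SSHD authentication success.'
Jul 17 16:06:40 host sshd[2211]: Accepted publickey for admin from 192.168.x.x port 50022 ssh2
EOF
}

# Demo on the constructed sample; on a manager, pass the real alerts.log instead.
sample=$(mktemp)
write_sample_log "$sample"
syscheck_alerts_for "$sample" /etc/ssh/sshd_config
rm -f "$sample"
```

If the helper prints nothing for the file on the manager, no syscheck alert was logged for it, so the missing e-mail is not a mail delivery problem.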
