I have included the ossec.conf of the server and the agent, and also the script command for the active response that runs when a keyword is detected in the agent log file. Thanks.
Relevant ossec.log entries:

2016/03/14 17:00:41 ossec-agentlessd: INFO: ssh_integrity_check_linux: [email protected]: Started.
2016/03/14 17:00:45 ossec-agentlessd: INFO: ssh_integrity_check_linux: [email protected]: Starting.
2016/03/14 17:01:27 ossec-agentlessd: INFO: ssh_integrity_check_linux: [email protected]: Finished.
2016/03/14 17:01:28 ossec-agentlessd: INFO: ssh_integrity_check_linux: [email protected]: Started.
2016/03/14 17:01:28 ossec-agentlessd: INFO: ssh_integrity_check_linux: [email protected]: Starting.
2016/03/14 17:03:06 ossec-agentlessd: INFO: ssh_integrity_check_linux: [email protected]: Finished.
2016/03/14 17:24:27 ossec-agentlessd: INFO: ssh_integrity_check_linux: [email protected]: Started.
2016/03/14 17:24:27 ossec-agentlessd: INFO: ssh_integrity_check_linux: [email protected]: Starting.
2016/03/14 17:25:07 ossec-remoted(1320): ERROR: Agent 'ssh_integrity_check_linux' not found.
2016/03/14 17:25:13 ossec-remoted(1320): ERROR: Agent 'ssh_integrity_check_linux' not found.
2016/03/14 17:26:56 ossec-agentlessd: INFO: ssh_integrity_check_linux: [email protected]: Finished.
2016/03/14 17:26:57 ossec-agentlessd: INFO: ssh_integrity_check_linux: [email protected]: Started.
2016/03/14 17:26:57 ossec-agentlessd: INFO: ssh_integrity_check_linux: [email protected]: Starting.
2016/03/14 17:27:40 ossec-remoted(1320): ERROR: Agent 'ssh_integrity_check_linux' not found.
2016/03/14 17:27:48 ossec-remoted(1320): ERROR: Agent 'ssh_integrity_check_linux' not found.
2016/03/14 17:29:44 ossec-agentlessd: INFO: ssh_integrity_check_linux: [email protected]: Finished.
Server ossec.conf:

<ossec_config>
  <global>
    <email_notification>no</email_notification>
    <email_to>[email protected]</email_to>
    <smtp_server>loalhost</smtp_server>
    <email_from>[email protected]</email_from>
    <stats>0</stats>
  </global>

  <rules>
    <include>rules_config.xml</include>
    <include>pam_rules.xml</include>
    <include>sshd_rules.xml</include>
    <include>telnetd_rules.xml</include>
    <!-- <include>syslog_rules.xml</include> -->
    <include>arpwatch_rules.xml</include>
    <include>symantec-av_rules.xml</include>
    <include>symantec-ws_rules.xml</include>
    <include>pix_rules.xml</include>
    <include>named_rules.xml</include>
    <include>smbd_rules.xml</include>
    <include>vsftpd_rules.xml</include>
    <include>pure-ftpd_rules.xml</include>
    <include>proftpd_rules.xml</include>
    <include>ms_ftpd_rules.xml</include>
    <include>ftpd_rules.xml</include>
    <include>hordeimp_rules.xml</include>
    <include>roundcube_rules.xml</include>
    <include>wordpress_rules.xml</include>
    <include>cimserver_rules.xml</include>
    <include>vpopmail_rules.xml</include>
    <include>vmpop3d_rules.xml</include>
    <include>courier_rules.xml</include>
    <include>web_rules.xml</include>
    <include>web_appsec_rules.xml</include>
    <include>apache_rules.xml</include>
    <include>nginx_rules.xml</include>
    <include>php_rules.xml</include>
    <include>mysql_rules.xml</include>
    <include>postgresql_rules.xml</include>
    <include>ids_rules.xml</include>
    <include>squid_rules.xml</include>
    <include>firewall_rules.xml</include>
    <include>cisco-ios_rules.xml</include>
    <include>netscreenfw_rules.xml</include>
    <include>sonicwall_rules.xml</include>
    <include>postfix_rules.xml</include>
    <include>sendmail_rules.xml</include>
    <include>imapd_rules.xml</include>
    <include>mailscanner_rules.xml</include>
    <include>dovecot_rules.xml</include>
    <include>ms-exchange_rules.xml</include>
    <include>racoon_rules.xml</include>
    <include>vpn_concentrator_rules.xml</include>
    <include>spamd_rules.xml</include>
    <include>msauth_rules.xml</include>
    <include>mcafee_av_rules.xml</include>
    <include>trend-osce_rules.xml</include>
    <include>ms-se_rules.xml</include>
    <!-- <include>policy_rules.xml</include> -->
    <include>zeus_rules.xml</include>
    <!-- <include>solaris_bsm_rules.xml</include> -->
    <include>vmware_rules.xml</include>
    <include>ms_dhcp_rules.xml</include>
    <include>asterisk_rules.xml</include>
    <include>ossec_rules.xml</include>
    <!-- <include>attack_rules.xml</include> -->
    <include>local_rules.xml</include>
  </rules>

  <syscheck>
    <!-- Frequency that syscheck is executed -- default every 20 hours -->
    <scan_on_start>no</scan_on_start>
    <frequency>72000</frequency>
    <auto_ignore>no</auto_ignore>

    <!-- Directories to check (perform all possible verifications) -->
    <directories check_all="yes">/var/log/maillog</directories>

    <!-- Files/directories to ignore -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
  </syscheck>

  <agentless>
    <type>ssh_integrity_check_linux</type>
    <frequency>60</frequency>
    <host>[email protected]</host>
    <state>periodic</state>
    <!-- <arguments>/etc /bin /sbin /sbss</arguments> -->
    <arguments>/etc/hosts</arguments>
  </agentless>

  <rootcheck>
    <disabled>no</disabled>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
  </rootcheck>

  <global>
    <white_list>127.0.0.1</white_list>
    <white_list>192.168.2.190</white_list>
    <white_list>192.168.2.32</white_list>
    <white_list>192.168.2.10</white_list>
  </global>

  <remote>
    <connection>secure</connection>
    <allowed-ips>10.115.13.11</allowed-ips>
  </remote>

  <alerts>
    <log_alert_level>4</log_alert_level>
    <!-- <email_alert_level>10</email_alert_level> -->
  </alerts>

  <command>
    <name>host-deny</name>
    <executable>host-deny.sh</executable>
    <expect>hostname</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>disable-account</name>
    <executable>disable-account.sh</executable>
    <expect>user</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- md5sum -->
  <command>
    <name>md5sum-check</name>
    <executable>md5-chk-reboot.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!--
  <!-- Active Response Config -->
  <active-response>
    <!-- This response is going to execute the host-deny
       - command for every event that fires a rule with
       - level (severity) >= 6.
       - The IP is going to be blocked for 600 seconds.
      -->
    <command>host-deny</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>

  <active-response>
    <!-- Firewall Drop response. Block the IP for
       - 600 seconds on the firewall (iptables,
       - ipfilter, etc).
      -->
    <command>firewall-drop</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>
  -->

  <!-- this is md5sum -->
  <active-response>
    <command>md5sum-check</command>
    <location>server</location>
    <rules_id>100101</rules_id>
  </active-response>

  <!--
  <!-- Files to monitor (localfiles) -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>

  <!--
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/authlog</location>
  </localfile>
  -->

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/secure</location>
  </localfile>

  <!--
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/xferlog</location>
  </localfile>
  -->

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/maillog</location>
  </localfile>

  <!--
  <localfile>
    <log_format>apache</log_format>
    <location>/var/www/logs/access_log</location>
  </localfile>
  -->

  <!--
  <localfile>
    <log_format>apache</log_format>
    <location>/var/www/logs/error_log</location>
  </localfile>
  -->
  -->

Active Response command script (md5-chk-reboot.sh) to execute the agentless file integrity check:

#!/bin/bash
#
# md5_chk_reboot.sh
#
# OSSEC calls active-response scripts as: <action> <user> <srcip> <alert id> <rule id>
IP=$3
echo "$IP" >> /tmp/date.out
# Build a per-host agentless config from the template and start one agentlessd for it
cp -p /home/admin/tools/agentless.conf-default "/home/admin/tools/$IP.conf"
perl -p -i -e "s/IPADDR/$IP/" "/home/admin/tools/$IP.conf"
/var/ossec/bin/ossec-agentlessd -c "/home/admin/tools/$IP.conf"
#
# get PID of that agentlessd (the [/] trick keeps grep from matching its own process)
agPID=$(ps -ef | grep "[/]home/admin/tools/$IP.conf" | head -1 | awk '{print $2}')
sleep 300
kill -9 "$agPID"
rm "/home/admin/tools/$IP.conf"

Agent ossec.conf:

<!-- OSSEC example config -->
<ossec_config>
  <client>
    <server-ip>10.115.13.16</server-ip>
  </client>

  <syscheck>
    <!-- Frequency that syscheck is executed -- default every 2 hours -->
    <frequency>7200</frequency>

    <!-- Directories to check (perform all possible verifications) -->
    <directories check_all="yes">/var/log/maillog</directories>

    <!-- Files/directories to ignore -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/mnttab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
    <ignore>/etc/utmpx</ignore>
    <ignore>/etc/wtmpx</ignore>
    <ignore>/etc/cups/certs</ignore>
  </syscheck>

  <localfile>
    <log_format>syslog</log_format>
    <location>/auditlog/audit/auditlog.txt</location>
  </localfile>
</ossec_config>

On Sunday, March 13, 2016 at 6:02:53 PM UTC-4, Santiago Bassett wrote:
>
> On Fri, Mar 11, 2016 at 1:30 PM, Ben <[email protected]> wrote:
>
>> Hi,
>>
>> I googled for the following error message and cannot find anything, so I
>> hope someone can help in this group.
>>
>> I am using agentless to do file integrity check using the
>> ssh_integrity_check_linux script. Everything is working fine until I get
>> the following messages many times. I only have one agent talking to the server
>> and hundreds of agentless devices. Why is the message talking about remoted?
>>
>> 2016/03/10 12:55:45 ossec-remoted(1320): ERROR: Agent 'ssh_integrity_check_linux' not found.
>>
> Not sure why, but it looks like remoted is trying to use
> 'ssh_integrity_check_linux' on the agent. Could it be that you have it
> configured as an active-response? Could you paste your configuration, both
> of the manager and server?
>
>> If the following error message appears, scans won't start anymore even
>> though the defined frequency (every 12 hours) has passed, and I have to
>> restart it again manually.
>>
>> 2016/03/11 09:34:52 ossec-agentlessd: ERROR: Too many failures for 'ssh_integrity_check_linux'. Ignoring it.
>>
> This is another issue. It seems that your agentless script is failing to
> execute. What is your agentless configuration? How do other agentlessd logs
> look in ossec.log?
>
>> Has anyone encountered these? How to troubleshoot this?
>>
>> Thanks.
>> Ben
>>
>> --
>> ---
>> You received this message because you are subscribed to the Google Groups "ossec-list" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> For more options, visit https://groups.google.com/d/optout.
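The md5-chk-reboot.sh script posted above takes the alert's srcip from $3 and drops it straight into a file name and a perl substitution; since that value originates in a log line matched by the keyword rule, a defender would want it checked before it touches the shell. The following is an added example (my own sketch for a POSIX shell, not the poster's script or OSSEC code) that validates the address and builds the per-host config from the template; the template path and the /tmp location are assumptions.

```shell
#!/bin/sh
# Added example: validate the srcip an OSSEC active response receives in $3
# before using it in a file name and a sed substitution. OSSEC passes the
# arguments as: <action> <user> <srcip> <alert id> <rule id>.

# Return 0 only for a dotted-quad IPv4 address with four octets in 0..255.
# Anything else (shell metacharacters, path fragments, hostnames) is rejected.
valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    _saved_ifs=$IFS; IFS=.
    set -- $1
    IFS=$_saved_ifs
    [ $# -eq 4 ] || return 1
    for _octet in "$@"; do
        # length check rejects padded octets such as 0001; -le compares in decimal
        [ ${#_octet} -le 3 ] && [ "$_octet" -le 255 ] || return 1
    done
    return 0
}

# Replace the IPADDR placeholder in the template read from stdin. The IP was
# validated already, so it contains only digits and dots (no sed metacharacters).
render_agentless_conf() {
    sed "s/IPADDR/$1/g"
}

# Build a per-host agentless config from the template and print its path.
# The default template path is an assumption; pass a second argument to override.
make_host_conf() {
    _ip=$1
    _template=${2:-/home/admin/tools/agentless.conf-default}
    valid_ipv4 "$_ip" || { echo "rejected srcip: $_ip" >&2; return 1; }
    _out=$(mktemp "/tmp/agentless.${_ip}.XXXXXX") || return 1
    render_agentless_conf "$_ip" < "$_template" > "$_out" || return 1
    echo "$_out"
}

# In the active-response script the remaining steps stay as posted, e.g.:
#   conf=$(make_host_conf "$3") || exit 1
#   /var/ossec/bin/ossec-agentlessd -c "$conf"
```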
