I would also like to mention that I have been receiving these errors from my 
Linux agent:

2016/04/05 11:45:04 ossec-config: Remote commands are not accepted from the 
manager. Ignoring it on the agent.conf
2016/04/05 11:45:04 ossec-config(1202): ERROR: Configuration error at 
'/var/ossec/etc/shared/agent.conf'. Exiting.
Started ossec-logcollector...
2016/04/05 11:45:04 ossec-config(1756): ERROR: Duplicated directory given: 
'/etc'.
2016/04/05 11:45:04 ossec-config(1756): ERROR: Duplicated directory given: 
'/bin'.

Here is my agent.conf file:




On Tuesday, April 5, 2016 at 9:21:18 AM UTC-4, Alexandre LAQUERRE wrote:
>
> Hi,
>
>  
>
> I have been using OSSEC for quite a while, and we decided to upgrade the 
> version (2.7.1) to 2.8.3. That was relatively successful, except for the 
> fact that it pulled a number on my ossec.conf by creating indent problems 
> and adding open brackets in the wrong area, but anyway it works. My issue is 
> that for the moment our client will not update the OSSEC agents and wishes to 
> keep 2.7.1. I have not seen any documentation that would indicate a 
> compatibility issue; however, I noticed that no matter what I do, the agents 
> will end up disconnecting. They will start out all active and then after 20 
> minutes or so they will all be disconnected except for a small minority. 
>
>  
>
> When I performed the install I set the maximum number of agents to 
> 4096 because the client has about … I would say close to 3000 agents. 
> Furthermore, the installation did go well; however, I suspect that the 
> agent.conf file in the shared folder got messed up due to this update being 
> very significant. I have been working on this issue for at least three days 
> and I am no longer certain where to look.
>
>  
>
> I would like to specify that I have already tried to erase the RIDs while 
> OSSEC is stopped (server), and when I start it back up again the same issue 
> occurs. Now I am hoping the solution will not be to erase the RIDs from the 
> clients, as it would be a long process for our customer.
>
>  
>
> Thank you,
>
>  
>
> Alexandre Laquerre
>
> Security Analyst
>
>
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/d/optout.
<agent_config os="Windows">
  <syscheck>
    <!-- Frequency that syscheck is executed - default to every 22 hours -->
    <frequency>72000</frequency>

    <!-- Default files to be monitored - system32 only. -->
    <directories check_all="yes">C:\Program Files/SplunkUniversalForwarder/etc/system/local</directories>
    <directories check_all="yes">%WINDIR%/win.ini</directories>
    <directories check_all="yes">%WINDIR%/system.ini</directories>
    <directories check_all="yes">C:\autoexec.bat</directories>
    <directories check_all="yes">C:\config.sys</directories>
    <directories check_all="yes">C:\boot.ini</directories>
    <directories check_all="yes">%WINDIR%/System32/CONFIG.NT</directories>
    <directories check_all="yes">%WINDIR%/System32/AUTOEXEC.NT</directories>
    <directories check_all="yes">%WINDIR%/System32/at.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/attrib.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/cacls.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/debug.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/drwatson.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/drwtsn32.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/edlin.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/eventcreate.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/eventtriggers.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/ftp.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/net.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/net1.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/netsh.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/rcp.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/reg.exe</directories>
    <directories check_all="yes">%WINDIR%/regedit.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/regedt32.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/regsvr32.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/rexec.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/rsh.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/runas.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/sc.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/subst.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/telnet.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/tftp.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/tlntsvr.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/drivers/etc</directories>
    <directories check_all="yes" realtime="yes">C:\Documents and Settings/All Users/Start Menu/Programs/Startup</directories>
    <directories check_all="yes" realtime="yes">C:\Users/Public/All Users/Microsoft/Windows/Start Menu/Startup</directories>
    <ignore type="sregex">.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$</ignore>

    <!-- Windows registry entries to monitor. -->
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\batfile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\cmdfile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\comfile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\exefile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\piffile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Directory</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Folder</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Protocols</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Policies</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Security</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components</windows_registry>

    <!-- Windows registry entries to ignore. -->
    <registry_ignore>HKEY_LOCAL_MACHINE\Security\Policy\Secrets</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users</registry_ignore>
    <registry_ignore type="sregex">\Enum$</registry_ignore>


    <!-- Windows files to ignore -->
    <ignore>C:\WINDOWS/System32/LogFiles</ignore>
    <ignore>C:\WINDOWS/Debug</ignore>
    <ignore>C:\WINDOWS/WindowsUpdate.log</ignore>
    <ignore>C:\WINDOWS/iis6.log</ignore>
    <ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
    <ignore>C:\WINDOWS/system32/wbem/Repository</ignore>
    <ignore>C:\WINDOWS/Prefetch</ignore>
    <ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
    <ignore>C:\WINDOWS/SoftwareDistribution</ignore>
    <ignore>C:\WINDOWS/Temp</ignore>
    <ignore>C:\WINDOWS/system32/config</ignore>
    <ignore>C:\WINDOWS/system32/spool</ignore>
    <ignore>C:\WINDOWS/system32/CatRoot</ignore>
  </syscheck>

</agent_config>

<agent_config os="Linux">
  <syscheck>

    <!-- Frequency that syscheck is executed - default to every 22 hours -->
    <frequency>72000</frequency>


    <!-- Directories to check  (perform all possible verifications) -->
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>

    <!-- Files/directories to ignore -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/mnttab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
    <ignore>/etc/utmpx</ignore>
    <ignore>/etc/wtmpx</ignore>
    <ignore>/etc/cups/certs</ignore>
    <ignore>/etc/dumpdates</ignore>
    <ignore>/etc/svc/volatile</ignore>

  </syscheck>

  <!-- Files to monitor (localfiles) -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/secure</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/maillog</location>
  </localfile>

  <localfile>
    <log_format>command</log_format>
    <command>df -h</command>
  </localfile>

  <localfile>
    <log_format>full_command</log_format>
    <command>netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort</command>
  </localfile>

  <localfile>
    <log_format>full_command</log_format>
    <command>last -n 5</command>
  </localfile>
</agent_config>

<agent_config>
  <rootcheck>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
    <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
    <system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>
    <system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt</system_audit>
    <system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>
  </rootcheck>
</agent_config>
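The two agent-side errors quoted at the top of this message both come from the way the agent merges the shared agent.conf with its own ossec.conf: a `<directories>` path that is already registered from ossec.conf (the stock agent ossec.conf lists `/etc,/usr/bin,/usr/sbin` and `/bin,/sbin`, exactly what the Linux block above repeats) triggers `ossec-config(1756): ERROR: Duplicated directory given`, and `<localfile>` entries with a `command`/`full_command` log format are refused unless the agent's `/var/ossec/etc/local_internal_options.conf` sets `logcollector.remote_commands=1`. The script below is an added example, not code from the post or from the OSSEC project: it preflights a shared agent.conf against an agent's ossec.conf and reports both conditions before the file is pushed to ~3000 agents. The sample configs inside it are constructed (a condensed version of the file above plus the stock syscheck defaults), and the profile-matching rule (a block applies when it has no `os` attribute or its `os` equals the agent's OS name, case-insensitively) and the "stop at the first duplicate path in an element" model are this example's own assumptions about the agent's behaviour, chosen because they reproduce the two errors shown.

```python
"""Preflight a shared OSSEC agent.conf against an agent's ossec.conf.

Reports (1) syscheck <directories> that the agent would reject as duplicates
and (2) <localfile> command entries that need logcollector.remote_commands=1.
Sample inputs are constructed for this example.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the syscheck block of a stock OSSEC agent ossec.conf.
AGENT_OSSEC_CONF = """
<ossec_config>
  <syscheck>
    <frequency>79200</frequency>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>
    <ignore>/etc/mtab</ignore>
  </syscheck>
</ossec_config>
"""

# Constructed sample: a condensed version of the shared agent.conf posted above.
SHARED_AGENT_CONF = """
<agent_config os="Windows">
  <syscheck>
    <directories check_all="yes">%WINDIR%/win.ini</directories>
  </syscheck>
</agent_config>

<agent_config os="Linux">
  <syscheck>
    <frequency>72000</frequency>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>
    <ignore>/etc/mtab</ignore>
  </syscheck>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/secure</location>
  </localfile>
  <localfile>
    <log_format>command</log_format>
    <command>df -h</command>
  </localfile>
  <localfile>
    <log_format>full_command</log_format>
    <command>netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort</command>
  </localfile>
</agent_config>

<agent_config>
  <rootcheck>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
  </rootcheck>
</agent_config>
"""


def _blocks_for(text, agent_os):
    """Yield the top-level config blocks that apply to agent_os.

    agent.conf holds several top-level <agent_config> elements, so the text is
    wrapped in a synthetic root to make it one XML document. Assumption of this
    example: a block applies when it has no os attribute or its os attribute
    equals the agent's OS name, case-insensitively.
    """
    root = ET.fromstring("<root>" + text + "</root>")
    for block in root:
        block_os = block.get("os")
        if block_os is None or block_os.lower() == agent_os.lower():
            yield block


def find_duplicate_directories(ossec_conf, agent_conf, agent_os):
    """Return the 'Duplicated directory given' errors the agent would log.

    The agent reads its own ossec.conf first, then the shared agent.conf.
    Modelled here (assumption) as: paths of each <directories> element are
    registered one by one, and the element is abandoned at the first path that
    is already registered, so only that path is reported for the element.
    """
    seen = set()
    errors = []
    for text in (ossec_conf, agent_conf):
        for block in _blocks_for(text, agent_os):
            for element in block.iter("directories"):
                paths = [p.strip() for p in (element.text or "").split(",") if p.strip()]
                for path in paths:
                    if path in seen:
                        errors.append(
                            "ossec-config(1756): ERROR: Duplicated directory given: '%s'." % path)
                        break  # rest of this element is not processed
                    seen.add(path)
    return errors


def find_remote_commands(agent_conf, agent_os):
    """Return <command> strings from command/full_command <localfile> entries.

    These are the entries the agent drops with "Remote commands are not
    accepted from the manager" unless logcollector.remote_commands=1 is set.
    """
    cmds = []
    for block in _blocks_for(agent_conf, agent_os):
        for localfile in block.iter("localfile"):
            fmt = (localfile.findtext("log_format") or "").strip()
            cmd = localfile.findtext("command")
            if fmt in ("command", "full_command") and cmd:
                cmds.append(cmd.strip())
    return cmds


if __name__ == "__main__":
    for line in find_duplicate_directories(AGENT_OSSEC_CONF, SHARED_AGENT_CONF, "Linux"):
        print(line)
    for cmd in find_remote_commands(SHARED_AGENT_CONF, "Linux"):
        print("needs logcollector.remote_commands=1 on the agent:", cmd)
```

Run against the real files by reading `/var/ossec/etc/ossec.conf` from an agent and `/var/ossec/etc/shared/agent.conf` from the manager into the two strings. The fix for the duplicates is to list each directory in only one of the two files (usually drop the repeated `<directories>` lines from agent.conf and let the agent's local ossec.conf keep them); the fix for the command entries is either to remove them from agent.conf or to set `logcollector.remote_commands=1` in each agent's local_internal_options.conf and restart the agent, keeping in mind that this lets whoever controls the manager run arbitrary commands on every agent. OSSEC 2.8 also ships `/var/ossec/bin/verify-agent-conf`, which parses the shared agent.conf the way an agent does and is worth running before every push.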
