I did some more testing and simplified the setup.

On the agent:
    + I completely cleared the etc/shared directory of all files
    + I checked the permissions allowed ossec to write to that directory

On the server:
    + I checked the permissions of the etc/shared directory to ensure the 
server could read them.
    + I deleted the merged.mg and agent.conf file
    + I recreated a blank agent.conf file

When I restart both the server and the agent I see:

On the server:
    + The merged.mg file is created and has a filesize > 0
    + The log message states: "DEBUG Sending file 'merged.mg' to agent"

On the agent:
    + The merged.mg file appears with a filesize of 0
    + The merged.mg file then disappears a couple of seconds later. The 
filesize remains at 0 bytes.
    + There are no messages in the log pertaining to the file - even in 
debug mode.


So to me it seems like the file transfer of the merged.mg file is failing. 

Are there any common causes of this? 

Does the file transfer happen on a port other than 1514, 445 or 139? 

On Wednesday, 26 October 2016 19:11:39 UTC+1, Sean Mitchell wrote:
>
> Thanks for your response.
>
> The only content in the folder is the *rcl.txt files, the rootkit files, 
> agent.conf and ar.conf. They are all readable by the ossec group.
>
> I have a similar set of files on the agent.
>
> I do have the "ossec-remoted: DEBUG Sending file 'merged.mg' to agent." 
> log message in the manager logs.
>
> Is there anything else I can try?
>
> On Wednesday, 26 October 2016 12:23:38 UTC+1, Pedro S wrote:
>>
>> Hi Sean,
>>
>> OSSEC compresses the whole /var/ossec/etc/shared directory, including the 
>> agent.conf, and pushes everything (merged.mg) to the agents. Sometimes if 
>> you have something not entirely readable in that folder the push fails. 
>> What content do you have in the shared folder?
>>
>> Every time a file is sent to the agent (in this case, merged.mg), a SUM 
>> hash is sent in the package to verify that the received file has the same 
>> MD5 as it had on the Manager. I think that check is the one failing in 
>> your environment.
>>
>> Do you have the output "Sending file 'filename' to agent." on your 
>> Manager log? (Requires debug).
>>
>>
>> Best regards,
>>
>> Pedro S.
>>
>>
>>
>> On Tue, Oct 25, 2016 at 11:27 PM, Sean Mitchell <[email protected]> 
>> wrote:
>>
>>> Hi all,
>>>
>>> I've just set up a simple Alienvault server -> FreeBSD 10.3 OSSEC agent. 
>>> I'm using OSSEC v2.8 on both machines.
>>>
>>> I've created a blank agent.conf for testing and enabled debug logging 
>>> and every time I restart the agent and it tries to receive the agent.conf I 
>>> get this error message on the agent.
>>>
>>> ossec-agentd: ERROR: Failed md5 for: /etc/shared/merged.mg -- deleting.
>>>
>>> No matter what I try, the agent.conf never shows up on the agent. I've 
>>> ensured all the permissions are set accordingly and I can even see the 
>>> merged.mg file briefly in the directory before it gets deleted.
>>>
>>> I've tried numerous agent.conf's on the server to be pushed and none 
>>> seem to work - weirdly the blank config doesn't work either.
>>>
>>> Any ideas as to what to try?
>>>
>>> Thanks.
>>>
>>> -- 
>>>
>>> --- 
>>> You received this message because you are subscribed to the Google 
>>> Groups "ossec-list" group.
>>> To unsubscribe from this group and stop receiving emails from it, send 
>>> an email to [email protected].
>>> For more options, visit https://groups.google.com/d/optout.
>>>
>>
>>

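A diagnostic for the two things discussed in this thread, as an added example that is not part of the original messages or of OSSEC itself: it lists entries in the shared directory that are not plain readable files, and classifies an agent-side merged.mg against the MD5 taken on the manager. The function names are this example's own, and the default path is the /var/ossec/etc/shared location mentioned above; run it as the ossec user so the readability check reflects that account.

```python
import hashlib
import os
import stat

EMPTY_MD5 = hashlib.md5(b"").hexdigest()  # digest of a 0-byte file

def md5_of(path):
    """Stream the file so a large bundle is not read into memory at once."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def audit_shared_dir(shared_dir):
    """Return (name, problem) pairs for entries that could break the bundle."""
    problems = []
    for name in sorted(os.listdir(shared_dir)):
        path = os.path.join(shared_dir, name)
        mode = os.lstat(path).st_mode  # lstat: report symlinks, do not follow
        if not stat.S_ISREG(mode):
            problems.append((name, "not a regular file"))
        elif not os.access(path, os.R_OK):
            problems.append((name, "not readable by this user"))
    return problems

def classify_copy(manager_md5, agent_path):
    """Compare the agent-side copy against the digest taken on the manager."""
    if not os.path.exists(agent_path):
        return "missing"
    agent_md5 = md5_of(agent_path)
    if agent_md5 == manager_md5:
        return "match"
    if agent_md5 == EMPTY_MD5:
        return "empty"     # file was created but no payload was written
    return "mismatch"      # payload arrived but differs from the manager's

if __name__ == "__main__":
    import sys
    # Assumed default install path; pass another directory as argv[1].
    shared = sys.argv[1] if len(sys.argv) > 1 else "/var/ossec/etc/shared"
    for name, problem in audit_shared_dir(shared):
        print(f"{name}: {problem}")
    merged = os.path.join(shared, "merged.mg")
    if os.path.exists(merged):
        print("merged.mg md5:", md5_of(merged))
```

An "empty" result matches the symptom reported above (a 0-byte merged.mg on the agent) and points at the payload not arriving, while "mismatch" points at content being altered or truncated in transit.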