I managed to resolve this issue in the end by removing OSSEC on the client and re-installing and then re-adding the key.
I've no idea what happened but I'm guessing something got messed up.

Thanks again for your support!

On Monday, 31 October 2016 09:38:26 UTC, Pedro S wrote:
>
> Hi,
>
> I am sorry Mitchell but I can't think about what is happening there, it
> seems related to the transfer like you said, next step you need will be
> inserting some debug control messages to figure out what is happening.
>
> - When generating the files: client-agent/notify.c
>   <https://github.com/wazuh/ossec-wazuh/blob/1b6de44e9dc70fb056f804ebac58cabd9a357912/src/client-agent/notify.c#L54>
> - Receiving and merging: receiver.c
>   <https://github.com/wazuh/ossec-wazuh/blob/1b6de44e9dc70fb056f804ebac58cabd9a357912/src/client-agent/receiver.c#L124-L204>
>
> So the point is, the line failing on your Agent is: strcmp(currently_md5,
> file_sum), which compares MD5 sums of two strings, I am thinking about some
> compatibility issue on FreeBSD and MD5 sums but I am not sure.
>
> Regards,
> Pedro S.
>
> On Sat, Oct 29, 2016 at 1:37 PM, S <[email protected]> wrote:
>
>> I did some more testing and simplified the setup.
>>
>> On the agent:
>> + I completely cleared the etc/shared directory of all files
>> + I checked the permissions allowed ossec to write to that directory
>>
>> On the server:
>> + I checked the permissions of the etc/shared directory to ensure the
>> server could read them.
>> + I deleted the merged.mg and agent.conf file
>> + I recreated a blank agent.conf file
>>
>> When I restart both the server and the agent I see:
>>
>> On the server:
>> + The merged.mg file is created and has a filesize > 0
>> + The log message states: "DEBUG Sending file 'merged.mg' to agent"
>>
>> On the agent:
>> + The merged.mg file appears with a filesize of 0
>> + The merged.mg file then disappears a couple of seconds later. The
>> filesize remains at 0 bytes.
>> + There are no messages in the log pertaining to the file - even in
>> debug mode.
>>
>> So to me it seems like the file transfer of the merged.mg file is
>> failing.
>>
>> Are there any common causes of this?
>>
>> Does the file transfer happen on a port other than 1514, 445 or 139?
>>
>> On Wednesday, 26 October 2016 19:11:39 UTC+1, Sean Mitchell wrote:
>>>
>>> Thanks for your response.
>>>
>>> The only content in the folder is the *rcl.txt files, the rootkit files,
>>> agent.conf and ar.conf. They are all readable by the ossec group.
>>>
>>> I have a similar set of files on the agent.
>>>
>>> I do have the "ossec-remoted: DEBUG Sending file 'merged.mg' to agent."
>>> log message in the manager logs.
>>>
>>> Is there anything else I can try?
>>>
>>> On Wednesday, 26 October 2016 12:23:38 UTC+1, Pedro S wrote:
>>>>
>>>> Hi Sean,
>>>>
>>>> OSSEC compresses the whole /var/ossec/etc/shared directory, including the
>>>> agent.conf and pushes everything (merged.mg) to the agents. Sometimes if
>>>> you have something not entirely readable on that folder the push fails,
>>>> what content do you have in shared folder?
>>>>
>>>> Every time a file is sent to the agent (in this case, merged.mg) a SUM
>>>> hash is sent on the package to verify that the received file has the same
>>>> MD5 as it had on the Manager, I think that check is the one failing on
>>>> your environment.
>>>>
>>>> Do you have the output "Sending file 'filename' to agent." on your
>>>> Manager log? (Requires debug).
>>>>
>>>> Best regards,
>>>>
>>>> Pedro S.
>>>>
>>>> On Tue, Oct 25, 2016 at 11:27 PM, Sean Mitchell <[email protected]>
>>>> wrote:
>>>>
>>>>> Hi all,
>>>>>
>>>>> I've just set up a simple Alienvault server -> FreeBSD 10.3 OSSEC
>>>>> agent. I'm using OSSEC v2.8 on both machines.
>>>>>
>>>>> I've created a blank agent.conf for testing and enabled debug logging
>>>>> and every time I restart the agent and it tries to receive the agent.conf
>>>>> I get this error message on the agent.
>>>>>
>>>>> ossec-agentd: ERROR: Failed md5 for: /etc/shared/merged.mg -- deleting.
>>>>>
>>>>> No matter what I try, the agent.conf never shows up on the agent. I've
>>>>> ensured all the permissions are set accordingly and I can even see the
>>>>> merged.mg file briefly in the directory before it gets deleted.
>>>>>
>>>>> I've tried numerous agent.conf's on the server to be pushed and none
>>>>> seem to work - weirdly the blank config doesn't work either.
>>>>>
>>>>> Any ideas as to what to try?
>>>>>
>>>>> Thanks.
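
The check described in the thread (the MD5 announced by the manager compared with the MD5 of the file the agent actually wrote) can be reproduced by hand when triaging this error. The Python sketch below is an added example, not OSSEC code and not part of the original messages; the function names and the sample payload are constructed for illustration. It separates a 0-byte receive, as seen on the agent here, from a genuine content mismatch.

```python
import hashlib
import os
import tempfile

# MD5 of zero bytes: a received file with this sum never got any data.
EMPTY_MD5 = hashlib.md5(b"").hexdigest()


def file_md5(path, chunk_size=65536):
    """Return the hex MD5 of a file, read in chunks."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_received(path, expected_md5, delete_on_failure=True):
    """Compare a received file against the sum announced by the sender.

    Returns "ok", "empty" (nothing was written, as with the thread's
    0-byte merged.mg) or "mismatch". A failed file is removed, mirroring
    the "Failed md5 ... deleting" behaviour reported in the thread.
    """
    actual = file_md5(path)
    if actual == expected_md5.strip().lower():
        return "ok"
    verdict = "empty" if actual == EMPTY_MD5 else "mismatch"
    if delete_on_failure:
        os.remove(path)
    return verdict


def demo():
    """Run the check on constructed sample data (not real OSSEC files)."""
    payload = b"constructed stand-in for the manager's merged.mg\n"
    announced = hashlib.md5(payload).hexdigest()
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in (("good", payload), ("zero", b""), ("cut", payload[:10])):
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(data)
            results[name] = (check_received(path, announced), os.path.exists(path))
    return results


if __name__ == "__main__":
    for name, (verdict, kept) in demo().items():
        print(f"{name}: {verdict}, file kept: {kept}")
```

An "empty" verdict points at the transfer or the write on the receiving side rather than at the hashing itself, which narrows where to add debug output.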
