Hi ehollis3942, Do you have salt enabled? If so, could it be replicating a blank agent.conf from your Security Onion master server to your Security Onion sensor?

On Wed, Feb 1, 2017 at 1:19 PM, <[email protected]> wrote:
> Our OSSEC server is running the newest version of Security Onion which has
> it built in
>
> On Wednesday, February 1, 2017 at 1:15:16 PM UTC-5, dan (ddpbsd) wrote:
>>
>> On Wed, Feb 1, 2017 at 1:12 PM, <[email protected]> wrote:
>> > Just a note, I have had /var/ossec/etc/shared/agent.conf go from having
>> > content back to being blank a number of times here without having any
>> > interaction on the server. Has anyone else experienced this?
>> >
>>
>> Did you install OSSEC from source, or from a package?
>>
>> > On Wednesday, February 1, 2017 at 12:38:44 PM UTC-5, dan (ddpbsd) wrote:
>> >>
>> >> On Wed, Feb 1, 2017 at 12:25 PM, <[email protected]> wrote:
>> >> > Hello All,
>> >> >
>> >> > I am currently working on a central ossec.conf file which contains our
>> >> > Windows and Linux configurations for all clients. Here are a few
>> >> > background details:
>> >> >
>> >> > 1. We currently only have a few Linux deployments and roughly 6 Windows
>> >> >    deployments as a POC
>> >> > 2. All clients have a custom config, specific to Windows or Linux
>> >> >
>> >> > Now, I'd like to manage clients going forward with a central config file
>> >> > using agent.conf within /var/ossec/etc/shared. I've followed these steps:
>> >> >
>> >> > 1. Created an agent.conf file, and ran verify-agent-conf without any
>> >> >    issues.
>> >> > 2. Ran MD5SUM against the agent.conf and noted hash
>> >> > 3. Ran agent-control -R <ID> against a few clients
>> >> > 4. Ran agent-control -i <ID> and verified that the MD5 changed to match
>> >> >    the agent.conf hash
>> >> > 5. I review the agent.conf file on a Windows client that had updated and
>> >> >    it is blank
>> >> > 6. I review the merged.mg file on the same client and I do see within the
>> >> >    file that the custom agent.conf from the server is present
>> >> > 7. I go back to the /var/ossec/etc/shared/agent.conf and now see that it
>> >> >    is completely blank with a different MD5
>> >> >
>> >> > Can anyone explain why the agent.conf on the server would have the
>> >> > content removed? My guess is that if the client doesn't have this info in
>> >> > the agent.conf that it is only reading their local ossec.conf file?
>> >> >
>> >> > As a side note, do I need to re-deploy a new ossec.conf to clients out
>> >> > there with only the server IP configuration or will OSSEC merge the
>> >> > config with the agent.conf on the server?
>> >> >
>> >>
>> >> There shouldn't be anything in ossec that will blank the agent.conf on
>> >> the server.
>> >> If there is no agent.conf, the agent will use the ossec.conf.
>> >> The running configuration merges the ossec.conf and agent.conf.
>> >>
>> >> > Thanks all for the help!
>> >> >
>> >> > Eric
>> >> >
>> >> > --
>> >> >
>> >> > ---
>> >> > You received this message because you are subscribed to the Google
>> >> > Groups "ossec-list" group.
>> >> > To unsubscribe from this group and stop receiving emails from it, send
>> >> > an email to [email protected].
>> >> > For more options, visit https://groups.google.com/d/optout.
--
Doug Burks
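The procedure quoted above (baseline the shared agent.conf by MD5, then later find it blank) and dan's point that agents silently fall back to their local ossec.conf when agent.conf is empty both argue for a watchdog on the server side. The script below is an added example, not code from this thread, OSSEC or Security Onion; it assumes GNU md5sum, the /var/ossec paths named in the thread, and an invented baseline file name (.agent.conf.md5). Run record_baseline after verify-agent-conf accepts a new agent.conf, and check_agent_conf from cron so a wipe by salt or anything else is caught at once rather than discovered on a client.

```shell
#!/bin/sh
# Added example: watchdog for the OSSEC shared agent.conf.
# Assumed paths/names (not from the thread): BASELINE file name below.
AGENT_CONF="${AGENT_CONF:-/var/ossec/etc/shared/agent.conf}"
BASELINE="${BASELINE:-/var/ossec/etc/shared/.agent.conf.md5}"

# Print only the md5 hex digest of a file (the value agent-control -i shows).
file_md5() {
    md5sum "$1" | cut -d' ' -f1
}

# Record the current hash as the trusted baseline. When operating on the
# real shared file, refuse if verify-agent-conf (run without arguments, as
# in the thread) rejects it, so a broken config is never baselined.
record_baseline() {
    conf="${1:-$AGENT_CONF}"; base="${2:-$BASELINE}"
    if [ "$conf" = /var/ossec/etc/shared/agent.conf ] \
       && [ -x /var/ossec/bin/verify-agent-conf ]; then
        /var/ossec/bin/verify-agent-conf >/dev/null 2>&1 || {
            echo "refusing to baseline: verify-agent-conf rejected $conf" >&2
            return 1
        }
    fi
    file_md5 "$conf" > "$base"
}

# Compare the live file with the baseline.
# Exit status: 0 unchanged, 1 content changed, 2 blank or missing.
check_agent_conf() {
    conf="${1:-$AGENT_CONF}"; base="${2:-$BASELINE}"
    if [ ! -s "$conf" ]; then
        # Zero-byte file: agents receive nothing and fall back to ossec.conf.
        echo "ALERT: $conf is blank or missing; agents will use only their local ossec.conf"
        return 2
    fi
    expected=$(cat "$base" 2>/dev/null)
    actual=$(file_md5 "$conf")
    if [ "$actual" != "$expected" ]; then
        echo "WARN: $conf md5 $actual differs from baseline ${expected:-<none>}"
        return 1
    fi
    echo "OK: $conf matches baseline $actual"
    return 0
}
```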
