Something I forgot to put in the original email, this is an RHEL7 VM, Linux xxxxxx.xxxxxx.unm.edu 3.10.0-693.2.2.el7.x86_64 #1 SMP Sat Sep 9 03:55:24 EDT 2017 x86_64 x86_64 x86_64 GNU/Linux
On Wednesday, September 27, 2017 at 6:41:01 AM UTC-6, dan (ddpbsd) wrote:
>
> On Tue, Sep 26, 2017 at 1:41 PM, Oh Ar <[email protected]> wrote:
> > When I try to start the agent, I get a message that the logcollector module
> > has failed.
> >
> > 2017/09/22 14:52:01 ossec-logcollector: Remote commands are not accepted
> > from the manager. Ignoring it on the agent.conf
> > 2017/09/22 14:52:01 ossec-logcollector(1202): ERROR: Configuration error at
> > '/var/ossec/ossec-agent/etc/shared/agent.conf'. Exiting.
> >
> > This only happens when I have commands in the localfile section of the
> > agent.conf file, i.e.:
> >
> > <localfile>
> > <log_format>full_command</log_format>
> > <command>netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort</command>
> > <frequency>360</frequency>
> > </localfile>
> >
> > When I take these out of the agent.conf file, the error goes away, but from
> > reading the manual, it seems like I should be able to run these commands.
> >
>
> Did you set "logcollector.remote_commands" to 1 in agent's
> "ossec/etc/local_internal_options.conf"? If this is set to 0 (the
> default), remote commands are not accepted by the agent.
>

That solved the problem. It seems odd that the default settings cause errors, but, oh well.

> > Another problem I'm having is that when I try to restart the agent, I get
> > the following set of messages:
> >
> > 2017/09/22 14:52:01 ossec-syscheckd: WARN: Syscheck disabled.
> > 2017/09/22 14:52:01 rootcheck: Rootcheck disabled. Exiting.
> > 2017/09/22 14:52:01 ossec-syscheckd: WARN: Rootcheck module disabled.
> >
> > And I haven't had any luck with Google to find a solution. Every hit for
> > that phrase I've come up with has been for people who want to turn syscheck
> > off, not people who were having trouble turning it on.
> >
>
> Do you have any <directories> defined in the agent's ossec.conf? I
> can't think of any other way to disable syscheck.
>

Actually, I found that there is an option for turning rootcheck and syscheck off, which was set to do so. Again, weird default behaviour. But from the way <directories> sounds, would I be correct in guessing that if I don't configure those, I won't actually be rootchecking or syschecking anything? Do you have any documentation that says how to configure it? The page on ossec.conf doesn't mention a directories option.

> > Lastly, I'm getting an email from the system every hour that has messages
> > from every few seconds of the format:
> >
> > OSSEC HIDS Notification.
> > 2017 Sep 22 14:41:01
> >
> > Received From: (avtest)
> > 10.234.199.51->/var/ossec/logs/alerts/alerts.log|(avtest)
> > 10.234.199.51->/var/ossec/logs/alerts/alerts.log|(avtest)
> > 10.234.199.51->/var/ossec/logs/alerts/alerts.log|(avtest)
> > 10.234.199.51->/var/ossec/logs/alerts/alerts.log|(avtest) 10.234.199.51
> > Rule: 503 fired (level 3) -> "Ossec agent started."
> > Portion of the log(s):
> >
> > ossec: Agent started: 'avtest->10.234.199.51'.
> >
> > --END OF NOTIFICATION
> >
> > I don't know why it's telling me that the agent has started every 5 seconds
> > or so, unless the agent is restarting every 5 seconds or so. And if the
> > agent is restarting every 5 seconds or so, I want to make it *stop*. :D
> >
>
> Never seen that issue, you can check the agent's ossec.log for clues
> as to what is happening.
>

Sadly, no clues there. If it really is restarting every 5 seconds, it's not logging it. So, where is the log that the emails are generated from? :)

Thanks in advance,
-Sandro

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
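As an added example (not code from the thread or from the OSSEC project), the script below parses entries in the layout of the manager's alerts.log, the file named after "Received From" in the notification above, and checks whether rule 503 ("Ossec agent started") fires in bursts for one agent, which is the "restarting every 5 seconds" question. It also reports the location each of those alerts was received from, so the burst can be compared against the agent's own ossec.log. The sample entries are constructed: the agent name, IP, timestamps and alerts.log location mirror the notification but are not real data, and the thresholds max_gap and min_count are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of /var/ossec/logs/alerts/alerts.log on the
# manager. Agent name, IP, epoch values and locations are made up to mirror the
# notification in the thread; they are not taken from a real system.
SAMPLE_ALERTS = """\
** Alert 1506103261.10001: mail  - ossec,
2017 Sep 22 14:41:01 (avtest) 10.234.199.51->/var/ossec/logs/alerts/alerts.log
Rule: 503 (level 3) -> 'Ossec agent started.'
ossec: Agent started: 'avtest->10.234.199.51'.

** Alert 1506103266.10002: mail  - ossec,
2017 Sep 22 14:41:06 (avtest) 10.234.199.51->/var/ossec/logs/alerts/alerts.log
Rule: 503 (level 3) -> 'Ossec agent started.'
ossec: Agent started: 'avtest->10.234.199.51'.

** Alert 1506103271.10003: mail  - ossec,
2017 Sep 22 14:41:11 (avtest) 10.234.199.51->/var/ossec/logs/alerts/alerts.log
Rule: 503 (level 3) -> 'Ossec agent started.'
ossec: Agent started: 'avtest->10.234.199.51'.

** Alert 1506103300.10004: - syslog,sshd,authentication_success,
2017 Sep 22 14:41:40 (avtest) 10.234.199.51->/var/log/secure
Rule: 5715 (level 3) -> 'SSHD authentication success.'
Sep 22 14:41:40 avtest sshd[2201]: Accepted publickey for deploy from 10.0.0.7 port 51022 ssh2
"""

# "** Alert <epoch>.<seq>: ..." opens every alert; the epoch is what we do arithmetic on.
ALERT_HEADER = re.compile(r"^\*\* Alert (\d+)\.\d+: ")
# "<date> (<agent>) <ip>-><location>" says which agent and which file the event came from.
SOURCE_LINE = re.compile(r"^(\d{4} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \(([^)]+)\) ([\d.]+)->(\S+)")
RULE_LINE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'")


def parse_alerts(text):
    """Split alerts.log text into one dict per alert: epoch, agent, ip, location, rule, level, desc, log."""
    alerts = []
    for block in re.split(r"\n(?=\*\* Alert )", text.strip()):
        lines = block.splitlines()
        header = ALERT_HEADER.match(lines[0]) if lines else None
        if not header:
            continue
        rec = {"epoch": int(header.group(1)), "agent": None, "ip": None,
               "location": None, "rule": None, "level": None, "desc": None, "log": []}
        for line in lines[1:]:
            m = SOURCE_LINE.match(line)
            if m:
                rec["agent"], rec["ip"], rec["location"] = m.group(2), m.group(3), m.group(4)
                continue
            m = RULE_LINE.match(line)
            if m:
                rec["rule"], rec["level"], rec["desc"] = int(m.group(1)), int(m.group(2)), m.group(3)
                continue
            if line.strip():
                rec["log"].append(line)  # the raw log portion that triggered the rule
        alerts.append(rec)
    return alerts


def restart_gaps(alerts, rule_id=503):
    """Seconds between consecutive 'agent started' alerts, keyed by agent name."""
    times = defaultdict(list)
    for a in alerts:
        if a["rule"] == rule_id:
            times[a["agent"]].append(a["epoch"])
    gaps = {}
    for agent, ts in times.items():
        ts = sorted(ts)
        gaps[agent] = [later - earlier for earlier, later in zip(ts, ts[1:])]
    return gaps


def restart_storms(alerts, max_gap=60, min_count=3, rule_id=503):
    """Agents whose rule-503 alerts repeat at least min_count times with every gap <= max_gap seconds.
    Thresholds are assumptions for this example. For each flagged agent, return the alert count,
    the smallest and largest gap, and the locations the alerts were received from."""
    storms = {}
    for agent, gaps in restart_gaps(alerts, rule_id).items():
        if len(gaps) + 1 >= min_count and all(g <= max_gap for g in gaps):
            locations = sorted({a["location"] for a in alerts
                                if a["rule"] == rule_id and a["agent"] == agent})
            storms[agent] = {"count": len(gaps) + 1, "min_gap": min(gaps),
                             "max_gap": max(gaps), "locations": locations}
    return storms


if __name__ == "__main__":
    for agent, info in restart_storms(parse_alerts(SAMPLE_ALERTS)).items():
        print(f"{agent}: {info['count']} 'agent started' alerts, gaps "
              f"{info['min_gap']}-{info['max_gap']}s, received from {info['locations']}")
```

Run it against a real alerts.log by replacing SAMPLE_ALERTS with the file's contents; an agent whose rule-503 alerts arrive a few seconds apart while its own ossec.log shows no restarts points at the reported location, not the agent process, as the thing to inspect next.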
