Hi All,

Any help is appreciated. Thanks in advance.

I have an OSSEC 2.9 installation as a manager server, and with agents all works fine, but I am facing difficulties with agentless on AIX 7. Below are my details.

ossec.config:

<agentless>
  <type>ssh_generic_diff</type>
  <frequency>5</frequency>
  <host>[email protected]</host>
  <state>periodic</state>
  <arguments>/etc /usr/bin /usr/sbin /var/ossec/etc/ /var/ossec/bin/ /bin /sbin /boot</arguments>
</agentless>

Output from ossec.log:

2017/11/16 21:57:33 ossec-agentlessd: INFO: ssh_generic_diff: [email protected]: Started.
2017/11/16 21:57:33 ossec-agentlessd: INFO: ssh_generic_diff: [email protected]: Starting.
2017/11/16 21:57:33 ossec-agentlessd: INFO: ssh_generic_diff: [email protected]: Finished.

But nothing happens, and if I try to do manual testing I get the following errors. I am using NOPASS authentication with RSA keys, and I can log in with ssh without any difficulties using the command ssh user@IP.

Running the following command to test:

sudo -u ossec expect -d agentless/ssh_generic_diff [email protected] /home

OUTPUT:

expect version 5.45
argv[0] = expect  argv[1] = -d  argv[2] = agentless/ssh_generic_diff  argv[3] = [email protected]  argv[4] = /home
set argc 2
set argv0 "agentless/ssh_generic_diff"
set argv "[email protected] /home"
executing commands from command file agentless/ssh_generic_diff
spawn ssh [email protected]
parent: waiting for sync byte
parent: telling child to go ahead
parent: now unsynchronized from child
spawn: returns {36725}

expect: does "" (spawn_id exp6) match glob pattern "WARNING: REMOTE HOST"? no
"*sure you want to continue connecting*"? no
"ssh: connect to host*"? no
"no address associated with name"? no
"*Connection refused*"? no
"*Connection closed by remote host*"? no
"* password:*"? no
"*\$"? no
"*#"? no
Last unsuccessful login: Thu Nov 16 05:38:01 CST 2017 on ssh from 10.1.36.156
Last login: Thu Nov 16 10:59:14 CST 2017 on /dev/pts/2 from ldc-ossec-fim

expect: does "Last unsuccessful login: Thu Nov 16 05:38:01 CST 2017 on ssh from 10.1.36.156\r\nLast login: Thu Nov 16 10:59:14 CST 2017 on /dev/pts/2 from ldc-ossec-fim\r\n" (spawn_id exp6) match glob pattern "WARNING: REMOTE HOST"? no
"*sure you want to continue connecting*"? no
"ssh: connect to host*"? no
"no address associated with name"? no
"*Connection refused*"? no
"*Connection closed by remote host*"? no
"* password:*"? no
"*\$"? no
"*#"? no
-bsh: PS1=osectest:$PWD>:
expect: does "Last unsuccessful login: Thu Nov 16 05:38:01 CST 2017 on ssh from 10.1.36.156\r\nLast login: Thu Nov 16 10:59:14 CST 2017 on /dev/pts/2 from ldc-ossec-fim\r\n-bsh: PS1=osectest:$PWD>: " (spawn_id exp6) match glob pattern "WARNING: REMOTE HOST"? no
"*sure you want to continue connecting*"? no
"ssh: connect to host*"? no
"no address associated with name"? no
"*Connection refused*"? no
"*Connection closed by remote host*"? no
"* password:*"? no
"*\$"? yes
expect: set expect_out(0,string) "Last unsuccessful login: Thu Nov 16 05:38:01 CST 2017 on ssh from 10.1.36.156\r\nLast login: Thu Nov 16 10:59:14 CST 2017 on /dev/pts/2 from ldc-ossec-fim\r\n-bsh: PS1=osectest:$"
expect: set expect_out(spawn_id) "exp6"
expect: set expect_out(buffer) "Last unsuccessful login: Thu Nov 16 05:38:01 CST 2017 on ssh from 10.1.36.156\r\nLast login: Thu Nov 16 10:59:14 CST 2017 on /dev/pts/2 from ldc-ossec-fim\r\n-bsh: PS1=osectest:$"

INFO: Started.
INFO: Starting.

STORE: now
send: sending "/home\r" to { exp6 }
send: sending "exit\r" to { exp6 }
0402-026 The specified data is not a valid identifier.
$ /home
exit
/home: 0402-021 Cannot run the command as specified.
$ Connection to 10.1.31.24 closed.

expect: read eof
expect: set expect_out(spawn_id) "exp6"
expect: set expect_out(buffer) "PWD>: 0402-026 The specified data is not a valid identifier.\r\n$ /home\r\nexit\r\n/home: 0402-021 Cannot run the command as specified.\r\n$ Connection to 10.1.31.24 closed.\r\r\n"

INFO: Finished.
