On Thu, Mar 29, 2018, 5:08 PM Neeraj Shah <[email protected]> wrote:
> Hi Dan,
>
> Thanks for the reply. On the OSSEC server, I see the below message in the
> log:
>
> *2018/03/29 20:55:10 ossec-remoted: DEBUG Sending file 'merged.mg' to agent.*
>
> However the merged.mg didn't make it or get created on the client side at
> all. The OSSEC server that comes with Security Onion is on 2.8.x while my
> client agent is on v 2.9.2. Can that be an issue?

It's possible, I don't check backwards compatibility very much, or Windows stuff really.

> Sorry for the duplicate threads regarding this error. Please delete the
> other ones.
>
> On Thursday, March 29, 2018 at 4:56:05 PM UTC-4, dan (ddpbsd) wrote:
>>
>> On Thu, Mar 29, 2018, 4:44 PM Neeraj Shah <[email protected]> wrote:
>>
>>> Hello All,
>>>
>>> Need some help. I am trying out ossec with Security Onion. The ossec
>>> server comes preinstalled in Security Onion. I am now trying the agent
>>> piece. I installed the v2.9.2 latest version agent on one of my Windows
>>> client PCs, did the initial config and restarted the agent. From the
>>> ossec server, the agent ID shows connected. So far so good.
>>>
>>> I then created the "/var/ossec/etc/shared/agent.conf" on the server,
>>> put in a stanza for "os=windows", saved the file and restarted the ossec
>>> server. After waiting for a while, I checked the client PC & the agent.conf
>>> didn't get created / deployed to the client. In fact, the agent logs on
>>> client were showing this error message: "XML Error /shared/agent.conf not
>>> found"
>>>
>>> So I then went ahead and created the agent.conf manually on my client
>>> and restarted the service again. The above XML error didn't show up this
>>> time but even after waiting for 15 mins or so, the agent.conf is empty. It
>>> is not downloading / syncing the changes from the agent.conf that's on the
>>> ossec server.
>>>
>>> What could the reason be?
>>> Any help appreciated
>>> =================================================
>>>
>>> Here is the result of md5check command:
>>>
>>> sudo /var/ossec/bin/agent_control -i 001
>>>
>>> OSSEC HIDS agent_control. Agent information:
>>>    Agent ID:   001
>>>    Agent Name: ENGG-WKS
>>>    IP address: 172.16.3.10
>>>    Status:     Active
>>>
>>>    Operating system:    Microsoft Windows 7 Business Edition Professional Se..
>>>    Client version:      OSSEC HIDS v2.9.2 / d41d8cd98f00b204e9800998ecf8427e
>>>    Last keep alive:     Thu Mar 29 20:20:40 2018
>>>
>>> root@securityonion:# md5sum /var/ossec/etc/shared/agent.conf
>>> 9e4fb5a9b0ea944c19cedab71e860b54  /var/ossec/etc/shared/agent.conf
>>>
>>> Both checksums are different.
>>
>> Check the permissions and ownership of the agent.conf on the agent. Check
>> for the contents of agent.conf in the merged.mg on the agent. Try the
>> 2.9.4 branch, I might have included a fix for this.

--

---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
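
The checksum comparison from the thread as a script, added here as an example that is not part of the original messages or of OSSEC itself. It extracts the checksum from the `Client version` line of `agent_control -i` output and compares it with the MD5 of a server-side file; it also flags `d41d8cd98f00b204e9800998ecf8427e`, which is the MD5 of zero bytes of input, so the value the agent reported above is the hash of empty content. The function names and the sample text are constructed for illustration.

```shell
#!/bin/sh
# Added example (not OSSEC code): classify the checksum an agent reports.

# MD5 of zero bytes of input. An agent reporting this hashed empty content.
EMPTY_MD5="d41d8cd98f00b204e9800998ecf8427e"

# Read agent_control output on stdin and print the first 32-hex-digit token
# found on or after the "Client version:" line (tolerates a wrapped line).
reported_md5() {
    awk '/Client version:/ { seen = 1 }
         seen { for (i = 1; i <= NF; i++)
                    if (length($i) == 32 && $i ~ /^[0-9a-f]+$/) { print $i; exit } }'
}

# Print only the hash field of md5sum for one local file.
file_md5() {
    md5sum "$1" | cut -d' ' -f1
}

# classify_sync AGENT_INFO_TEXT SERVER_FILE
# Prints one of: unknown | empty | in-sync | out-of-sync
classify_sync() {
    agent_sum=$(printf '%s\n' "$1" | reported_md5)
    if [ -z "$agent_sum" ]; then echo unknown; return; fi
    if [ "$agent_sum" = "$EMPTY_MD5" ]; then echo empty; return; fi
    if [ "$agent_sum" = "$(file_md5 "$2")" ]; then
        echo in-sync
    else
        echo out-of-sync
    fi
}

# Constructed sample, modelled on the agent_control output quoted in the thread.
SAMPLE='OSSEC HIDS agent_control. Agent information:
   Agent ID:   001
   Status:     Active
   Client version:      OSSEC HIDS v2.9.2 / d41d8cd98f00b204e9800998ecf8427e
   Last keep alive:     Thu Mar 29 20:20:40 2018'

# Demonstration on the sample; /dev/null stands in for the server-side file.
classify_sync "$SAMPLE" /dev/null

# On a live server (paths as used in the thread):
#   classify_sync "$(sudo /var/ossec/bin/agent_control -i 001)" \
#                 /var/ossec/etc/shared/agent.conf
```

A result of `empty` means the agent side holds nothing to compare, so the permissions and delivery checks suggested in the reply come before any comparison of file contents.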
