Re: [ossec-list] Windows Server agent not sending notifications to Linux server

2020-08-18 Thread gerep

Dan, thank you a lot for your answer, it is working now =)


--

--- 
You received this message because you are subscribed to the Google Groups "ossec-list" group.

To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ossec-list/1FS9FQ.LC4K00HIAG3M3%40cloudwalk.io.


Re: [ossec-list] Windows Server agent not sending notifications to Linux server

2020-08-18 Thread dan (ddp)
On Mon, Aug 17, 2020 at 10:42 PM Daniel Gerep  wrote:
>
> Hi all,
>
> I am starting to use OSSEC so I may be doing something wrong here.
>
> I have OSSEC installed as a server in my Linux VM and the Agent in my Windows 
> Server 2012 VM.
>
> My server has the default configuration plus this:
>
>   <command>
>     <name>ossec-slack</name>
>     <executable>ossec-slack.sh</executable>
>     <expect></expect>
>     <timeout_allowed>no</timeout_allowed>
>   </command>
>
>   <active-response>
>     <disabled>no</disabled>
>     <command>ossec-slack</command>
>     <location>local</location>
>     <level>3</level>
>   </active-response>
>
>   <remote>
>     <connection>secure</connection>
>   </remote>
>
> In my Server, using the agent_control I can see my agent is active
>
> [root@gateway1-proxy bin]# ./agent_control -l
>
> OSSEC HIDS agent_control. List of available agents:
> ID: 000, Name: gateway1-proxy (server), IP: 127.0.0.1, Active/Local
> ID: 001, Name: clearing-optimizer, IP: XX.XX.X.X, Active
>
> With that, I believe my server and agent are communicating as expected.
>

You can look for alerts for log messages sent by the agent in
/var/ossec/logs/alerts/alerts.log on the server.
If there aren't any, turning on the log all option and checking
archives.log would be my next step.

> In my server's log, I have a lot of:
>
> 2020/08/17 19:25:18 ossec-remoted: WARN: Duplicate error:  global: 22, local: 
> 7947, saved global: 22, saved local:7948
> 2020/08/17 19:25:18 ossec-remoted(1407): ERROR: Duplicated counter for 
> 'clearing-optimizer'.
>
> I have found an old post here in this group and applied the suggestion but 
> the same error appears again after a while. I have also tried removing the 
> agent and adding again, with a different ID and name but again, after a 
> while, the error appears.
>

I'm not sure why that would be happening over and over, but you might
have to disable rids support entirely (set remoted.verify_msg_id=0 in
/var/ossec/etc/local_internal_options.conf).

> In my agent, I have the default configuration plus this:
>
>   <active-response>
>     <disabled>no</disabled>
>     <location>server</location>
>     <level>3</level>
>   </active-response>
>
> So, in my understanding, this is sending any active-response event to the 
> server, is that correct?
>

That's not how it works.
The agent monitors its own log files. When a new entry is written, the
agent sends the log message to the server.
The server then decodes the log message and compares it to its set of
rules. If a rule is triggered, an alert is created.
If that alert triggers an active response, the server sends a message
to the configured active response location.

In the case of the slack script, I believe it's run locally on the
server (it's been a long time since I looked at the script).

> Also, another question, is there a way to trigger an event in my agent 
> (Windows) so I can check if the server is receiving the notification 
> correctly?
>

Failing to log in a few times would trigger a log message. These log
messages should trigger alerts on the ossec server for that agent.

> Thank you.
>
>

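The reply above suggests checking /var/ossec/logs/alerts/alerts.log for alerts carrying the agent's name, and using failed logins on the Windows host to generate some. The parser below is an added example (not code from the thread or from the OSSEC project) that reads alerts.log-format records and reports which sources the server has alerted on and whether any alert from a given agent reached the active-response level. The sample records, the IP address 10.0.0.5 and the rule numbers in them are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample in OSSEC alerts.log format (not copied from the thread):
# two failed-logon alerts from the Windows agent and one local server alert.
SAMPLE_ALERTS = """\
** Alert 1597713918.1024: - windows,authentication_failed,
2020 Aug 17 19:25:18 (clearing-optimizer) 10.0.0.5->WinEvtLog
Rule: 18106 (level 5) -> 'Windows Logon Failure.'
WinEvtLog: Security: AUDIT_FAILURE(4625): Microsoft-Windows-Security-Auditing: ...

** Alert 1597713920.2048: - windows,authentication_failed,
2020 Aug 17 19:25:20 (clearing-optimizer) 10.0.0.5->WinEvtLog
Rule: 18106 (level 5) -> 'Windows Logon Failure.'
WinEvtLog: Security: AUDIT_FAILURE(4625): Microsoft-Windows-Security-Auditing: ...

** Alert 1597713930.4096: - ossec,
2020 Aug 17 19:25:30 gateway1-proxy->ossec-monitord
Rule: 502 (level 3) -> 'Ossec server started.'
ossec: Ossec started.
"""

# Header line: "** Alert <epoch>.<seq>: [mail ] - <group1>,<group2>,"
HEADER_RE = re.compile(r"^\*\* Alert (\d+)\.\d+: .*- (.*),$")
# Source line: "<date> (<agent>) <ip>-><location>" for agents, "<date> <host>-><location>" locally
SOURCE_RE = re.compile(r"^\d{4} \w{3} +\d{1,2} \d\d:\d\d:\d\d (?:\((.+?)\) (\S+)|(\S+))->(\S+)$")
RULE_RE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$")


def parse_alerts(text):
    """Split alerts.log text into one dict per '** Alert' record."""
    alerts = []
    for block in text.strip().split("\n\n"):
        lines = block.splitlines()
        if len(lines) < 3:
            continue  # not a complete record
        head, src, rule = HEADER_RE.match(lines[0]), SOURCE_RE.match(lines[1]), RULE_RE.match(lines[2])
        if not (head and src and rule):
            continue  # skip records whose first three lines do not follow the standard layout
        alerts.append({
            "ts": int(head.group(1)), "groups": head.group(2).split(","),
            "source": src.group(1) or src.group(3), "ip": src.group(2),
            "location": src.group(4), "rule": int(rule.group(1)),
            "level": int(rule.group(2)), "description": rule.group(3),
            "log": "\n".join(lines[3:]),
        })
    return alerts


def alerts_by_source(alerts):
    """Count (source, rule) pairs: shows at a glance which agents the server is alerting on."""
    return Counter((a["source"], a["rule"]) for a in alerts)


def agent_reached_level(alerts, agent, level):
    """True if any alert from `agent` is at or above `level` (the <level> in the active-response block)."""
    return any(a["source"] == agent and a["level"] >= level for a in alerts)
```

On the server, feed the real file with `parse_alerts(open("/var/ossec/logs/alerts/alerts.log").read())`; an empty result for the agent name means the log messages never became alerts, which is where the archives.log check comes in.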


[ossec-list] Windows Server agent not sending notifications to Linux server

2020-08-17 Thread Daniel Gerep
Hi all,

I am starting to use OSSEC so I may be doing something wrong here.

I have OSSEC installed as a server in my Linux VM and the Agent in my 
Windows Server 2012 VM.

My server has the default configuration plus this:

  <command>
    <name>ossec-slack</name>
    <executable>ossec-slack.sh</executable>
    <expect></expect>
    <timeout_allowed>no</timeout_allowed>
  </command>

  <active-response>
    <disabled>no</disabled>
    <command>ossec-slack</command>
    <location>local</location>
    <level>3</level>
  </active-response>

  <remote>
    <connection>secure</connection>
  </remote>

In my Server, using the agent_control I can see my agent is *active*

[root@gateway1-proxy bin]# ./agent_control -l

OSSEC HIDS agent_control. List of available agents:
ID: 000, Name: gateway1-proxy (server), IP: 127.0.0.1, Active/Local
ID: 001, Name: clearing-optimizer, IP: XX.XX.X.X, Active

With that, I believe my server and agent are communicating as expected.

In my server's log, I have a lot of:

2020/08/17 19:25:18 ossec-remoted: WARN: Duplicate error:  global: 22, 
local: 7947, saved global: 22, saved local:7948
2020/08/17 19:25:18 ossec-remoted(1407): ERROR: Duplicated counter for 
'clearing-optimizer'.

I have found an old post here in this group and applied the suggestion but 
the same error appears again after a while. I have also tried removing the 
agent and adding again, with a different ID and name but again, after a 
while, the error appears.

In my agent, I have the default configuration plus this:

  <active-response>
    <disabled>no</disabled>
    <location>server</location>
    <level>3</level>
  </active-response>

So, in my understanding, this is sending any active-response event to the 
server, is that correct?

Also, another question, is there a way to trigger an event in my agent 
(Windows) so I can check if the server is receiving the notification 
correctly?

Thank you.

