On Fri, Aug 27, 2010 at 10:24 AM, blacklight <vphu...@yahoo.com> wrote:
> Will updating the OSSEC server to 2.4 solve anything? Yes, the server
> is on 2.1 right now but I am experiencing the issue even when the
> agent is on 2.1
>
>

It's hard to tell if it will actually fix that problem or not. It's
just not recommended to use an over 1 year old (3 releases behind)
version for the server with agents that are using newer versions. The
backwards compatibility is for newer servers with older agents, not
the other way around.

Are any of the agents getting updated properly?
Anything in the logs on the agents or the server that might be useful?
Have you tried running the appropriate daemons in debug mode (-d
flag)?

One thing that confuses me in your email is the following:
> [r...@wiggum shared]# ls -l .svn
> total 36
> -r-xr-x--- 1 root ossec  104 Mar  6  2009 dir-wcprops
> -r-xr-x--- 1 root ossec    0 Mar  6  2009 empty-file
> -r--r--r-- 1 root root  3155 Jan 22  2010 entries
> -r-xr-x--- 1 root ossec    2 Mar  6  2009 format
> dr-xr-x--- 2 root ossec 4096 Mar  6  2009 prop-base
> dr-xr-x--- 2 root ossec 4096 Mar  6  2009 props
> -r-xr-x--- 1 root ossec  118 Mar  6  2009 README.txt
> dr-xr-x--- 2 root ossec 4096 Jan 22  2010 text-base
> dr-xr-x--- 6 root ossec 4096 Jan 22  2010 tmp
> dr-xr-x--- 2 root ossec 4096 Jan 22  2010 wcprops
>
>
> Here are the current contents of the .svn file:
>
> [r...@mercury shared]# ls -l -svn
> total 180
> 0 -rwxrwx--- 1   0 502     0 Sep  2  2009 -svn
> 4 -rwxrwx--- 1   0 502  3764 Aug 25 11:26 agent.conf
> 4 -rwxrwx--- 1   0 502   111 Jul 16  2009 ar.conf
> 12 -rwxrwx--- 1   0 502  9487 Aug 25 11:26 cis_debian_linux_rcl.txt
> 8 -rwxrwx--- 1   0 502  8184 Aug 25 11:26 cis_rhel5_linux_rcl.txt
> 16 -rwxrwx--- 1   0 502 14241 Aug 25 11:26 cis_rhel_linux_rcl.txt
> 84 -rw-r--r-- 1 502 502 77829 Aug 25 11:26 merged.mg
> 16 -rwxrwx--- 1   0 502 14925 Aug 25 11:26 rootkit_files.txt
> 8 -rwxrwx--- 1   0 502  5307 Jun  3  2009 rootkit_trojans.txt
> 8 -rwxrwx--- 1   0 502  7975 Aug 25 11:26 system_audit_rcl.txt
> 8 -rwxrwx--- 1   0 502  4676 Aug 25 11:26 win_applications_rcl.txt
> 4 -rwxrwx--- 1   0 502  3853 Aug 25 11:26 win_audit_rcl.txt
> 8 -rwxrwx--- 1   0 502  4923 Aug 25 11:26 win_malware_rcl.txt
>
>
> Clearly, OSSEC does not do a good job of replicating hidden
> directories.

Can you provide the output of 'ls -l /var/ossec/etc/shared/.svn' on mercury?

Thanks,
dan
