I restarted the OSSEC server and the OSSEC agent 45 min ago. Here is the current listing for the shared directory on the OSSEC server:
[r...@wiggum shared]# ls -l
total 180
-r--r----- 1 root   ossec  3764 Apr  7 16:51 agent.conf
-r--r--r-- 1 root   ossec   203 Aug 27 15:04 ar.conf
-r--r----- 1 root   ossec  9487 Jul 10  2008 cis_debian_linux_rcl.txt
-r--r----- 1 root   ossec  8184 Feb 20  2009 cis_rhel5_linux_rcl.txt
-r--r----- 1 root   ossec 14241 Aug 28  2008 cis_rhel_linux_rcl.txt
-rw-r--r-- 1 ossecr ossec 77829 Aug 27 15:04 merged.mg
-r--r----- 1 root   ossec 14925 Jan 29  2009 rootkit_files.txt
-r--r----- 1 root   ossec  5307 Jun  3  2009 rootkit_trojans.txt
-r--r----- 1 root   ossec  7975 Apr 14  2008 system_audit_rcl.txt
-r--r----- 1 root   ossec  4676 Aug 17  2007 win_applications_rcl.txt
-r--r----- 1 root   ossec  3853 Mar 26  2009 win_audit_rcl.txt
-r--r----- 1 root   ossec  4923 Jul 21  2008 win_malware_rcl.txt

Here is the current listing for mercury's shared directory:

[r...@mercury shared]# ls -l
total 176
-rwxrwx--- 1 root  ossec  3764 Aug 27 14:00 agent.conf
-rwxrwx--- 1 root  ossec     0 Aug 27 15:03 ar.conf
-rwxrwx--- 1 root  ossec  9487 Aug 27 14:00 cis_debian_linux_rcl.txt
-rwxrwx--- 1 root  ossec  8184 Aug 27 14:00 cis_rhel5_linux_rcl.txt
-rwxrwx--- 1 root  ossec 14241 Aug 27 14:00 cis_rhel_linux_rcl.txt
-rw-r--r-- 1 ossec ossec 77829 Aug 27 14:00 merged.mg
-rwxrwx--- 1 root  ossec 14925 Aug 27 14:00 rootkit_files.txt
-rwxrwx--- 1 root  ossec  5307 Jun  3  2009 rootkit_trojans.txt
-rwxrwx--- 1 root  ossec     0 Sep  2  2009 -svn
-rwxrwx--- 1 root  ossec  7975 Aug 27 14:00 system_audit_rcl.txt
-rwxrwx--- 1 root  ossec  4676 Aug 27 14:00 win_applications_rcl.txt
-rwxrwx--- 1 root  ossec  3853 Aug 27 14:00 win_audit_rcl.txt
-rwxrwx--- 1 root  ossec  4923 Aug 27 14:00 win_malware_rcl.txt

Apparently, the OSSEC server has yet to send its merged.mg file to the mercury OSSEC agent host, despite the fact that I had restarted the server and mercury 45 min ago. Needless to say, the ar.conf file on mercury has yet to be updated.

On Aug 27, 3:00 pm, "dan (ddp)" <ddp...@gmail.com> wrote:
> Give it a shot. I don't think it'll hurt anything.
>
> On Fri, Aug 27, 2010 at 2:56 PM, blacklight <vphu...@yahoo.com> wrote:
> > My ar.conf file has yet to appear after close to one hour. Do you want
> > me to try with your method below?
> >
> > On Aug 27, 2:49 pm, "dan (ddp)" <ddp...@gmail.com> wrote:
> >> I tried doing this and getting the file back took a bit. I ended up
> >> creating a blank ar.conf (with correct permissions), restarting the
> >> server and the agent. It eventually came back. Not sure if all of that
> >> was necessary, I just didn't feel like waiting.
> >>
> >> On Fri, Aug 27, 2010 at 2:15 PM, blacklight <vphu...@yahoo.com> wrote:
> >> > Letting you know that I moved the ar.conf file out of the shared
> >> > directory of the mercury OSSEC agent host, and the listing below shows
> >> > what I got for the shared directory:
> >> >
> >> > [r...@mercury shared]# ls -l
> >> > total 176
> >> > -rwxrwx--- 1 root  ossec  3764 Aug 27 14:00 agent.conf
> >> > -rwxrwx--- 1 root  ossec  9487 Aug 27 14:00 cis_debian_linux_rcl.txt
> >> > -rwxrwx--- 1 root  ossec  8184 Aug 27 14:00 cis_rhel5_linux_rcl.txt
> >> > -rwxrwx--- 1 root  ossec 14241 Aug 27 14:00 cis_rhel_linux_rcl.txt
> >> > -rw-r--r-- 1 ossec ossec 77829 Aug 27 14:00 merged.mg
> >> > -rwxrwx--- 1 root  ossec 14925 Aug 27 14:00 rootkit_files.txt
> >> > -rwxrwx--- 1 root  ossec  5307 Jun  3  2009 rootkit_trojans.txt
> >> > -rwxrwx--- 1 root  ossec     0 Sep  2  2009 -svn
> >> > -rwxrwx--- 1 root  ossec  7975 Aug 27 14:00 system_audit_rcl.txt
> >> > -rwxrwx--- 1 root  ossec  4676 Aug 27 14:00 win_applications_rcl.txt
> >> > -rwxrwx--- 1 root  ossec  3853 Aug 27 14:00 win_audit_rcl.txt
> >> > -rwxrwx--- 1 root  ossec  4923 Aug 27 14:00 win_malware_rcl.txt
> >> >
> >> > Note that the file ar.conf is completely missing.
> >> >
> >> > Frustratingly enough, the contents of merged.mg show the contents
> >> > (current and correct) of the ar.conf file on the OSSEC server host:
> >> >
> >> > !203 ar.conf
> >> > restart-ossec0 - restart-ossec.sh - 0
> >> > restart-ossec0 - restart-ossec.cmd - 0
> >> > firewall-drop600 - firewall-drop.sh - 600
> >> > firewall-drop3600 - firewall-drop.sh - 3600
> >> > win_nullroute600 - route-null.cmd - 600
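The "!203 ar.conf" line quoted above is the packing header the server uses in merged.mg (a size and a file name, followed by that many bytes of the file). The following checker is an added example, not code from this thread or from the OSSEC project: it parses a merged.mg blob by those size headers and compares every packed file with what the agent's shared directory holds, which is exactly what would flag mercury's zero-byte ar.conf as stale. The header layout is assumed from the excerpt, and the sample merged.mg and agent state are constructed from the listings in the thread.

```python
import re
from typing import Dict, Optional

# Constructed sample merged.mg built from the ar.conf excerpt in the thread.
# Assumed layout (taken from the "!203 ar.conf" line): a "!<size> <name>"
# header, then exactly <size> bytes of that file, repeated per shared file.
AR_CONF = (
    b"restart-ossec0 - restart-ossec.sh - 0\n"
    b"restart-ossec0 - restart-ossec.cmd - 0\n"
    b"firewall-drop600 - firewall-drop.sh - 600\n"
    b"firewall-drop3600 - firewall-drop.sh - 3600\n"
    b"win_nullroute600 - route-null.cmd - 600\n"
)
AGENT_CONF = b"<agent_config>\n</agent_config>\n"  # constructed stand-in
MERGED_MG = (
    b"!%d agent.conf\n" % len(AGENT_CONF) + AGENT_CONF
    + b"!203 ar.conf\n" + AR_CONF
)
HEADER = re.compile(rb"!(\d+) (\S+)\n")


def parse_merged(blob: bytes) -> Dict[str, bytes]:
    """Split a merged.mg blob into {filename: content} using its size fields."""
    files, pos = {}, 0
    while pos < len(blob):
        if blob.startswith(b"#", pos):  # tolerate a leading comment line
            pos = blob.index(b"\n", pos) + 1
            continue
        m = HEADER.match(blob, pos)
        if not m:
            raise ValueError("bad merged.mg header at offset %d" % pos)
        size, name = int(m.group(1)), m.group(2).decode()
        content = blob[m.end():m.end() + size]
        if len(content) != size:
            raise ValueError("truncated entry for %s" % name)
        files[name] = content
        pos = m.end() + size
    return files


def compare_shared(merged: Dict[str, bytes],
                   agent: Dict[str, Optional[bytes]]) -> Dict[str, str]:
    """Per packed file: 'ok', 'stale' (content differs) or 'missing' on the agent."""
    report = {}
    for name, content in merged.items():
        have = agent.get(name)
        report[name] = "missing" if have is None else ("ok" if have == content else "stale")
    return report


# Constructed agent state mirroring the mercury listing: ar.conf is 0 bytes.
MERCURY_SHARED = {"agent.conf": AGENT_CONF, "ar.conf": b""}
```

Run compare_shared(parse_merged(MERGED_MG), MERCURY_SHARED) against a real agent by reading each shared file's bytes into the dict; any "stale" or "missing" entry means the agent has not applied the server's current merged.mg.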