> I ended up with the original merged.mg file in its place.

It looks like the system received the merged.mg file that was on your
server instead and overwrote the merged.mg file on the OSSEC agent
host. And quickly, too. "Quickly" is not what's happening on my OSSEC
agent host, by the way.

> Anyways, I'm guessing this isn't going to work. I put the file back in
> place on that agent, I'll update if anything happens.

I can zip up the contents of the shared directory of the OSSEC server
and ship the zipped file to you. I'll have to do that on Monday
morning, though.

In the meantime, one possibility is emptying out the shared directory
of the OSSEC server except for the merged.mg file, restart the OSSEC
server to trigger the transfer of the merged.mg file to the agent and
restart the agent to have the agent unwrap it.

Thanks for your effort

On Aug 28, 12:43 am, "dan (ddp)" <ddp...@gmail.com> wrote:
> Got it. I don't think it's going to do much. I tried putting it on an
> agent and restarting ossec. I ended up with the original merged.mg
> file in its place.
> I even emptied all of the files except the merged.mg file and
> restarted the agent, only to find all of the files back in place. Not
> sure why it worked so quickly on that try.
>
> Anyways, I'm guessing this isn't going to work. I put the file back in
> place on that agent, I'll update if anything happens.
>
> On Fri, Aug 27, 2010 at 4:47 PM, blacklight <vphu...@yahoo.com> wrote:
> > Cool.  To what mailing address should I send the merged.mg file?
>
> > On Aug 27, 4:37 pm, "dan (ddp)" <ddp...@gmail.com> wrote:
> >> Send it, I'll give it a shot later. Probably tonight.
>
> >> On Fri, Aug 27, 2010 at 4:24 PM, blacklight <vphu...@yahoo.com> wrote:
> >> > It does seem to take for ever for the update to take place. I really
> >> > would like to send you my merged.mg file for you to test.
>
> >> > On Aug 27, 3:46 pm, blacklight <vphu...@yahoo.com> wrote:
> >> >> I restarted the OSSEC server and the OSSEC agent 45 min ago.
>
> >> >> Here is the current listing for the shared directory on the OSSEC
> >> >> server:
>
> >> >> [r...@wiggum shared]# ls -l
> >> >> total 180
> >> >> -r--r----- 1 root   ossec  3764 Apr  7 16:51 agent.conf
> >> >> -r--r--r-- 1 root   ossec   203 Aug 27 15:04 ar.conf
> >> >> -r--r----- 1 root   ossec  9487 Jul 10  2008 cis_debian_linux_rcl.txt
> >> >> -r--r----- 1 root   ossec  8184 Feb 20  2009 cis_rhel5_linux_rcl.txt
> >> >> -r--r----- 1 root   ossec 14241 Aug 28  2008 cis_rhel_linux_rcl.txt
> >> >> -rw-r--r-- 1 ossecr ossec 77829 Aug 27 15:04 merged.mg
> >> >> -r--r----- 1 root   ossec 14925 Jan 29  2009 rootkit_files.txt
> >> >> -r--r----- 1 root   ossec  5307 Jun  3  2009 rootkit_trojans.txt
> >> >> -r--r----- 1 root   ossec  7975 Apr 14  2008 system_audit_rcl.txt
> >> >> -r--r----- 1 root   ossec  4676 Aug 17  2007 win_applications_rcl.txt
> >> >> -r--r----- 1 root   ossec  3853 Mar 26  2009 win_audit_rcl.txt
> >> >> -r--r----- 1 root   ossec  4923 Jul 21  2008 win_malware_rcl.txt
>
> >> >> Here is the current listing for mercury's shared directory:
>
> >> >> [r...@mercury shared]# ls -l
> >> >> total 176
> >> >> -rwxrwx--- 1 root  ossec  3764 Aug 27 14:00 agent.conf
> >> >> -rwxrwx--- 1 root  ossec     0 Aug 27 15:03 ar.conf
> >> >> -rwxrwx--- 1 root  ossec  9487 Aug 27 14:00 cis_debian_linux_rcl.txt
> >> >> -rwxrwx--- 1 root  ossec  8184 Aug 27 14:00 cis_rhel5_linux_rcl.txt
> >> >> -rwxrwx--- 1 root  ossec 14241 Aug 27 14:00 cis_rhel_linux_rcl.txt
> >> >> -rw-r--r-- 1 ossec ossec 77829 Aug 27 14:00 merged.mg
> >> >> -rwxrwx--- 1 root  ossec 14925 Aug 27 14:00 rootkit_files.txt
> >> >> -rwxrwx--- 1 root  ossec  5307 Jun  3  2009 rootkit_trojans.txt
> >> >> -rwxrwx--- 1 root  ossec     0 Sep  2  2009 -svn
> >> >> -rwxrwx--- 1 root  ossec  7975 Aug 27 14:00 system_audit_rcl.txt
> >> >> -rwxrwx--- 1 root  ossec  4676 Aug 27 14:00 win_applications_rcl.txt
> >> >> -rwxrwx--- 1 root  ossec  3853 Aug 27 14:00 win_audit_rcl.txt
> >> >> -rwxrwx--- 1 root  ossec  4923 Aug 27 14:00 win_malware_rcl.txt
>
> >> >> Apparently, the OSSEC server has yet to send its merged.mg file to the
> >> >> mercury OSSEC agent host, despite the fact that I had restarted the
> >> >> server and mercury 45 min ago. Needless to say, the ar.conf file on
> >> >> mercury has yet to be updated.
>
> >> >> On Aug 27, 3:00 pm, "dan (ddp)" <ddp...@gmail.com> wrote:
>
> >> >> > Give it a shot. I don't think it'll hurt anything.
>
> >> >> > On Fri, Aug 27, 2010 at 2:56 PM, blacklight <vphu...@yahoo.com> wrote:
> >> >> > > My ar.conf file has yet to appear after close to one hour. Do you want
> >> >> > > me to try with your method below?
>
> >> >> > > On Aug 27, 2:49 pm, "dan (ddp)" <ddp...@gmail.com> wrote:
> >> >> > >> I tried doing this and getting the file back took a bit. I ended up
> >> >> > >> creating a blank ar.conf (with correct permissions), restarting the
> >> >> > >> server and the agent. It eventually came back. Not sure if all of that
> >> >> > >> was necessary, I just didn't feel like waiting.
>
> >> >> > >> On Fri, Aug 27, 2010 at 2:15 PM, blacklight <vphu...@yahoo.com> wrote:
> >> >> > >> > Letting you know that I moved the ar.conf file out of the shared
> >> >> > >> > directory of the mercury OSSEC agent host, and the listing below shows
> >> >> > >> > what I got for the shared directory:
>
> >> >> > >> > [r...@mercury shared]# ls -l
> >> >> > >> > total 176
> >> >> > >> > -rwxrwx--- 1 root  ossec  3764 Aug 27 14:00 agent.conf
> >> >> > >> > -rwxrwx--- 1 root  ossec  9487 Aug 27 14:00 cis_debian_linux_rcl.txt
> >> >> > >> > -rwxrwx--- 1 root  ossec  8184 Aug 27 14:00 cis_rhel5_linux_rcl.txt
> >> >> > >> > -rwxrwx--- 1 root  ossec 14241 Aug 27 14:00 cis_rhel_linux_rcl.txt
> >> >> > >> > -rw-r--r-- 1 ossec ossec 77829 Aug 27 14:00 merged.mg
> >> >> > >> > -rwxrwx--- 1 root  ossec 14925 Aug 27 14:00 rootkit_files.txt
> >> >> > >> > -rwxrwx--- 1 root  ossec  5307 Jun  3  2009 rootkit_trojans.txt
> >> >> > >> > -rwxrwx--- 1 root  ossec     0 Sep  2  2009 -svn
> >> >> > >> > -rwxrwx--- 1 root  ossec  7975 Aug 27 14:00 system_audit_rcl.txt
> >> >> > >> > -rwxrwx--- 1 root  ossec  4676 Aug 27 14:00 win_applications_rcl.txt
> >> >> > >> > -rwxrwx--- 1 root  ossec  3853 Aug 27 14:00 win_audit_rcl.txt
> >> >> > >> > -rwxrwx--- 1 root  ossec  4923 Aug 27 14:00 win_malware_rcl.txt
>
> >> >> > >> > Note that the file ar.conf is completely missing.
>
> >> >> > >> > Frustratingly enough, the contents of merged.mg show the contents
> >> >> > >> > (current and correct) of the ar.conf file on the OSSEC server host:
>
> >> >> > >> > !203 ar.conf
> >> >> > >> > restart-ossec0 - restart-ossec.sh - 0
> >> >> > >> > restart-ossec0 - restart-ossec.cmd - 0
> >> >> > >> > firewall-drop600 - firewall-drop.sh - 600
> >> >> > >> > firewall-drop3600 - firewall-drop.sh - 3600
> >> >> > >> > win_nullroute600 - route-null.cmd - 600
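The agent-side "unwrap" step discussed above can be checked offline with this added example (it is not code from the thread or from OSSEC itself): it parses the merged.mg entry format visible in the quoted excerpt, a `!<size> <name>` header followed by exactly that many bytes, and reports which files in an agent's shared directory are missing or stale relative to what the server merged. The leading `#default` group line and the placeholder agent.conf are assumptions; the ar.conf sample is the one quoted in the thread and packs to exactly the 203 bytes its header claims.

```python
import re

# Each merged.mg entry: "!<size> <name>\n" followed by <size> raw bytes.
HEADER = re.compile(rb"!(\d+) ([^\n]+)\n")

def pack_merged(files: dict[str, bytes], group: str = "default") -> bytes:
    """Build a merged.mg blob. The leading '#<group>' line is an assumption."""
    out = [f"#{group}\n".encode()]
    for name, data in files.items():
        out.append(f"!{len(data)} {name}\n".encode() + data)
    return b"".join(out)

def unpack_merged(blob: bytes) -> dict[str, bytes]:
    """Split a merged.mg blob into {name: bytes}; raise ValueError if malformed."""
    files, pos = {}, 0
    if blob.startswith(b"#"):                      # optional group line
        pos = blob.index(b"\n") + 1
    while pos < len(blob):
        m = HEADER.match(blob, pos)
        if not m:
            raise ValueError(f"bad entry header at offset {pos}")
        size, name = int(m.group(1)), m.group(2).decode()
        data = blob[m.end():m.end() + size]
        if len(data) != size:                      # truncated transfer
            raise ValueError(f"{name}: expected {size} bytes, got {len(data)}")
        files[name] = data
        pos = m.end() + size
    return files

def sync_report(merged: dict[str, bytes], on_agent: dict[str, bytes]) -> dict[str, str]:
    """For each file the server merged, say whether the agent copy is ok, stale or missing."""
    return {name: "missing" if name not in on_agent
            else "stale" if on_agent[name] != data else "ok"
            for name, data in merged.items()}

# Constructed sample: the ar.conf quoted in the thread (exactly 203 bytes,
# matching its "!203 ar.conf" header) plus a placeholder agent.conf.
AR_CONF = (b"restart-ossec0 - restart-ossec.sh - 0\n"
           b"restart-ossec0 - restart-ossec.cmd - 0\n"
           b"firewall-drop600 - firewall-drop.sh - 600\n"
           b"firewall-drop3600 - firewall-drop.sh - 3600\n"
           b"win_nullroute600 - route-null.cmd - 600\n")
AGENT_CONF = b"<agent_config>\n</agent_config>\n"
SAMPLE_MERGED = pack_merged({"ar.conf": AR_CONF, "agent.conf": AGENT_CONF})
# Constructed agent state mirroring the listing: ar.conf present but 0 bytes.
AGENT_SHARED = {"ar.conf": b"", "agent.conf": AGENT_CONF}
```

Running `sync_report(unpack_merged(SAMPLE_MERGED), AGENT_SHARED)` flags ar.conf as stale and agent.conf as ok, which is the state the listings above describe.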
