That is why I posted, because the verify-agent-config script does not report an error. I use the logtest and verify-agent... daily.
looks like www-data owns /etc/shared and agent.conf alienvault4sim:~# ls -ls /var/ossec/etc/ total 160 4 -r--r----- 1 www-data ossec 1834 Aug 15 13:31 client.keys 100 -r--r----- 1 root ossec 97062 Nov 9 2012 decoder.xml 4 -r--r----- 1 root ossec 2842 Nov 9 2012 internal_options.conf 4 -rw-r--r-- 1 root root 779 Aug 15 13:22 local_decoder.xml 4 -r-xr-xr-x 1 root ossec 118 Aug 15 15:39 localtime 8 -rw-r--r-- 1 www-data root 6380 Aug 15 15:39 ossec.conf 8 -r-xr-x--- 1 root ossec 5589 Jul 18 17:52 ossec.conf-backup 8 -r-xr-x--- 1 root ossec 5319 Jul 18 17:52 ossec.conf-maintainer 8 -rw-r--r-- 1 www-data root 5641 Aug 14 14:45 ossec.conf.avconf.bak 4 drwxrwx--- 2 www-data ossec 4096 Aug 14 14:40 shared 4 -r-xr-x--- 1 root ossec 1696 Jul 10 19:54 sslmanager.cert 4 -r-xr-x--- 1 root ossec 1679 Jul 10 19:53 sslmanager.key alienvault4sim:~# ls -ls /var/ossec/etc/shared/ total 192 4 -rw-r--r-- 1 www-data root 1 Aug 14 14:40 agent.conf 12 -rw-r--r-- 1 www-data root 11539 Aug 7 14:04 agent.conf.avconf.bak 4 -r--r----- 1 root ossec 77 Aug 15 15:39 ar.conf 12 -r--r----- 1 root ossec 9501 Nov 9 2012 cis_debian_linux_rcl.txt 8 -r--r----- 1 root ossec 8192 Nov 9 2012 cis_rhel5_linux_rcl.txt 16 -r--r----- 1 root ossec 14251 Nov 9 2012 cis_rhel_linux_rcl.txt 84 -rw-r--r-- 1 ossecr ossec 81858 Aug 15 15:39 merged.mg 16 -r--r----- 1 root ossec 14872 Nov 9 2012 rootkit_files.txt 8 -r--r----- 1 root ossec 5193 Nov 9 2012 rootkit_trojans.txt 8 -r--r----- 1 root ossec 4457 Nov 9 2012 system_audit_rcl.txt 8 -r--r----- 1 root ossec 4682 Nov 9 2012 win_applications_rcl.txt 4 -r--r----- 1 root ossec 3859 Nov 9 2012 win_audit_rcl.txt 8 -r--r----- 1 root ossec 4929 Nov 9 2012 win_malware_rcl.txt alienvault4sim:~# Added this to the watchdog called ossim-singleline.cfg file as this is what is restating the server services. Will see how it goes for 24 hours... startup=chown -R ossec:ossec /var/ossec/queue | /var/ossec/bin/ossec-control start Hopefully, every time the watchdog service restarts ossim-agent or any of the other hundred services that it will reset the permissions. Thanks again!!! On Thu, Aug 15, 2013 at 11:34 AM, David Blanton <[email protected]>wrote: > Try using the verify-agent-conf script in the bin folder. > > Also check permissions on the agent.conf file > > -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > For more options, visit https://groups.google.com/groups/opt_out. > -- Thank you, Jared R. Greene -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/groups/opt_out.
