Ahh, yes... the ossec:ossec was an entirely undesirable diversion from my day. Here is what I found on the test server (brand new AlienVault USM server with OSSEC 2.7):
No agent.conf:

OSSIM02:~# ls -ls /var/ossec/etc/shared/
total 168
 4 -r--r----- 1 root   ossec    77 Aug 15 06:25 ar.conf
12 -r--r----- 1 root   ossec  9501 Nov  9  2012 cis_debian_linux_rcl.txt
 8 -r--r----- 1 root   ossec  8192 Nov  9  2012 cis_rhel5_linux_rcl.txt
16 -r--r----- 1 root   ossec 14251 Nov  9  2012 cis_rhel_linux_rcl.txt
76 -rw-r--r-- 1 ossecr ossec 70275 Aug 15 06:25 merged.mg
16 -r--r----- 1 root   ossec 14872 Nov  9  2012 rootkit_files.txt
 8 -r--r----- 1 root   ossec  5193 Nov  9  2012 rootkit_trojans.txt
 8 -r--r----- 1 root   ossec  4457 Nov  9  2012 system_audit_rcl.txt
 8 -r--r----- 1 root   ossec  4682 Nov  9  2012 win_applications_rcl.txt
 4 -r--r----- 1 root   ossec  3859 Nov  9  2012 win_audit_rcl.txt
 8 -r--r----- 1 root   ossec  4929 Nov  9  2012 win_malware_rcl.txt

Created agent.conf from the command line with vi, by copy and paste:

OSSIM02:~# vi /var/ossec/etc/shared/agent.conf
You have new mail in /var/mail/root
OSSIM02:~# ls -ls /var/ossec/etc/shared/
total 180
12 -rw-r--r-- 1 root   root  10181 Aug 15 18:07 agent.conf      <-- root:root permissions
 4 -r--r----- 1 root   ossec    77 Aug 15 06:25 ar.conf
12 -r--r----- 1 root   ossec  9501 Nov  9  2012 cis_debian_linux_rcl.txt
 8 -r--r----- 1 root   ossec  8192 Nov  9  2012 cis_rhel5_linux_rcl.txt
16 -r--r----- 1 root   ossec 14251 Nov  9  2012 cis_rhel_linux_rcl.txt
76 -rw-r--r-- 1 ossecr ossec 70275 Aug 15 06:25 merged.mg
16 -r--r----- 1 root   ossec 14872 Nov  9  2012 rootkit_files.txt
 8 -r--r----- 1 root   ossec  5193 Nov  9  2012 rootkit_trojans.txt
 8 -r--r----- 1 root   ossec  4457 Nov  9  2012 system_audit_rcl.txt
 8 -r--r----- 1 root   ossec  4682 Nov  9  2012 win_applications_rcl.txt
 4 -r--r----- 1 root   ossec  3859 Nov  9  2012 win_audit_rcl.txt
 8 -r--r----- 1 root   ossec  4929 Nov  9  2012 win_malware_rcl.txt

Next, went into the GUI in AlienVault and modified the file, selected update, then restarted OSSEC:

OSSIM02:~# ls -ls /var/ossec/etc/shared/
total 192
 4 -rw-r--r-- 1 www-data root    958 Aug 15 18:08 agent.conf      <-- www-data now owns agent.conf
12 -rw-r--r-- 1 root     root  10181 Aug 15 18:07 agent.conf.avconf.bak
 4 -r--r----- 1 root     ossec    77 Aug 15 18:08 ar.conf
12 -r--r----- 1 root     ossec  9501 Nov  9  2012 cis_debian_linux_rcl.txt
 8 -r--r----- 1 root     ossec  8192 Nov  9  2012 cis_rhel5_linux_rcl.txt
16 -r--r----- 1 root     ossec 14251 Nov  9  2012 cis_rhel_linux_rcl.txt
84 -rw-r--r-- 1 ossecr   ossec 81459 Aug 15 18:08 merged.mg
16 -r--r----- 1 root     ossec 14872 Nov  9  2012 rootkit_files.txt
 8 -r--r----- 1 root     ossec  5193 Nov  9  2012 rootkit_trojans.txt
 8 -r--r----- 1 root     ossec  4457 Nov  9  2012 system_audit_rcl.txt
 8 -r--r----- 1 root     ossec  4682 Nov  9  2012 win_applications_rcl.txt
 4 -r--r----- 1 root     ossec  3859 Nov  9  2012 win_audit_rcl.txt
 8 -r--r----- 1 root     ossec  4929 Nov  9  2012 win_malware_rcl.txt
OSSIM02:~#

What user:group is supposed to own agent.conf? If I edit local_rules.xml, local_decoder.xml, or agent.conf, what user should I be modifying these files as?

Thank you,
Jared

On Monday, June 24, 2013 1:15:19 PM UTC-4, Jared wrote:
>
> Question:
>
> How are "Profiles" associated with clients / agents?
>
> Scenario:
>
> Agent ID = 001 = Web01 = IIS and MySQL = Windows
> Agent ID = 002 = Web02 = Apache/Tomcat and MySQL = CentOS
>
> I would like to have a profile for each server type so that I no longer
> see the following errors:
>
> 2013/06/24 10:08:52 ossec-agent(1952): INFO: Monitoring variable log file: 'C:\Tomcat7\logs\localhost_access_log.2013-06-24.txt'.
> 2013/06/24 10:08:52 ossec-agent(1103): ERROR: Unable to open file 'C:\Tomcat7\logs\localhost_access_log.2013-06-24.txt'.
>
> for Windows servers that do not have Tomcat, for example.
>
> Based on the following from the web documentation at
> http://www.ossec.net/doc/syntax/head_agent_config.html?highlight=profile#profile :
>
> profile (http://www.ossec.net/doc/syntax/head_agent_config.html#element-profile)
> This option to agent_config allows you to assign a profile name to the
> block. Any agent may use this block if it is configured to use the
> defined profile.
>
> Example: <agent_config profile="webservers">
>
> How do I tell Agent 002 that it should be associated with "LinuxWebs"?
>
> <agent_config profile="LinuxWebs">
>
> How do I tell Agent 002 that it should be subordinate to "WinWebs"?
>
> <agent_config profile="LinuxWebs">
>
> In the following config:
>
> <agent_config profile="LinuxWebs">
>   <localfile>
>     <location>/var/log/secure</location>
>     <log_format>syslog</log_format>
>   </localfile>
> </agent_config>
>
> Thanks for all of the posts and info. Very helpful list!!
>
> Jared
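The listings above show the drift the post is asking about: every untouched file in /var/ossec/etc/shared is root:ossec with mode r--r----- (0440), while agent.conf ends up root:root after vi and www-data:root after the AlienVault GUI rewrites it. The script below is an added example, not code from the thread or from OSSEC/AlienVault. It parses `ls -ls` (or `ls -l`) output and flags any shared file whose owner, group or mode differs from root:ossec 0440. Treating root:ossec 0440 as the expected state is an assumption this check encodes (it is what the other shared files in the listings show, not an answer given in the thread), and merged.mg is skipped because the listings show it is regenerated by the server as ossecr:ossec. The sample listing is constructed from the third `ls -ls` above, with unchanged files trimmed.

```shell
#!/bin/sh
# Added example: flag ownership/mode drift in /var/ossec/etc/shared.
# ASSUMPTION: root:ossec with mode -r--r----- (0440) is the expected state,
# taken from the untouched files in the listings, not from OSSEC docs.
# ASSUMPTION: merged.mg is excluded because the listings show ossec-remoted
# rewrites it as ossecr:ossec.

# Constructed sample: the third listing from the post, after the AlienVault
# GUI rewrote agent.conf (unchanged files trimmed for brevity).
SAMPLE_LISTING='total 192
 4 -rw-r--r-- 1 www-data root    958 Aug 15 18:08 agent.conf
12 -rw-r--r-- 1 root     root  10181 Aug 15 18:07 agent.conf.avconf.bak
 4 -r--r----- 1 root     ossec    77 Aug 15 18:08 ar.conf
16 -r--r----- 1 root     ossec 14251 Nov  9  2012 cis_rhel_linux_rcl.txt
84 -rw-r--r-- 1 ossecr   ossec 81459 Aug 15 18:08 merged.mg
16 -r--r----- 1 root     ossec 14872 Nov  9  2012 rootkit_files.txt'

# check_shared_listing LISTING
# Reads `ls -ls` or `ls -l` output and prints one line per file whose
# owner, group or mode is not root:ossec -r--r-----, formatted as
#   NAME OWNER:GROUP MODE
# Returns 0 when nothing is flagged, 1 when at least one file drifted.
check_shared_listing() {
    printf '%s\n' "$1" | awk '
        # Skip the "total N" header and anything too short to be an entry.
        $1 == "total" || NF < 9 { next }
        {
            # `ls -ls` prefixes each entry with a block count; `ls -l` does not.
            off = ($1 ~ /^[0-9]+$/) ? 1 : 0
            mode  = $(1 + off)
            owner = $(3 + off)
            group = $(4 + off)
            name  = $NF
            if (name == "merged.mg") next   # server-generated, owned by ossecr
            if (owner != "root" || group != "ossec" || mode != "-r--r-----") {
                printf "%s %s:%s %s\n", name, owner, group, mode
                flagged = 1
            }
        }
        END { exit flagged ? 1 : 0 }'
}

# check_shared_dir [DIR]
# Same check against a live directory (run on the OSSEC server as root).
check_shared_dir() {
    check_shared_listing "$(ls -l "${1:-/var/ossec/etc/shared}")"
}

# Demonstration on the constructed listing; prints the two drifted files.
if check_shared_listing "$SAMPLE_LISTING"; then
    echo "shared files look as expected"
else
    echo "ownership/mode drift found (see above)"
fi
```

Running the script on the sample prints agent.conf (www-data:root) and agent.conf.avconf.bak (root:root) and reports drift; `check_shared_dir` runs the same logic against the real directory, so it can be dropped into a cron job or a post-deploy check after editing files through the GUI.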
