On Thu, Aug 15, 2013 at 2:15 PM, Jared <[email protected]> wrote:
> Ahh, yes.. the ossec:ossec was an entirely undesirable diversion from my
> day... Here is what I found on the test server (brand new AlienVault USM
> server with OSSEC 2.7).
>
> No agent.conf:
>
> OSSIM02:~# ls -ls /var/ossec/etc/shared/
> total 168
>  4 -r--r----- 1 root   ossec    77 Aug 15 06:25 ar.conf
> 12 -r--r----- 1 root   ossec  9501 Nov  9  2012 cis_debian_linux_rcl.txt
>  8 -r--r----- 1 root   ossec  8192 Nov  9  2012 cis_rhel5_linux_rcl.txt
> 16 -r--r----- 1 root   ossec 14251 Nov  9  2012 cis_rhel_linux_rcl.txt
> 76 -rw-r--r-- 1 ossecr ossec 70275 Aug 15 06:25 merged.mg
> 16 -r--r----- 1 root   ossec 14872 Nov  9  2012 rootkit_files.txt
>  8 -r--r----- 1 root   ossec  5193 Nov  9  2012 rootkit_trojans.txt
>  8 -r--r----- 1 root   ossec  4457 Nov  9  2012 system_audit_rcl.txt
>  8 -r--r----- 1 root   ossec  4682 Nov  9  2012 win_applications_rcl.txt
>  4 -r--r----- 1 root   ossec  3859 Nov  9  2012 win_audit_rcl.txt
>  8 -r--r----- 1 root   ossec  4929 Nov  9  2012 win_malware_rcl.txt
>
> Create agent.conf through the command line with vi by copy and paste:
>
> OSSIM02:~# vi /var/ossec/etc/shared/agent.conf
> You have new mail in /var/mail/root
> OSSIM02:~# ls -ls /var/ossec/etc/shared/
> total 180
> 12 -rw-r--r-- 1 root   root  10181 Aug 15 18:07 agent.conf   = root:root permissions
>  4 -r--r----- 1 root   ossec    77 Aug 15 06:25 ar.conf
> 12 -r--r----- 1 root   ossec  9501 Nov  9  2012 cis_debian_linux_rcl.txt
>  8 -r--r----- 1 root   ossec  8192 Nov  9  2012 cis_rhel5_linux_rcl.txt
> 16 -r--r----- 1 root   ossec 14251 Nov  9  2012 cis_rhel_linux_rcl.txt
> 76 -rw-r--r-- 1 ossecr ossec 70275 Aug 15 06:25 merged.mg
> 16 -r--r----- 1 root   ossec 14872 Nov  9  2012 rootkit_files.txt
>  8 -r--r----- 1 root   ossec  5193 Nov  9  2012 rootkit_trojans.txt
>  8 -r--r----- 1 root   ossec  4457 Nov  9  2012 system_audit_rcl.txt
>  8 -r--r----- 1 root   ossec  4682 Nov  9  2012 win_applications_rcl.txt
>  4 -r--r----- 1 root   ossec  3859 Nov  9  2012 win_audit_rcl.txt
>  8 -r--r----- 1 root   ossec  4929 Nov  9  2012 win_malware_rcl.txt
>
> Next, went into the GUI in AlienVault and modified the file, selected update,
> then restarted OSSEC:
>
> OSSIM02:~# ls -ls /var/ossec/etc/shared/
> total 192
>  4 -rw-r--r-- 1 www-data root    958 Aug 15 18:08 agent.conf   = www-data now owns agent.conf
> 12 -rw-r--r-- 1 root     root  10181 Aug 15 18:07 agent.conf.avconf.bak
>  4 -r--r----- 1 root     ossec    77 Aug 15 18:08 ar.conf
> 12 -r--r----- 1 root     ossec  9501 Nov  9  2012 cis_debian_linux_rcl.txt
>  8 -r--r----- 1 root     ossec  8192 Nov  9  2012 cis_rhel5_linux_rcl.txt
> 16 -r--r----- 1 root     ossec 14251 Nov  9  2012 cis_rhel_linux_rcl.txt
> 84 -rw-r--r-- 1 ossecr   ossec 81459 Aug 15 18:08 merged.mg
> 16 -r--r----- 1 root     ossec 14872 Nov  9  2012 rootkit_files.txt
>  8 -r--r----- 1 root     ossec  5193 Nov  9  2012 rootkit_trojans.txt
>  8 -r--r----- 1 root     ossec  4457 Nov  9  2012 system_audit_rcl.txt
>  8 -r--r----- 1 root     ossec  4682 Nov  9  2012 win_applications_rcl.txt
>  4 -r--r----- 1 root     ossec  3859 Nov  9  2012 win_audit_rcl.txt
>  8 -r--r----- 1 root     ossec  4929 Nov  9  2012 win_malware_rcl.txt
> OSSIM02:~#
>
> What user:group is supposed to own agent.conf? If I edit local_rules.xml,

This is what I have:

-r--r----- 1 root ossec 12576 Aug 15 11:13 /var/ossec-hybrid/etc/shared/agent.conf

> local_decoder.xml, or agent.conf, what user should I be modifying these
> files as?

All of these files are root:ossec on my system. I don't think modifying them
should change this.

> Thank you,
>
> Jared
>
> On Monday, June 24, 2013 1:15:19 PM UTC-4, Jared wrote:
>>
>> Question:
>>
>> How are "Profiles" associated with clients / agents?
>>
>> Scenario:
>>
>> Agent ID = 001 = Web01 = IIS and MySQL = Windows
>> Agent ID = 002 = Web02 = Apache/Tomcat and MySQL = CentOS
>>
>> I would like to have a profile for each server type so that I no longer
>> see the following errors:
>>
>> 2013/06/24 10:08:52 ossec-agent(1952): INFO: Monitoring variable log file:
>> 'C:\Tomcat7\logs\localhost_access_log.2013-06-24.txt'.
>> 2013/06/24 10:08:52 ossec-agent(1103): ERROR: Unable to open file
>> 'C:\Tomcat7\logs\localhost_access_log.2013-06-24.txt'.
>>
>> for Windows servers that do not have Tomcat, for example.
>>
>> Based on the following from the web documentation at
>> http://www.ossec.net/doc/syntax/head_agent_config.html?highlight=profile#profile:
>>
>> profile
>> This option to agent_config allows you to assign a profile name to the
>> block. Any agent may use this block if it is configured to use the defined
>> profile.
>>
>> Example: <agent_config profile="webservers">
>>
>> How do I tell Agent 002 that it should be associated with "LinuxWebs"?
>>
>> <agent_config profile="LinuxWebs">
>>
>> How do I tell Agent 002 that it should be subordinate to "WinWebs"?
>>
>> <agent_config profile="LinuxWebs">
>>
>> In the following config:
>>
>> <agent_config profile="LinuxWebs">
>>   <localfile>
>>     <location>/var/log/secure</location>
>>     <log_format>syslog</log_format>
>>   </localfile>
>> </agent_config>
>>
>> Thanks for all of the posts and info? Very helpful list!!
>>
>> Jared

--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
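The ownership drift Jared's listings show (agent.conf becoming root:root after a vi edit and www-data:root after the AlienVault GUI edit) is easy to catch with a small check. The script below is an added example, not code from the thread or from OSSEC; it takes the replier's root:ossec as the expected ownership and treats merged.mg as OSSEC-managed, and the sample rows are constructed from the third listing above.

```python
import re
from collections import namedtuple

# Ownership the replier reports for hand-edited files under
# /var/ossec/etc/shared/ (root:ossec). Treated here as the policy to check.
EXPECTED_OWNER = "root"
EXPECTED_GROUP = "ossec"
# merged.mg is rebuilt by OSSEC from the other shared files and is owned by
# the remoted user (ossecr in the listings), so it is outside the policy.
MANAGED_BY_OSSEC = {"merged.mg"}

Entry = namedtuple("Entry", "mode owner group name")

# Columns of `ls -ls`: blocks, mode, links, owner, group, size, month, day,
# time-or-year, name. Anything after the name (Jared's "= root:root" notes)
# is ignored.
LS_RE = re.compile(
    r"^\s*\d+\s+([-dlrwxsStT]{10})\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+"
    r"\S+\s+\d+\s+\S+\s+(\S+)"
)

# Constructed sample modelled on the listing taken after the GUI edit; only
# the rows that matter for the check are kept.
SAMPLE_LISTING = [
    " 4 -rw-r--r-- 1 www-data root    958 Aug 15 18:08 agent.conf = www-data now owns agent.conf",
    "12 -rw-r--r-- 1 root     root  10181 Aug 15 18:07 agent.conf.avconf.bak",
    " 4 -r--r----- 1 root     ossec    77 Aug 15 18:08 ar.conf",
    "84 -rw-r--r-- 1 ossecr   ossec 81459 Aug 15 18:08 merged.mg",
    " 8 -r--r----- 1 root     ossec  4929 Nov  9  2012 win_malware_rcl.txt",
]

def parse_ls(lines):
    """Turn `ls -ls` rows into Entry tuples; rows that do not match are skipped."""
    return [Entry(*m.groups()) for m in map(LS_RE.match, lines) if m]

def audit(entries):
    """Return (name, reason) for every file that deviates from the policy.
    Shared files are pushed to every agent, so they should stay root:ossec
    (not owned by the web server user) and never be group- or world-writable."""
    findings = []
    for e in entries:
        if e.name in MANAGED_BY_OSSEC:
            continue
        if (e.owner, e.group) != (EXPECTED_OWNER, EXPECTED_GROUP):
            findings.append((e.name, f"owned by {e.owner}:{e.group}"))
        if e.mode[5] == "w" or e.mode[8] == "w":  # group- or world-write bit
            findings.append((e.name, "writable by group or others"))
    return findings

if __name__ == "__main__":
    for name, reason in audit(parse_ls(SAMPLE_LISTING)):
        print(f"{name}: {reason}")
```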
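For the older profile question, the missing half is the agent side: a block with a profile attribute only reaches agents that declare that profile. The simulation below is an added example, not from the thread or from OSSEC. It assumes the `<config-profile>` element of the agent's own ossec.conf `<client>` block (OSSEC's documented way for an agent to opt into agent.conf profiles, which the thread does not quote), a constructed agent.conf modelled on Jared's, and a hypothetical third agent Web03; the name= and os= attributes are not modelled.

```python
import xml.etree.ElementTree as ET

# Constructed agent.conf in the style of the thread: one block per profile
# plus one block with no profile attribute. agent.conf has several top-level
# <agent_config> elements, so it is wrapped in a dummy root for parsing.
AGENT_CONF = r"""
<agent_config profile="LinuxWebs">
  <localfile>
    <location>/var/log/secure</location>
    <log_format>syslog</log_format>
  </localfile>
</agent_config>
<agent_config profile="WinWebs">
  <localfile>
    <location>C:\Tomcat7\logs\localhost_access_log.2013-06-24.txt</location>
    <log_format>syslog</log_format>
  </localfile>
</agent_config>
<agent_config>
  <syscheck><frequency>7200</frequency></syscheck>
</agent_config>
"""

# Constructed <client> blocks from each agent's own ossec.conf. The
# <config-profile> element is assumed from OSSEC's ossec.conf documentation
# (not quoted in the thread); Web01 declares no profile, so it gets only the
# unqualified block and never sees the Tomcat entry. Web03 is hypothetical.
AGENT_CLIENT_CONF = {
    "Web01": "<client><server-ip>192.0.2.10</server-ip></client>",
    "Web02": "<client><server-ip>192.0.2.10</server-ip>"
             "<config-profile>LinuxWebs</config-profile></client>",
    "Web03": "<client><server-ip>192.0.2.10</server-ip>"
             "<config-profile>WinWebs</config-profile></client>",
}

def agent_profiles(client_xml):
    """Profiles an agent declares (comma-separated list in <config-profile>)."""
    node = ET.fromstring(client_xml).find("config-profile")
    if node is None or not node.text:
        return set()
    return {p.strip() for p in node.text.split(",") if p.strip()}

def applicable_locations(agent_conf, profiles):
    """Log locations the agent ends up monitoring: a block without a profile
    attribute applies to every agent, a block with one only to agents that
    declared that profile."""
    root = ET.fromstring("<root>" + agent_conf + "</root>")
    locations = []
    for block in root.findall("agent_config"):
        wanted = block.get("profile")
        if wanted is not None and wanted not in profiles:
            continue
        locations.extend(loc.text for loc in block.iter("location"))
    return locations
```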
