I'm running OSSEC 2.7 on CentOS 6.4 (both manager and agent) and I'm trying to
get centralized agent configuration working.
I've set both the manager and the agent to run at debug level 2. I have
verified that the firewall is disabled on both hosts and that they are on the
same subnet.
I want any modification to agent.conf on the manager to trigger a restart of
the OSSEC agent on the remote system.
When I make a modification to the /var/ossec/etc/shared/agent.conf file and
watch the ossec.log on the manager I see the message:
ossec-remoted: DEBUG Sending file 'merged.mg' to agent.
As soon as the manager sends merged.mg to the agent, I see numerous lines like
the following in the agent's ossec.log (the message comes from ossec-agentd):
ossec-agentd: WARN: Unknown message received. No action defined.
I assume I have something improperly configured on the agent.
Here are the contents of the agent.conf (the centralized file as pushed from
the manager) and the ossec.conf on the agent:
agent.conf:
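<agent_config>
  <!-- Centralized agent configuration: edited on the manager in etc/shared/agent.conf,
       bundled into merged.mg and pushed to every agent. -->
  <syscheck>
    <!-- Scan hourly and do not scan at start-up.  A freshly pushed agent.conf is
         therefore only noticed (and rule 550 raised) at the next scheduled scan,
         i.e. up to 3600 s after the push. -->
    <frequency>3600</frequency>
    <auto_ignore>no</auto_ignore>
    <alert_new_files>yes</alert_new_files>
    <scan_on_start>no</scan_on_start>
    <!-- Was /opt/ossec/etc/shared, which does not match the path that rule 510010
         matches on (/var/ossec/etc/shared/agent.conf) nor the manager's own /var/ossec
         prefix; syscheck cannot report a change in a directory that does not exist, so
         the rule could never fire.  Adjust the prefix if the agent really is installed
         somewhere other than /var/ossec. -->
    <!-- NOTE(review): report_changes="yes" makes the agent keep a copy of every changed
         file (under queue/diff) so it can produce a diff.  Applied to /etc that includes
         files such as /etc/shadow; consider limiting report_changes to non-sensitive
         directories. -->
    <directories report_changes="yes"
    check_all="yes">/etc,/usr/bin,/usr/sbin,/var/ossec/etc/shared</directories>
  </syscheck>
</agent_config>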
ossec.conf:
<ossec_config>
<!-- Agent-side ossec.conf: only the manager address is set.  There is no syscheck,
     rootcheck or localfile section here, so all of that comes from the centralized
     agent.conf pushed by the manager (merged.mg). -->
<client>
<server-ip>192.168.140.138</server-ip>
</client>
</ossec_config>
Here is the ossec.conf on the Manager:
<ossec_config>
<!-- Manager-side ossec.conf. -->
<global>
<email_notification>no</email_notification>
</global>
<!-- Stock rule set; local_rules.xml is loaded last and holds rule 510010. -->
<rules>
<include>rules_config.xml</include>
<include>pam_rules.xml</include>
<include>sshd_rules.xml</include>
<include>telnetd_rules.xml</include>
<include>syslog_rules.xml</include>
<include>arpwatch_rules.xml</include>
<include>symantec-av_rules.xml</include>
<include>symantec-ws_rules.xml</include>
<include>pix_rules.xml</include>
<include>named_rules.xml</include>
<include>smbd_rules.xml</include>
<include>vsftpd_rules.xml</include>
<include>pure-ftpd_rules.xml</include>
<include>proftpd_rules.xml</include>
<include>ms_ftpd_rules.xml</include>
<include>ftpd_rules.xml</include>
<include>hordeimp_rules.xml</include>
<include>roundcube_rules.xml</include>
<include>wordpress_rules.xml</include>
<include>cimserver_rules.xml</include>
<include>vpopmail_rules.xml</include>
<include>vmpop3d_rules.xml</include>
<include>courier_rules.xml</include>
<include>web_rules.xml</include>
<include>web_appsec_rules.xml</include>
<include>apache_rules.xml</include>
<include>nginx_rules.xml</include>
<include>php_rules.xml</include>
<include>mysql_rules.xml</include>
<include>postgresql_rules.xml</include>
<include>ids_rules.xml</include>
<include>squid_rules.xml</include>
<include>firewall_rules.xml</include>
<include>cisco-ios_rules.xml</include>
<include>netscreenfw_rules.xml</include>
<include>sonicwall_rules.xml</include>
<include>postfix_rules.xml</include>
<include>sendmail_rules.xml</include>
<include>imapd_rules.xml</include>
<include>mailscanner_rules.xml</include>
<include>dovecot_rules.xml</include>
<include>ms-exchange_rules.xml</include>
<include>racoon_rules.xml</include>
<include>vpn_concentrator_rules.xml</include>
<include>spamd_rules.xml</include>
<include>msauth_rules.xml</include>
<include>mcafee_av_rules.xml</include>
<include>trend-osce_rules.xml</include>
<include>ms-se_rules.xml</include>
<!-- <include>policy_rules.xml</include> -->
<include>zeus_rules.xml</include>
<include>solaris_bsm_rules.xml</include>
<include>vmware_rules.xml</include>
<include>ms_dhcp_rules.xml</include>
<include>asterisk_rules.xml</include>
<include>ossec_rules.xml</include>
<include>attack_rules.xml</include>
<include>openbsd_rules.xml</include>
<include>clam_av_rules.xml</include>
<include>bro-ids_rules.xml</include>
<include>dropbear_rules.xml</include>
<include>local_rules.xml</include>
</rules>
<!-- Manager's own syscheck.  Note that /var/ossec/etc/shared is NOT in this list, so
     editing agent.conf on the manager does not itself produce a rule 550 alert; rule
     510010 can only be reached through an agent's syscheck. -->
<syscheck>
<frequency>79200</frequency>
<directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
<directories check_all="yes">/bin,/sbin</directories>
<ignore>/etc/mtab</ignore>
<ignore>/etc/mnttab</ignore>
<ignore>/etc/hosts.deny</ignore>
<ignore>/etc/mail/statistics</ignore>
<ignore>/etc/random-seed</ignore>
<ignore>/etc/adjtime</ignore>
<ignore>/etc/httpd/logs</ignore>
<ignore>/etc/utmpx</ignore>
<ignore>/etc/wtmpx</ignore>
<ignore>/etc/cups/certs</ignore>
<ignore>/etc/dumpdates</ignore>
<ignore>/etc/svc/volatile</ignore>
</syscheck>
<!-- Rootcheck is disabled on the manager; the file lists below are kept but unused. -->
<rootcheck>
<disabled>yes</disabled>
<rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
<rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
<system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
<system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>
<system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt</system_audit>
<system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>
</rootcheck>
<!-- Hosts that active response must never act against (e.g. firewall-drop). -->
<global>
<white_list>127.0.0.1</white_list>
<white_list>^localhost.localdomain$</white_list>
<white_list>192.168.140.2</white_list>
</global>
<!-- NOTE(review): a syslog listener with no <allowed-ips>.  OSSEC wants an explicit
     access list for syslog (if I recall correctly remoted refuses to start the listener
     without one; check ossec.log), and unauthenticated syslog should never be accepted
     from arbitrary hosts in any case.  Add <allowed-ips> or drop this block if only
     agents report in. -->
<remote>
<connection>syslog</connection>
</remote>
<!-- Authenticated agent channel; merged.mg is pushed to agents over this connection
     ("Sending file 'merged.mg' to agent" in the manager log). -->
<remote>
<connection>secure</connection>
</remote>
<alerts>
<log_alert_level>1</log_alert_level>
</alerts>
<!-- Active-response command; presumably the stock restart-ossec.sh under
     active-response/bin — confirm it is present and executable on the agent as well.
     <expect> is empty because the script takes no argument. -->
<command>
<name>restart-ossec</name>
<executable>restart-ossec.sh</executable>
<expect></expect>
</command>
<!-- location "local" runs the command on the host that generated the alert, i.e. the
     agent whose syscheck reported agent.conf; the agent learns about the command via
     the pushed ar.conf (present in the agent's shared directory listing). -->
<active-response>
<command>restart-ossec</command>
<location>local</location>
<rules_id>510010</rules_id>
</active-response>
</ossec_config>
I have the following rule defined in /var/ossec/rules/local_rules.xml:
<!-- Fires when an agent's syscheck reports an integrity checksum change (rule 550) on
     the centralized agent.conf.  Preconditions: the agent's syscheck <directories> list
     must cover the directory this path lives in, and the alert only appears at the
     agent's next scheduled scan.  <match> is a substring match, so any path containing
     this string triggers it too.  (Presumably sits inside the <group> element of
     local_rules.xml; only the rule itself is shown here.) -->
<rule id="510010" level="10">
<if_sid>550</if_sid>
<match>/var/ossec/etc/shared/agent.conf</match>
<description>agent.conf has been modified.</description>
</rule>
Here are the permissions of /var/ossec/etc/shared on the Manager:
[root@ossec_server shared]# ls -la
total 176
drwxrwx---. 2 root ossec 4096 Sep 3 20:34 .
dr-xr-x---. 3 root ossec 4096 Sep 3 20:26 ..
-rw-r--r--. 1 root ossec 344 Sep 3 20:34 agent.conf
-r--r-----. 1 root ossec 115 Sep 3 20:34 ar.conf
-r--r-----. 1 root ossec 9501 Nov 8 2012 cis_debian_linux_rcl.txt
-r--r-----. 1 root ossec 8192 Nov 8 2012 cis_rhel5_linux_rcl.txt
-r--r-----. 1 root ossec 14251 Nov 8 2012 cis_rhel_linux_rcl.txt
-rw-r--r--. 1 ossecr ossec 70680 Sep 3 20:34 merged.mg
-r--r-----. 1 root ossec 14872 Nov 8 2012 rootkit_files.txt
-r--r-----. 1 root ossec 5193 Nov 8 2012 rootkit_trojans.txt
-r--r-----. 1 root ossec 4457 Nov 8 2012 system_audit_rcl.txt
-r--r-----. 1 root ossec 4682 Nov 8 2012 win_applications_rcl.txt
-r--r-----. 1 root ossec 3859 Nov 8 2012 win_audit_rcl.txt
-r--r-----. 1 root ossec 4929 Nov 8 2012 win_malware_rcl.txt
Here they are on the Agent:
[root@CentOS1 shared]# ls -la
total 176
drwxrwx---. 2 root ossec 4096 Sep 3 19:51 .
dr-xr-x---. 3 root ossec 4096 Sep 3 20:03 ..
-rw-r--r--. 1 ossec ossec 344 Sep 3 20:21 agent.conf
-rw-r--r--. 1 ossec ossec 115 Sep 3 20:21 ar.conf
-rwxrwx---. 1 root ossec 9501 Sep 3 20:21 cis_debian_linux_rcl.txt
-rwxrwx---. 1 root ossec 8192 Sep 3 20:21 cis_rhel5_linux_rcl.txt
-rwxrwx---. 1 root ossec 14251 Sep 3 20:21 cis_rhel_linux_rcl.txt
-rw-r--r--. 1 ossec ossec 70674 Sep 3 20:21 merged.mg
-rwxrwx---. 1 root ossec 14872 Sep 3 20:21 rootkit_files.txt
-rwxrwx---. 1 root ossec 5193 Sep 3 20:21 rootkit_trojans.txt
-rwxrwx---. 1 root ossec 4457 Sep 3 20:21 system_audit_rcl.txt
-rwxrwx---. 1 root ossec 4682 Sep 3 20:21 win_applications_rcl.txt
-rwxrwx---. 1 root ossec 3859 Sep 3 20:21 win_audit_rcl.txt
-rwxrwx---. 1 root ossec 4929 Sep 3 20:21 win_malware_rcl.txt
The remote agent responds to /var/ossec/bin/agent-control -R 1024 right
away and without issue, so I assume active response is working in some
fashion. (Note that this only shows the agent honours a restart sent directly
over the active-response channel; it does not exercise the rule-triggered path
above.)
Please let me know if you have any idea what is causing the "Unknown
message received. No action defined." message, or why the remote agents are
not restarting when they receive a new agent.conf.
Thanks,
-AMM