The problem is there is (as far as I can tell in 2.7.1 install) no agent-auth.exe ... so how do we test it?
-- James Pulver CLASSE Computer Group Cornell University -----Original Message----- From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On Behalf Of dan (ddp) Sent: Tuesday, September 24, 2013 10:47 AM To: ossec-list@googlegroups.com Subject: Re: [ossec-list] Client.keys On Tue, Sep 24, 2013 at 7:57 AM, <bjoern.bec...@easycash.de> wrote: > Hello, > > > > sorry, when I disturbing the discussion. We have the same problem with > windows agents. > > Under *NIX os we could register the agent automaticly during installation > using: /var/ossec/bin/agent-auth -m $ossecserver -A $::fqdn -D /var/ossec/ > and on the server site the ossec-authd. > > > > Is there still no command for windows os? Is this in planning? > I believe it was mentioned in this thread that the command might be ready, but no one will test it. > > > Thanks Jared for the howto, it's should be better as our situation under > windows now J > > > > Mit freundlichen Grüßen / Best regards > Björn > > > > Von: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] Im > Auftrag von Jared > Gesendet: Montag, 23. September 2013 21:42 > An: ossec-list@googlegroups.com > Betreff: Re: [ossec-list] Client.keys > > > > Okay, off line then via email. > > Jared > > On Friday, September 20, 2013 9:48:10 AM UTC-4, Chris Lauritzen wrote: > > Jared, > > What I am trying to do it automate the install. We use LANDesk to push out > apps to over 3500 PC/servers in our company. LANDesk can use batch, msi, > exe, vbs and Powershell scripts to install. I have the install working, it > pushes to the PC's and installs the agent. Where it was failing initially > was importing the Key file. I have resolved that issue and during the > install the key is being read. What I come to find out is OSSEC requires one > key file per PC with only one key entry. I under the security reasons for > this. So what I am looking to do is to find a way to not create 3500 > Client.keys files. I have a script that works but it does not play well > because we are running DHCP. I am not the admin for the OSSEC server, I am > the LANDesk admin so I am dealing with the desktop/server level. Looking > over your powershell script I see where it could work. If you would like you > can email me directly.. > > Thanks > > Chris > > On Friday, September 20, 2013 6:54:49 AM UTC-5, Jared wrote: > > I am not surer that everyone wants to see the gory details, but with > Powershell you can accomplish anythign that you would do normally via the > cmd line or interactively, on linux (ssh) and Windows (WMI). > > > > Here is an example that will migrate servers from a test OSSEC server to a > Productin OSSEC server and then register them with the new server (I have > another script that fixes the "any' in the client.keys): > > > > # You must download the module and install it per the directions (google) > Import-Module SSH-Sessions > # Implies that you have a .csv file with all of your servers in it with the > following headers (Product,address,Hostname,Key,User) > # Implies that you have an account on your linux servers with TTY ability > (google sudoers & TTY) > # Load data from .csv into a variable called $servers > $Servers = Import-Csv C:\ISCO\Automate\bin\test_Servers.csv > # loop throuhg each of the lines in the .CSV file and do "Some work" > ForEach ($S in $Servers) > { > # Get IP address from line in file > $I = $S.Address; Write-host $I > #Get Hostname from line in file > $H = $S.Hostname; Write-host $H > #Same ... > $K = $S.key; Write-host $K > #Same ... > $U = $S.user; Write-host $U > > # Connect to each computer and provide username and Private key > New-SshSession -ComputerName $I -Username $U -KeyFile $k > #Stop the agent > Invoke-SshCommand -ComputerName $i -Command "sudo > /var/ossec/bin/ossec-control stop" -Verbose > # Replace the Test Server IP with with the Production server IP > Invoke-SshCommand -ComputerName $i -Command "sudo sed -i > 's/1.1.1.1/2.2.2.2/g' /var/ossec/etc/ossec.conf" -Verbose > #Register the server with agent with the Production OSSEC manager server > with the host name from the .csv file > Invoke-SshCommand -ComputerName $i -Command "sudo > /var/ossec/bin/agent-auth -m 2.2.2.2-p 1515 -A $H" -Verbose > # Restart the agent > Invoke-SshCommand -ComputerName $i -Command "sudo > /var/ossec/bin/ossec-control start" -Verbose > # display the status of the agent post restart in the Powershell > console. > Invoke-SshCommand -ComputerName $i -Command "sudo > /var/ossec/bin/ossec-control status" -Verbose > # Close and clean up the session > Remove-SshSession $I -Verbose > # As this is a Foreach Loop, it will parse each line of your .csv file > and perform this work on every server until the list is ehausted. > } > > > > > > So, we can take this offline or keep it here, but I would need to get the > details (requirements) for each process that you are trying to automate. I > am not following what you are trying to do with the Client.Keys on the > agent, but I believe that there is a programatic solution. > > > > Jared > > > On Thursday, September 19, 2013 2:42:19 PM UTC-4, Chris Lauritzen wrote: > > Jared, > > Thanks for the info. I can get Landesk to run powershell so what scripting > would I need. > > On Thursday, September 19, 2013 9:42:01 AM UTC-5, Jared wrote: > > Chris, > > Agent / Client = 1 client.keys file with a single entry in it. > C:\Program Files (x86)\ossec-agent\client.keys = 1 entry > > Server / Manager = 1 client.keys files with an entry for every agent that is > registered. > /var/ossec/etc/client.keys > > If you are tying to copy the client.keys file from the server to every > agent, it will not work (only reads the first line). > > If you need some scripting automation for installing/configuring OSSEC on > Windows and Linux, and can run powershell from your Windows Landesk > instance, I can help. Just need to come up with what "success" would look > like from requirements perspective and the scripting part is easy. > > Jared > > > > > > On Thu, Sep 19, 2013 at 10:19 AM, James M. Pulver <jmp...@cornell.edu> > wrote: > > Yes, each client has a unique client.keys. > > > > -- > > James Pulver > > CLASSE Computer Group > > Cornell University > > > > From: ossec...@googlegroups.com [mailto:ossec...@googlegroups.com] On Behalf > Of Chris Lauritzen > Sent: Thursday, September 19, 2013 9:46 AM > > > To: ossec...@googlegroups.com > Subject: Re: [ossec-list] Client.keys > > > > James let get this straight, if I have 3500 pc's to push this out to I need > 3500 client.keys files? > > > > On Wednesday, September 18, 2013 5:13:28 PM UTC-5, Michael Starks wrote: > > On 09/18/2013 04:08 PM, Chris Lauritzen wrote: >> Yes the Key have been made. There is a new twist to this now. The >> install is reading the client.keys but is only reading in the first key >> listed. Every install is pulling only the first key. If I manually add >> the key it works fine. When creating the key I see that the name is >> optional but is it possible that it's looking for the device name and >> when not finding it defaulting to the first entry? > > There should only be one key in the agent's client.keys file--the key > for that agent. > > -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to ossec-list+...@googlegroups.com. > For more options, visit https://groups.google.com/groups/opt_out. > > -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to ossec-list+...@googlegroups.com. > For more options, visit https://groups.google.com/groups/opt_out. > > > > > -- > Thank you, > > Jared R. Greene > > -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to ossec-list+unsubscr...@googlegroups.com. > For more options, visit https://groups.google.com/groups/opt_out. > > -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to ossec-list+unsubscr...@googlegroups.com. > For more options, visit https://groups.google.com/groups/opt_out. -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/groups/opt_out. -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/groups/opt_out.
