On Thu, Mar 20, 2014 at 8:23 PM, Anuj AJ <[email protected]> wrote:
>>> Verify that the agent processes were restarted after the agent.conf was
>>> pushed.
>
> Not sure how to do this (bear with me).
>
> Once I made a change to agent.conf on the server, after a long time I see that
> the same agent.conf shows up in /var/ossec/etc/shared/agent.conf (on the
> agent). Verified by running agent_control on the server as well (-i ...), which
> tells me there is no difference in the hash of the file on server and agent.
>
> On the side I had already put this in place:
> http://devio.us/~ddp/ossec/docs/cookbooks/recipes/ar-agent-conf-restart.html#
>
> Here is my part of the config (similar to the doc).
>
> From Server - /var/ossec/rules/local_rules.xml
>
> <rule id="100050" level="1">
>   <if_group>syscheck</if_group>
>   <match>/var/ossec/etc/shared/agent.conf</match>
>   <description>agent.conf was modified</description>
> </rule>
>
> From Server - /var/ossec/etc/ossec.conf
>
> <command>
>   <name>restart-ossec</name>
>   <executable>restart-ossec.sh</executable>
>   <expect></expect>
> </command>
>
> <active-response>
>   <!-- This response will restart ossec on agents when
>        local rule 100050 hits, i.e. there is
>        a change in the central agent.conf file.
>   -->
>   <command>restart-ossec</command>
>   <location>local</location>
>   <rules_id>100050</rules_id>
> </active-response>
>
>
> FYI - these sections of config don't exist on the agent, only on the server's
> (ossec.conf).
>
Try restarting the processes on the agent manually. ossec-syscheckd should also
log which directories it is monitoring, so after restarting you can check this
file to see if it picked up the changes.

> Please let me know if these sections need to be on the agent as well (which I
> highly doubt, since there are no rules on the agent).
>

Active response configuration (other than enabling/disabling) is done on the
server. There is no need for the above configurations to be on the agent.

>
>>> Make sure the agent.conf was actually updated properly.
>
> Yep, I see that the agent.conf gets successfully replicated to the agents
> from the HID server (based on comparing the hash from the server as well).
>
>
>>> Double check to make sure that the agent you're testing on should
>>> actually be using the block you've defined in agent.conf.
>
>> <agent_config>
>>
>>   <syscheck>
>>
>>     <alert_new_files>yes</alert_new_files>
>>
>>     <!-- Directories to check (perform all possible verifications) -->
>>     <directories check_all="yes">/home</directories>
>>
>>     <ignore type="sregex">.log$|.tmp</ignore>
>>
>>     <ignore>/etc/motd</ignore>
>>     <ignore>/home/mysql</ignore>
>>     <ignore>/home/mongodb</ignore>
>>     <ignore>/home/backups</ignore>
>>
>>   </syscheck>
>>
>> </agent_config>
>
>
> This config is fairly generic, to load the /home folder for file monitoring.
> Every agent has and requires that.
>

<alert_new_files> is a server side setting. I'll have to check the
documentation to make sure this is mentioned.

Check the permissions and ownership of the agent.conf.

>
> Regards
>
> AJ
>
>
> On Thursday, March 20, 2014 6:20:16 AM UTC-7, dan (ddpbsd) wrote:
>>
>> On Wed, Mar 19, 2014 at 4:32 PM, Anuj AJ <[email protected]> wrote:
>> > Greetings.
>> >
>> > Went through other information about managing centralized agent.conf
>> > through the ossec HID server.
>> > It has successfully been able to update the agent.conf on the agents
>> > (although it takes some time, which is fine).
>> >
>> > Here is the problem -
>> >
>> > This is my agent.conf -
>> >
>> > <agent_config>
>> >
>> >   <syscheck>
>> >
>> >     <alert_new_files>yes</alert_new_files>
>> >
>> >     <!-- Directories to check (perform all possible verifications) -->
>> >     <directories check_all="yes">/home</directories>
>> >
>> >     <ignore type="sregex">.log$|.tmp</ignore>
>> >
>> >     <ignore>/etc/motd</ignore>
>> >     <ignore>/home/mysql</ignore>
>> >     <ignore>/home/mongodb</ignore>
>> >     <ignore>/home/backups</ignore>
>> >
>> >   </syscheck>
>> >
>> > </agent_config>
>> >
>> > The ossec.conf on the AGENT is the generic conf that comes out of the box,
>> > and I'm trying to push other requirements through agent.conf from the
>> > server.
>> >
>> >
>> > Although I do get alerts from ossec about changes made to files / new
>> > files added to the system in generic folders (through the generic config)
>> > - /etc, /sbin etc., I am not getting any changes from the /home folder
>> > from agents, about new files added or files changed.
>> >
>> >
>> > Help regarding this would be highly appreciated :)
>> >
>>
>> Verify that the agent processes were restarted after the agent.conf was
>> pushed.
>> Make sure the agent.conf was actually updated properly.
>> Double check to make sure that the agent you're testing on should
>> actually be using the block you've defined in agent.conf.
>>
>> > Thanks
>> > AJ
>> >
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google Groups
>> > "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send an
>> > email to [email protected].
>> > For more options, visit https://groups.google.com/d/optout.
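The reply above lists three things to verify when a centrally pushed agent.conf does not take effect: that the agent's copy matches the server's, that the `<agent_config>` block actually targets the agent, and that ossec-syscheckd logged the new directories after a restart. The following is an added example, not code from the thread or from the OSSEC project, that checks all three offline. Everything in it is constructed: the agent.conf text (the thread's generic block plus a hypothetical `name="^db-"` block), the ossec.log excerpt, the `"Monitoring directory: '...'"` log format (assumed from typical ossec.log output), md5 as the comparison hash, and the simplified name/os/profile matching rules (a block with no attributes applies to every agent, `name` and `os` are treated as regular expressions, `profile` as an exact match against the agent's config-profile list).

```python
"""Added example (not from the ossec-list thread or the OSSEC project):
an offline checker for the three verification steps in the reply.

Assumptions of this example, labelled here and in the comments below:
  - md5 stands in for whatever hash agent_control -i compares;
  - agent_config matching is simplified: no attributes = applies to all,
    name and os are regexes, profile is an exact match in a comma list;
  - the "Monitoring directory: '...'" line format mirrors typical ossec.log.
All file contents and log lines are constructed for the example.
"""
import hashlib
import re
import xml.etree.ElementTree as ET

# Constructed: the generic block from the thread plus a second block that only
# targets agents whose name starts with "db-" (hypothetical naming scheme).
AGENT_CONF = """<agent_config>
  <syscheck>
    <alert_new_files>yes</alert_new_files>
    <!-- Directories to check (perform all possible verifications) -->
    <directories check_all="yes">/home</directories>
    <ignore type="sregex">.log$|.tmp</ignore>
    <ignore>/home/backups</ignore>
  </syscheck>
</agent_config>
<agent_config name="^db-">
  <syscheck>
    <directories check_all="yes">/var/lib/mysql,/var/lib/mongodb</directories>
  </syscheck>
</agent_config>
"""

# Constructed ossec.log excerpt from an agent whose syscheckd only picked up
# the stock ossec.conf directories, i.e. the symptom described in the thread.
AGENT_LOG = """\
2014/03/20 20:30:01 ossec-syscheckd: INFO: Started (pid: 1234).
2014/03/20 20:30:01 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
2014/03/20 20:30:01 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin'.
2014/03/20 20:30:01 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin'.
2014/03/20 20:30:01 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
2014/03/20 20:30:01 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
"""

MONITOR_RE = re.compile(r"ossec-syscheckd: INFO: Monitoring directory: '([^']+)'")


def same_file(server_copy: str, agent_copy: str) -> bool:
    """Step 1: both copies hash identically (a trailing newline counts)."""
    digest = lambda s: hashlib.md5(s.encode()).hexdigest()  # assumed hash
    return digest(server_copy) == digest(agent_copy)


def block_applies(block: ET.Element, agent_name: str, agent_os: str,
                  profiles: str) -> bool:
    """Step 2: does this <agent_config> block target the given agent?"""
    name, os_, profile = block.get("name"), block.get("os"), block.get("profile")
    if name and not re.search(name, agent_name):
        return False
    if os_ and not re.search(os_, agent_os):
        return False
    if profile and profile not in [p.strip() for p in profiles.split(",")]:
        return False
    return True


def configured_directories(conf_text: str, agent_name: str, agent_os: str,
                           profiles: str = "") -> list:
    """Syscheck directories this agent should pick up from agent.conf."""
    # agent.conf is a sequence of bare <agent_config> elements with no single
    # root, so wrap it before handing it to the XML parser.
    root = ET.fromstring("<root>" + conf_text + "</root>")
    dirs = []
    for block in root.findall("agent_config"):
        if not block_applies(block, agent_name, agent_os, profiles):
            continue
        for elem in block.findall("./syscheck/directories"):
            # <directories> may carry a comma-separated list of paths.
            dirs.extend(p.strip() for p in (elem.text or "").split(",") if p.strip())
    return dirs


def monitored_directories(log_text: str) -> list:
    """Step 3: directories syscheckd announced after its (re)start."""
    return [m.group(1) for m in MONITOR_RE.finditer(log_text)]


def missing_directories(conf_text: str, log_text: str, agent_name: str,
                        agent_os: str, profiles: str = "") -> list:
    """Configured directories that never showed up in the agent's log."""
    seen = set(monitored_directories(log_text))
    return [d for d in configured_directories(conf_text, agent_name, agent_os, profiles)
            if d not in seen]


if __name__ == "__main__":
    # Pretend the server's copy and the agent's copy are both AGENT_CONF.
    print("agent.conf in sync:", same_file(AGENT_CONF, AGENT_CONF))
    for host in ("web-01", "db-01"):
        want = configured_directories(AGENT_CONF, host, "Linux " + host)
        gone = missing_directories(AGENT_CONF, AGENT_LOG, host, "Linux " + host)
        print(host, "configured:", want, "not monitored:", gone)
```

With the constructed log, both hosts report /home as configured but never monitored, which is exactly the situation in the thread: the file is in sync and the block applies, so the remaining suspects are the restart and the agent.conf ownership and permissions the reply mentions. Run it against a real agent by replacing the two constants with the contents of the server's /var/ossec/etc/shared/agent.conf, the agent's copy, and the agent's /var/ossec/logs/ossec.log.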
