On Mon, Aug 11, 2014 at 1:20 PM, Steve <[email protected]> wrote: > Hello. I have and agent.conf file that throws errors when I attempt to > specify a particular agent with the name command. here is the > configuration: > <agent_config> > > <agent_config name="logger.hpc">
I don't think you should have 2 "agent_config" items at the beginning. > <localfile> > <location>/var/log/hpc_logs</location> > <log_format>syslog</log_format> > </localfile> > </agent_config> > > <command> > <name>restart-ossec</name> > <executable>restart-ossec.sh</executable> > <expect></expect> > </command> > > <active-response> > <command>restart-ossec</command> > <location>local</location> > <rules_id>510010</rules_id> > </active-response> > > <localfile> > <log_format>syslog</log_format> > <location>/var/ossec/logs/active-responses.log</location> > </localfile> > > <localfile> > <log_format>syslog</log_format> > <location>/var/log/messages</location> > </localfile> > > </agent_config> > > These are the errors I get: > sudo /var/ossec/bin/verify-agent-conf > 2014/08/11 17:13:16 ossec-config(1230): ERROR: Invalid element in the > configuration: 'agent_config'. > 2014/08/11 17:13:16 ossec-config(1202): ERROR: Configuration error at > '/var/ossec/etc/shared/agent.conf'. Exiting. > > If I take out just the <agent_config name="logger.hpc"> and the matching > </agent_config>, the errors go away. > I have tried using just "logger" and get the same errors. > I have tried a different agent without a period in the name (did have a > dash), same errors. As far as Ic an tell, my formatting is correct per the > documentation here: > http://ossec-docs.readthedocs.org/en/latest/manual/agent/agent-configuration.html > > I am running 2.6 because my central server is a Security Onion box, and > their distro has not updated to 2.7 or 2.8. the agent.conf file IS getting > pushed to my 2.7.1 agents just fine, and THEY throw the same errors - twice > each time I restart OSSEC. I've spent the last couple hours going through > the mailing list to see if I could find an answer, if it's here, I'm missing > it. ANy help would be greatly appreciated. I just added two agents that I > need to write more custom sections for, but I'm not confident I can at this > point. Thanks! > > Steve > > -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > For more options, visit https://groups.google.com/d/optout. -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
