/var/ossec/bin/agent_control -i 030
OSSEC HIDS agent_control. Agent information:
Agent ID: 030
Agent Name: ewqeqw
IP address: 192.168.x.x
Status: Active
Operating system: Linux 3.2.0-4-amd64 #1 SMP Debian 3.2.65-1+deb7u..
Client version: OSSEC HIDS v2.8 / 9144d8b51e627a498cde8eeb8dac2c88
Last keep alive: Fri Jul 17 15:57:56 2015
Syscheck last started at: Fri Jul 17 15:34:48 2015
Rootcheck last started at: Fri Jul 17 15:59:33 2015
Now I'm testing with central agent conf:
<agent_config>
  <syscheck>
    <frequency>600</frequency>
    <directories report_changes="yes" check_all="yes" realtime="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories report_changes="yes" check_all="yes" realtime="yes">/bin,/sbin</directories>
    <directories report_changes="yes" check_all="yes" realtime="yes">/usr/local/sbin</directories>
    <directories report_changes="yes" check_all="yes" realtime="yes">/usr/local/bin</directories>
  </syscheck>
</agent_config>
And still nothing. I checked md5sum /var/ossec/etc/shared/agent.conf:
179aa16e2a4830f4d60afe9b2325e956 /var/ossec/etc/shared/agent.conf
But as you can see, the agent doesn't receive it (I restarted the agent).
Don't know what to do...
On Friday, July 17, 2015 at 15:54:13 UTC+3, dan (ddpbsd) wrote:
>
>
> On Jul 17, 2015 8:51 AM, "Oleg Makarov" <[email protected]> wrote:
> >
> > Yep, it's active.
> > I don't see anything in /var/ossec/queue/syscheck :(
> >
>
> Did you check on the manager? I apologize for not being more specific
> initially, but that info is stored on the manager.
>
> > I also tried to change the frequency to 600 seconds, but still the same :(
> >
>
> That's still very low for checking 2 hashes for every file in the
> configured directories.
>
> > On Friday, July 17, 2015 at 15:28:16 UTC+3, dan (ddpbsd) wrote:
> >>
> >>
> >> On Jul 17, 2015 6:26 AM, "Oleg Makarov" <[email protected]> wrote:
> >> >
> >> > Hello everyone!
> >> > I'm a newbie in ossec and I need some help.
> >> > I have an ossec manager and 20+ ossec agents.
> >> > On the manager I have this conf: http://pastebin.com/4LTYNmYH
> >> > On the agent I have this conf: http://pastebin.com/RzN5p6Zf
> >> > I want to see how I change /etc/ssh/sshd_config on one of my agents. I made some changes, but there are no alerts on my email.
> >> > What am I doing wrong?
> >> > Thanks!
> >> >
> >>
> >> Is the agent connected to the manager?
> >> Is the entry in the syscheck db updated (/var/ossec/queue/syscheck)?
> >>
> >> The frequency seems very low on the agent. I haven't seen much success with very low frequencies.
> >>
> >> > --
> >> >
> >> > ---
> >> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
> >> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> >>
> >> > For more options, visit https://groups.google.com/d/optout.
> >
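The hand comparison made at the top of this message (the hash on the `Client version` line of `agent_control -i` against `md5sum` of a file on the manager), as an added shell example that is not part of the original thread. It assumes the 32-hex value after the slash is the hash the agent reports for its shared configuration, as the poster's comparison implies; the file to compare is passed as an argument, and the function names and sample data are constructed.

```shell
#!/bin/sh
# Added example: compare the hash an agent reports with the md5 of a manager file.

# stdin: output of `agent_control -i <id>`.
# Prints the 32-hex digest that follows "/" on the "Client version:" line.
reported_hash() {
    sed -n 's/^Client version:.*\/ *\([0-9a-fA-F]\{32\}\) *$/\1/p' | head -n 1
}

# Prints the md5 digest of a file (first field of md5sum output).
file_hash() {
    md5sum "$1" | awk '{print $1}'
}

# config_in_sync <saved agent_control output> <file on the manager>
# Returns 0 if the hashes match, 1 if they differ,
# 2 if no hash could be parsed (e.g. agent never connected).
config_in_sync() {
    reported=$(reported_hash < "$1")
    [ -n "$reported" ] || return 2
    [ "$reported" = "$(file_hash "$2")" ]
}

# Demo on constructed data, so it runs without an OSSEC install.
demo() {
    dir=$(mktemp -d)
    printf '<agent_config>\n</agent_config>\n' > "$dir/agent.conf"
    h=$(file_hash "$dir/agent.conf")
    # Constructed agent_control output, same layout as in the message.
    printf 'Agent ID: 030\nStatus: Active\nClient version: OSSEC HIDS v2.8 / %s\n' \
        "$h" > "$dir/info.txt"
    if config_in_sync "$dir/info.txt" "$dir/agent.conf"; then
        echo "agent reports the same hash as the file"
    else
        echo "agent reports a different hash"
    fi
    rm -rf "$dir"
}
demo
```

On a manager, save the output of `/var/ossec/bin/agent_control -i 030` to a file and pass it as the first argument.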