I did this and now remoted is running (thank you!!!) but I am still not getting any alerts for added, modified, removed files in the ossec.log. Am I looking in the wrong place?
On Sunday, March 6, 2016 at 1:30:51 PM UTC-5, Santiago Bassett wrote:
>
> Forgot to mention that you need to restart OSSEC (in the manager), once
> you have done that.
>
> On Sun, Mar 6, 2016 at 10:29 AM, Santiago Bassett <[email protected]> wrote:
>
>> Most likely you just need to register the first agent, so
>> /var/ossec/etc/client.keys gets created. You can use
>> /var/ossec/bin/manage_agents to register it (use "add an agent" option).
>>
>> I hope it helps
>>
>> On Sun, Mar 6, 2016 at 9:41 AM, Tennisha tennisha <[email protected]> wrote:
>>
>>> I have tried to install ossec on three different vms and am not able to get
>>> it to pick up modifications, additions, deletions of files. I have tried
>>> running it on security onion 14.04 machine and a non security onion
>>> machine. I followed the instructions here
>>>
>>> https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-ossec-security-notifications-on-ubuntu-14-04
>>>
>>> and on two of the machines I am getting this process XXX not used by ossec
>>> removing, ossec remoted not running error. Please advise
>>>
>>>
>>> martin@martin-VirtualBox:~$ sudo /var/ossec/bin/ossec-control status
>>> [sudo] password for martin:
>>> ossec-monitord is running...
>>> ossec-logcollector is running...
>>> ossec-remoted: Process 1439 not used by ossec, removing ..
>>> ossec-remoted not running...
>>> ossec-syscheckd is running...
>>> ossec-analysisd is running...
>>> ossec-maild not running...
>>> ossec-execd is running...
>>> martin@martin-VirtualBox:~$ gdb /var/ossec/bin/ossec-remoted
>>> GNU gdb (Ubuntu 7.7.1-0ubuntu5~14.04.2) 7.7.1
>>> Copyright (C) 2014 Free Software Foundation, Inc.
>>> License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
>>> This is free software: you are free to change and redistribute it.
>>> There is NO WARRANTY, to the extent permitted by law. Type "show copying"
>>> and "show warranty" for details.
>>> This GDB was configured as "x86_64-linux-gnu".
>>> Type "show configuration" for configuration details.
>>> For bug reporting instructions, please see:
>>> <http://www.gnu.org/software/gdb/bugs/>.
>>> Find the GDB manual and other documentation resources online at:
>>> <http://www.gnu.org/software/gdb/documentation/>.
>>> For help, type "help".
>>> Type "apropos word" to search for commands related to "word"...
>>> /var/ossec/bin/ossec-remoted: Permission denied.
>>> (gdb)
>>> (gdb) set follow-fork-mode child
>>> (gdb) run -df
>>> Starting program: -df
>>> No executable file specified.
>>> Use the "file" or "exec-file" command.
>>> (gdb) t
>>> No thread selected
>>> (gdb) bt
>>> No stack.
>>> (gdb)
>>> [1]+ Stopped gdb /var/ossec/bin/ossec-remoted
>>> martin@martin-VirtualBox:~$ sudo gdb /var/ossec/bin/ossec-remoted
>>> GNU gdb (Ubuntu 7.7.1-0ubuntu5~14.04.2) 7.7.1
>>> Copyright (C) 2014 Free Software Foundation, Inc.
>>> License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
>>> This is free software: you are free to change and redistribute it.
>>> There is NO WARRANTY, to the extent permitted by law. Type "show copying"
>>> and "show warranty" for details.
>>> This GDB was configured as "x86_64-linux-gnu".
>>> Type "show configuration" for configuration details.
>>> For bug reporting instructions, please see:
>>> <http://www.gnu.org/software/gdb/bugs/>.
>>> Find the GDB manual and other documentation resources online at:
>>> <http://www.gnu.org/software/gdb/documentation/>.
>>> For help, type "help".
>>> Type "apropos word" to search for commands related to "word"...
>>> Reading symbols from /var/ossec/bin/ossec-remoted...(no debugging symbols found)...done.
>>> (gdb) set follow-fork-mode child
>>> (gdb) run -df
>>> Starting program: /var/ossec/bin/ossec-remoted -df
>>> [Thread debugging using libthread_db enabled]
>>> Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
>>> 2016/03/06 12:31:23 ossec-remoted: DEBUG: Starting ...
>>> 2016/03/06 12:31:23 ossec-remoted: INFO: Started (pid: 4504).
>>> [New process 4508]
>>> [Thread debugging using libthread_db enabled]
>>> Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
>>> 2016/03/06 12:31:23 ossec-remoted: DEBUG: Forking remoted: '0'.
>>> 2016/03/06 12:31:23 ossec-remoted: INFO: Started (pid: 4508).
>>> 2016/03/06 12:31:23 ossec-remoted: DEBUG: Running manager_init
>>> [New Thread 0x7ffff6fba700 (LWP 4509)]
>>> [New Thread 0x7ffff67b9700 (LWP 4510)]
>>> 2016/03/06 12:31:24 ossec-remoted: INFO: (unix_domain) Maximum send buffer set to: '16777216'.
>>> 2016/03/06 12:31:24 ossec-remoted(4111): INFO: Maximum number of agents allowed: '1024'.
>>> 2016/03/06 12:31:24 ossec-remoted(1410): INFO: Reading authentication keys file.
>>> 2016/03/06 12:31:24 ossec-remoted(1402): ERROR: Authentication key file '/etc/client.keys' not found.
>>> 2016/03/06 12:31:24 ossec-remoted(1750): ERROR: No remote connection configured. Exiting.
>>> [Thread 0x7ffff6fba700 (LWP 4509) exited]
>>> [Thread 0x7ffff7fe1740 (LWP 4508) exited]
>>> [Inferior 2 (process 4508) exited with code 01]
>>> (gdb)
>>>
>>> --
>>>
>>> ---
>>> You received this message because you are subscribed to the Google
>>> Groups "ossec-list" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to [email protected].
>>> For more options, visit https://groups.google.com/d/optout.
>>>
>>
>>
>
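The thread turns on two checks: that the manager has a client.keys file with at least one registered agent (the gdb trace shows remoted exiting because the file, read as '/etc/client.keys' inside the /var/ossec chroot, does not exist), and that ossec-control reports every daemon running. The follow-up question about where file alerts appear is also a location issue: syscheck results are written as alerts to /var/ossec/logs/alerts/alerts.log, while /var/ossec/logs/ossec.log carries the daemons' own messages. The script below is an added example, not code from the thread or from the OSSEC project. It implements those checks over text on stdin plus a readiness check against an OSSEC directory; the status output, keys file and alert excerpt it runs on are constructed samples (placeholder key values, invented timestamps), and treating a name beginning with "!" in client.keys as a removed agent is an assumption.

```shell
#!/bin/sh
# Added diagnostic helpers for the symptoms in this thread (not code from the
# thread or the OSSEC project): list daemons ossec-control reports as not
# running, count agents in client.keys, count syscheck alerts in alerts.log,
# and check whether remoted has a usable keys file. Sample data is constructed.

# Names of daemons that `ossec-control status` (on stdin) reports as not running.
daemons_not_running() {
    awk '/ not running/ { print $1 }'
}

# Number of agents registered in client.keys text on stdin.
# Line format: <id> <name> <ip> <key>. A name starting with "!" is skipped here
# (assumed to mark an agent removed via manage_agents).
count_registered_agents() {
    awk 'NF == 4 && $2 !~ /^!/ { n++ } END { print n + 0 }'
}

# Number of syscheck alerts in alerts.log text on stdin. File added/changed/
# deleted events are reported here, not in ossec.log (the daemons' own log).
count_syscheck_alerts() {
    awk '/^\*\* Alert / && /syscheck/ { n++ } END { print n + 0 }'
}

# Return 0 if remoted has a usable keys file under the given OSSEC directory,
# 1 otherwise (reason and the fix from the thread go to stderr).
check_manager_ready() {
    keys="$1/etc/client.keys"
    if [ ! -f "$keys" ]; then
        echo "$keys missing: register an agent with $1/bin/manage_agents ('add an agent'), then restart OSSEC" >&2
        return 1
    fi
    n=$(count_registered_agents < "$keys")
    if [ "$n" -eq 0 ]; then
        echo "$keys holds no registered agents" >&2
        return 1
    fi
    echo "$n agent(s) registered in $keys"
}

# --- Constructed samples -----------------------------------------------------
SAMPLE_STATUS='ossec-monitord is running...
ossec-logcollector is running...
ossec-remoted: Process 1439 not used by ossec, removing ..
ossec-remoted not running...
ossec-syscheckd is running...
ossec-analysisd is running...
ossec-maild not running...
ossec-execd is running...'

# Placeholder keys; real ones are long hex strings generated by manage_agents.
SAMPLE_KEYS='001 web01 192.168.56.10 PLACEHOLDER_KEY
002 !retired 192.168.56.11 PLACEHOLDER_KEY
003 db01 any PLACEHOLDER_KEY'

# Constructed alerts.log excerpt (timestamps and paths invented).
SAMPLE_ALERTS=$(cat <<'EOF'
** Alert 1457290283.1234: - ossec,syscheck,
2016 Mar 06 13:11:23 martin-VirtualBox->syscheck
Rule: 554 (level 5) -> 'File added to the system.'
New file '/etc/test.txt' added to the file system.

** Alert 1457290300.2345: - ossec,syscheck,
2016 Mar 06 13:11:40 martin-VirtualBox->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/test.txt'
EOF
)

# --- Demo on the samples and on a temporary manager tree ---------------------
echo "not running:"; printf '%s\n' "$SAMPLE_STATUS" | daemons_not_running
echo "agents in sample keys: $(printf '%s\n' "$SAMPLE_KEYS" | count_registered_agents)"
echo "syscheck alerts in sample: $(printf '%s\n' "$SAMPLE_ALERTS" | count_syscheck_alerts)"

demo=$(mktemp -d) && mkdir -p "$demo/etc"
check_manager_ready "$demo" || echo "-> remoted would exit, as in the gdb trace"
printf '%s\n' "$SAMPLE_KEYS" > "$demo/etc/client.keys"
check_manager_ready "$demo"
rm -rf "$demo"
```

On a real manager, `check_manager_ready /var/ossec` and `/var/ossec/bin/ossec-control status | daemons_not_running` give the two answers the thread asks for, and `count_syscheck_alerts < /var/ossec/logs/alerts/alerts.log` shows whether file-change alerts are being produced at all before looking for them by email.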
