Thanks for your response.

The only content in the folder is the *rcl.txt files, the rootkit files, 
agent.conf and ar.conf. They are all readable by the ossec group.

I have a similar set of files on the agent.

I do have the "ossec-remoted: DEBUG Sending file 'merged.mg' to agent." log 
message in the manager logs.

Is there anything else I can try?

On Wednesday, 26 October 2016 12:23:38 UTC+1, Pedro S wrote:
>
> Hi Sean,
>
> OSSEC compresses the whole /var/ossec/etc/shared directory, including the 
> agent.conf, and pushes everything (merged.mg) to the agents. Sometimes, if 
> you have something not entirely readable in that folder, the push fails. 
> What content do you have in the shared folder?
>
> Every time a file is sent to the agent (in this case, merged.mg), a SUM 
> hash is sent in the package to verify that the received file has the same 
> MD5 as it had on the Manager. I think that check is the one failing in 
> your environment.
>
> Do you have the output "Sending file 'filename' to agent." on your Manager 
> log? (Requires debug).
>
>
> Best regards,
>
> Pedro S.
>
>
>
> On Tue, Oct 25, 2016 at 11:27 PM, Sean Mitchell <mitche...@gmail.com> wrote:
>
>> Hi all,
>>
>> I've just set up a simple Alienvault server -> FreeBSD 10.3 OSSEC agent. 
>> I'm using OSSEC v2.8 on both machines.
>>
>> I've created a blank agent.conf for testing and enabled debug logging and 
>> every time I restart the agent and it tries to receive the agent.conf I get 
>> this error message on the agent.
>>
>> ossec-agentd: ERROR: Failed md5 for: /etc/shared/merged.mg -- deleting.
>>
>> No matter what I try, the agent.conf never shows up on the agent. I've 
>> ensured all the permissions are set accordingly and I can even see the 
>> merged.mg file briefly in the directory before it gets deleted.
>>
>> I've tried numerous agent.conf's on the server to be pushed and none seem 
>> to work - weirdly the blank config doesn't work either.
>>
>> Any ideas as to what to try?
>>
>> Thanks.
>>
>
>
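
Added example (not part of the original thread and not OSSEC code): a script for the two checks discussed above, listing entries in the shared directory that the ossec group cannot read and printing an MD5 of merged.mg so the manager's and agent's copies can be compared. The merged.mg path given on the command line is an assumption about the local install, and the permission check looks only at group/other read bits (no owner bits or ACLs).

```python
#!/usr/bin/env python3
# Added example, not OSSEC code. Directory and group name come from the thread.
import grp
import hashlib
import os
import stat
import sys

SHARED_DIR = "/var/ossec/etc/shared"
GROUP = "ossec"


def unreadable_by_group(directory, gid):
    """Names of entries that group `gid` cannot read (mode bits only, no ACLs)."""
    bad = []
    for name in sorted(os.listdir(directory)):
        try:
            st = os.stat(os.path.join(directory, name))
        except OSError:  # e.g. a dangling symlink: nothing readable behind it
            bad.append(name)
            continue
        group_ok = st.st_gid == gid and bool(st.st_mode & stat.S_IRGRP)
        other_ok = bool(st.st_mode & stat.S_IROTH)
        if not (group_ok or other_ok):
            bad.append(name)
    return bad


def md5_of(path, chunk=65536):
    """Hex MD5 of a file, read in chunks so large files are fine."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


if __name__ == "__main__":
    # Assumption: argv[1], if given, is the merged.mg path on this host.
    gid = grp.getgrnam(GROUP).gr_gid
    for name in unreadable_by_group(SHARED_DIR, gid):
        print("not readable by %s: %s" % (GROUP, name))
    if len(sys.argv) > 1:
        print("%s  %s" % (md5_of(sys.argv[1]), sys.argv[1]))
```

Run it on the manager and on the agent; differing digests for merged.mg mean the file changed between the two hosts.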
