On Thu, Sep 28, 2017 at 10:31 AM, Oh Ar <perlh...@gmail.com> wrote:
> Something I forgot to put in the original email, this is an RHEL7 VM, Linux
> xxxxxx.xxxxxx.unm.edu 3.10.0-693.2.2.el7.x86_64 #1 SMP Sat Sep 9 03:55:24
> EDT 2017 x86_64 x86_64 x86_64 GNU/Linux
>
> On Wednesday, September 27, 2017 at 6:41:01 AM UTC-6, dan (ddpbsd) wrote:
>>
>> On Tue, Sep 26, 2017 at 1:41 PM, Oh Ar <perl....@gmail.com> wrote:
>> > When I try to start the agent, I get a message that the logcollector
>> > module
>> > has failed.
>> >
>> > 2017/09/22 14:52:01 ossec-logcollector: Remote commands are not accepted
>> > from the manager. Ignoring it on the agent.conf
>> > 2017/09/22 14:52:01 ossec-logcollector(1202): ERROR: Configuration error
>> > at
>> > '/var/ossec/ossec-agent/etc/shared/agent.conf'. Exiting.
>> >
>> > This only happens when I have commands in the localfile section of the
>> > agent.conf file, i.e.:
>> >
>> >
>> >
>> >   <localfile>
>> >     <log_format>full_command</log_format>
>> >     <command>netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort</command>
>> >     <frequency>360</frequency>
>> >   </localfile>
>> >
>> >
>> > When I take these out of the agent.conf file, the error goes away, but
>> > from
>> > reading the manual, it seems like I should be able to run these
>> > commands.
>> >
>>
>> Did you set "logcollector.remote_commands" to 1 in agent's
>> "ossec/etc/local_internal_options.conf"? If this is set to 0 (the
>> default), remote commands are not accepted by the agent.
>
>
> That solved the problem.  It seems odd that the default settings cause
> errors, but, oh well.
>

The default settings do not cause errors; there is no agent.conf by
default (or at least not a populated one, I can't remember).

>>
>> > Another problem I'm having is that when I try to restart the agent, I
>> > get
>> > the following set of messages:
>> >
>> > 2017/09/22 14:52:01 ossec-syscheckd: WARN: Syscheck disabled.
>> > 2017/09/22 14:52:01 rootcheck: Rootcheck disabled. Exiting.
>> > 2017/09/22 14:52:01 ossec-syscheckd: WARN: Rootcheck module disabled.
>> >
>> > And I haven't had any luck with Google to find a solution. Every hit for
>> > that phrase I've come up with has been for people who want to turn
>> > syscheck
>> > off, not people who were having trouble turning it on.
>> >
>>
>> Do you have any <directories> defined in the agent's ossec.conf? I
>> can't think of any other way to disable syscheck.
>
>
> Actually, I found that there is an option for turning rootcheck and syscheck
> off, which was set to do so.  Again, weird default behaviour.
>

I have never had this happen by default.

> But from the way <directories> sounds, would I be correct in guessing that
> if I don't configure those, I won't actually be rootchecking or syschecking
> anything?  Do you have any documentation that says how to configure it?  The
> page on ossec.conf doesn't mention a directories option.
>

https://ossec.github.io/docs/syntax/head_ossec_config.syscheck.html
has information on how to set up <directories>.
How did you install OSSEC? There are some directories set up by default.

>>
>> > Lastly, I'm getting an email from the system every hour that has
>> > messages
>> > from every few seconds of the format:
>> > OSSEC HIDS Notification.
>> > 2017 Sep 22 14:41:01
>> >
>> > Received From: (avtest)
>> > 10.234.199.51->/var/ossec/logs/alerts/alerts.log|(avtest)
>> > 10.234.199.51->/var/ossec/logs/alerts/alerts.log|(avtest)
>> > 10.234.199.51->/var/ossec/logs/alerts/alerts.log|(avtest)
>> > 10.234.199.51->/var/ossec/logs/alerts/alerts.log|(avtest) 10.234.199.51
>> > Rule: 503 fired (level 3) -> "Ossec agent started."
>> > Portion of the log(s):
>> >
>> > ossec: Agent started: 'avtest->10.234.199.51'.
>> >
>> >
>> >
>> > --END OF NOTIFICATION
>> >
>> > I don't know why it's telling me that the agent has started every 5
>> > seconds
>> > or so, unless the agent is restarting every 5 seconds or so. And if the
>> > agent is restarting every 5 seconds or so, I want to make it *stop*. :D
>> >
>>
>> Never seen that issue; you can check the agent's ossec.log for clues
>> as to what is happening.
>
>
>
> Sadly, no clues there.  If it really is restarting every 5 seconds, it's not
> logging it.
>
> So, where is the log that the emails are generated from?  :)
>

Generally alerts.log, I believe.

> Thanks in advance,
>
> -Sandro
>
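Two of the problems in this thread come down to a mismatch between what the shared agent.conf asks for and what the agent is configured to allow: logcollector refuses to start when agent.conf contains <command>/<full_command> entries while logcollector.remote_commands is still 0 (the default), and syscheck has nothing to monitor when ossec.conf lists no <directories>. The default of 0 is there because enabling the option means the agent will execute whatever command entries the manager pushes out in agent.conf, so turning it on extends the trust you place in the manager to command execution on every agent that receives that file. The script below is an added example, not code from the thread or from the OSSEC project: a pre-flight check that flags the two mismatches before an agent restart. It uses a grep-based scan rather than a real XML parse (a heuristic, so a commented-out element would still be counted), takes the file paths as arguments, and runs against constructed sample files so it can be tried offline.

```shell
#!/bin/sh
# Added example; not code from the thread or from the OSSEC project.
# Pre-flight check for two agent misconfigurations:
#  1. agent.conf carries <command>/<full_command> localfile entries while
#     logcollector.remote_commands is still 0 (the default), so logcollector
#     refuses the configuration and exits;
#  2. ossec.conf has no syscheck <directories>, so syscheck has nothing to watch.
# Paths are passed as arguments. The grep-based scan is a heuristic, not an
# XML parse: commented-out elements would still be counted.

# Number of <localfile> entries whose log_format is command or full_command.
count_command_entries() {
    n=$(grep -cE '<log_format>[[:space:]]*(full_)?command[[:space:]]*</log_format>' "$1" 2>/dev/null) || true
    printf '%s\n' "${n:-0}"
}

# Succeeds only if local_internal_options.conf sets logcollector.remote_commands=1.
remote_commands_enabled() {
    grep -Eq '^[[:space:]]*logcollector\.remote_commands[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1" 2>/dev/null
}

# Prints: none (no command entries), ok (entries present and option enabled),
# or mismatch (entries present but option off: the failure seen in the thread).
classify_remote_commands() {
    agent_conf=$1; local_opts=$2
    n=$(count_command_entries "$agent_conf")
    if [ "$n" -eq 0 ]; then
        printf 'none\n'
    elif remote_commands_enabled "$local_opts"; then
        printf 'ok\n'
    else
        printf 'mismatch\n'
    fi
}

# Number of <directories ...> elements in ossec.conf; zero means syscheck
# has nothing to monitor.
count_syscheck_directories() {
    n=$(grep -c '<directories[ >]' "$1" 2>/dev/null) || true
    printf '%s\n' "${n:-0}"
}

# Writes constructed sample files (not from a real deployment) into directory $1.
make_samples() {
    d=$1
    cat > "$d/agent.conf" <<'EOF'
<agent_config>
  <localfile>
    <log_format>full_command</log_format>
    <command>netstat -tan | grep LISTEN | grep -v 127.0.0.1 | sort</command>
    <frequency>360</frequency>
  </localfile>
</agent_config>
EOF
    printf 'logcollector.remote_commands=0\n' > "$d/opts_default.conf"
    printf 'logcollector.remote_commands=1\n' > "$d/opts_enabled.conf"
    cat > "$d/ossec_nodirs.conf" <<'EOF'
<ossec_config>
  <syscheck>
    <frequency>79200</frequency>
  </syscheck>
</ossec_config>
EOF
    cat > "$d/ossec_dirs.conf" <<'EOF'
<ossec_config>
  <syscheck>
    <frequency>79200</frequency>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>
  </syscheck>
</ossec_config>
EOF
}

# Stand-alone demo over the constructed samples.
d=$(mktemp -d)
make_samples "$d"
printf 'remote commands, default options: %s\n' "$(classify_remote_commands "$d/agent.conf" "$d/opts_default.conf")"
printf 'remote commands, option enabled:  %s\n' "$(classify_remote_commands "$d/agent.conf" "$d/opts_enabled.conf")"
printf 'syscheck directories (no dirs):   %s\n' "$(count_syscheck_directories "$d/ossec_nodirs.conf")"
printf 'syscheck directories (with dirs): %s\n' "$(count_syscheck_directories "$d/ossec_dirs.conf")"
rm -rf "$d"
```

On a real agent, point classify_remote_commands at /var/ossec/etc/shared/agent.conf and /var/ossec/etc/local_internal_options.conf and count_syscheck_directories at /var/ossec/etc/ossec.conf; a "mismatch" result is exactly the state that produces the "Remote commands are not accepted from the manager" error above, and the fix is either to enable the option deliberately (accepting that the manager can then run commands on the agent) or to drop the command entries from the shared file.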
