On Thu, Mar 29, 2018, 4:44 PM Neeraj Shah <neerajsha...@gmail.com> wrote:
> Hello All,
>
> Need some help. I am trying out ossec with Security Onion. The ossec
> server comes preinstalled in Security Onion. I am now trying the agent
> piece. I installed the v2.9.2 latest version agent on one of my Windows
> client PCs, did the initial config and restarted the agent. From the
> ossec server, the agent ID shows connected. So far so good.
>
> I then created the "/var/ossec/etc/shared/agent.conf" on the server, put
> in a stanza for "os=windows", saved the file and restarted the ossec
> server. After waiting for a while, I checked the client PC and the
> agent.conf didn't get created / deployed to the client. In fact, the
> agent logs on the client were showing this error message:
> "XML Error /shared/agent.conf not found"
>
> So I then went ahead and created the agent.conf manually on my client and
> restarted the service again. The above XML error didn't show up this time,
> but even after waiting for 15 mins or so, the agent.conf is empty. It is
> not downloading / syncing the changes from the agent.conf that's on the
> ossec server.
>
> What could the reason be? Any help appreciated.
> =================================================
>
> Here is the result of md5check command:
>
> sudo /var/ossec/bin/agent_control -i 001
>
> OSSEC HIDS agent_control. Agent information:
>    Agent ID:   001
>    Agent Name: ENGG-WKS
>    IP address: 172.16.3.10
>    Status:     Active
>
>    Operating system: Microsoft Windows 7 Business Edition Professional Se..
>    Client version:   OSSEC HIDS v2.9.2 / d41d8cd98f00b204e9800998ecf8427e
>    Last keep alive:  Thu Mar 29 20:20:40 2018
>
> root@securityonion:# md5sum /var/ossec/etc/shared/agent.conf
> 9e4fb5a9b0ea944c19cedab71e860b54  /var/ossec/etc/shared/agent.conf
>
> Both checksums are different.

Check the permissions and ownership of the agent.conf on the agent.
Check for the contents of agent.conf in the merged.mg on the agent.
Try the 2.9.4 branch; I might have included a fix for this.

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
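
The check suggested in the reply (looking for agent.conf inside merged.mg), as an added example that is not part of the original thread or OSSEC's own code. It assumes merged.mg stores each shared file as a `!<size> <name>` header line followed by that many bytes, uses constructed sample data, and flags the MD5 of empty input, which is the d41d8cd98f00b204e9800998ecf8427e value in the agent_control output above.

```python
import hashlib

# MD5 of zero bytes; the same value agent_control printed for agent 001.
EMPTY_MD5 = hashlib.md5(b"").hexdigest()

def entry(name, content):
    """Build one merged.mg entry in the ASSUMED layout '!<size> <name>\\n<bytes>'."""
    return f"!{len(content)} {name}\n".encode() + content

def parse_merged(blob):
    """Split a merged.mg blob into {filename: bytes}; raise ValueError if malformed."""
    files, pos = {}, 0
    while pos < len(blob):
        eol = blob.find(b"\n", pos)
        header = blob[pos:eol] if eol != -1 else b""
        size_s, sep, name = header[1:].partition(b" ")
        if not header.startswith(b"!") or not sep or not size_s.isdigit():
            raise ValueError(f"bad entry header at offset {pos}")
        start, size = eol + 1, int(size_s)
        if start + size > len(blob):
            raise ValueError(f"{name.decode()} is truncated")
        files[name.decode()] = blob[start:start + size]
        pos = start + size
    return files

def check_agent_conf(blob):
    """Return (status, md5) describing agent.conf inside a merged.mg blob."""
    if not blob:
        return ("merged.mg empty", EMPTY_MD5)
    conf = parse_merged(blob).get("agent.conf")
    if conf is None:
        return ("agent.conf missing", None)
    digest = hashlib.md5(conf).hexdigest()
    return ("agent.conf empty" if digest == EMPTY_MD5 else "agent.conf present", digest)

# Constructed sample data, not taken from a real agent.
SAMPLE_CONF = b'<agent_config os="Windows">\n</agent_config>\n'
SAMPLE_MERGED = entry("agent.conf", SAMPLE_CONF) + entry("notes.txt", b"x\n")

if __name__ == "__main__":
    print(check_agent_conf(b""))            # zero-byte blob hashes to EMPTY_MD5
    print(check_agent_conf(SAMPLE_MERGED))  # agent.conf entry found with content
```

To use it on a real file, read merged.mg in binary mode and pass the bytes to `check_agent_conf`; the returned digest can then be compared with `md5sum /var/ossec/etc/shared/agent.conf` on the server.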