On Mon, Aug 17, 2020 at 10:42 PM Daniel Gerep <ge...@cloudwalk.io> wrote:
>
> Hi all,
>
> I am starting to use OSSEC so I may be doing something wrong here.
>
> I have OSSEC installed as a server in my Linux VM and the Agent in my Windows
> Server 2012 VM.
>
> My server has the default configuration plus this:
>
> <command>
>   <name>ossec-slack</name>
>   <executable>ossec-slack.sh</executable>
>   <expect></expect> <!-- no expect args required -->
>   <timeout_allowed>no</timeout_allowed>
> </command>
>
> <active-response>
>   <disabled>no</disabled>
>   <command>ossec-slack</command>
>   <location>local</location>
>   <level>3</level>
> </active-response>
>
> <remote>
>   <connection>secure</connection>
> </remote>
>
> In my Server, using the agent_control I can see my agent is active
>
> [root@gateway1-proxy bin]# ./agent_control -l
>
> OSSEC HIDS agent_control. List of available agents:
>    ID: 000, Name: gateway1-proxy (server), IP: 127.0.0.1, Active/Local
>    ID: 001, Name: clearing-optimizer, IP: XX.XX.X.X, Active
>
> With that, I believe my server and agent are communicating as expected.
>
You can look for alerts for log messages sent by the agent in
/var/ossec/logs/alerts/alerts.log on the server. If there aren't any, turning
on the log all option and checking archives.log would be my next step.

> In my server's log, I have a lot of:
>
> 2020/08/17 19:25:18 ossec-remoted: WARN: Duplicate error: global: 22, local: 7947, saved global: 22, saved local:7948
> 2020/08/17 19:25:18 ossec-remoted(1407): ERROR: Duplicated counter for 'clearing-optimizer'.
>
> I have found an old post here in this group and applied the suggestion but
> the same error appears again after a while. I have also tried removing the
> agent and adding again, with a different ID and name but again, after a
> while, the error appears.
>

I'm not sure why that would be happening over and over, but you might have to
disable rids support entirely (set remoted.verify_msg_id=0 in
/var/ossec/etc/local_internal_options.conf).

> In my agent, I have the default configuration plus this:
>
> <active-response>
>   <disabled>no</disabled>
>   <location>server</location>
>   <level>3</level>
> </active-response>
>
> So, in my understanding, this is sending any active-response event to the
> server, is that correct?
>

That's not how it works. The agent monitors its own log files. When a new
entry is written, the agent sends the log message to the server. The server
then decodes the log message and compares it to its set of rules. If a rule is
triggered, an alert is created. If that alert triggers an active response, the
server sends a message to the configured active response location. In the case
of the slack script, I believe it's run locally on the server (it's been a long
time since I looked at the script).

> Also, another question, is there a way to trigger an event in my agent
> (Windows) so I can check if the server is receiving the notification
> correctly?
>

Failing to log in a few times would trigger a log message. These log messages
should trigger alerts on the ossec server for that agent.
> Thank you.
>
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/ossec-list/010078f3-af73-4b7d-ba9c-88bf1f1694b0n%40googlegroups.com.
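The duplicate-counter warnings quoted in this thread can be triaged straight from the server's ossec.log before deciding whether to disable rids verification. The following is an added example, not code from the thread or from OSSEC itself: it pairs each "Duplicate error" WARN line with the ERROR line that names the agent, applies the same accept-or-reject rule remoted uses for message counters (the incoming global/local pair must be strictly greater than the saved pair), and reports per agent whether the rejected messages were exact retransmits or had a counter that fell behind the server's. The log lines are constructed samples modelled on the one quoted above.

```python
import re
from collections import defaultdict

# Constructed sample of server-side ossec.log lines. The first pair is the
# one quoted in the thread; the other two pairs are made up for illustration.
SAMPLE_LOG = """\
2020/08/17 19:25:18 ossec-remoted: WARN: Duplicate error: global: 22, local: 7947, saved global: 22, saved local:7948
2020/08/17 19:25:18 ossec-remoted(1407): ERROR: Duplicated counter for 'clearing-optimizer'.
2020/08/17 19:25:19 ossec-remoted: WARN: Duplicate error: global: 22, local: 7948, saved global: 22, saved local:7948
2020/08/17 19:25:19 ossec-remoted(1407): ERROR: Duplicated counter for 'clearing-optimizer'.
2020/08/17 19:26:00 ossec-remoted: WARN: Duplicate error: global: 21, local: 10, saved global: 22, saved local:7948
2020/08/17 19:26:00 ossec-remoted(1407): ERROR: Duplicated counter for 'clearing-optimizer'.
"""

# Note "saved local:7948" has no space after the colon in the real log line.
WARN_RE = re.compile(
    r"^(?P<ts>\S+ \S+) ossec-remoted: WARN: Duplicate error: "
    r"global: (?P<g>\d+), local: (?P<l>\d+), "
    r"saved global: (?P<sg>\d+), saved local:\s*(?P<sl>\d+)$"
)
ERR_RE = re.compile(
    r"^(?P<ts>\S+ \S+) ossec-remoted\(\d+\): ERROR: "
    r"Duplicated counter for '(?P<agent>[^']+)'\.$"
)


def counter_accepted(g, l, sg, sl):
    """remoted's rule: accept only if (global, local) is strictly greater
    than the pair saved for that agent; anything else is a 'duplicate'."""
    return g > sg or (g == sg and l > sl)


def parse_duplicate_errors(text):
    """Pair each WARN line with the ERROR line that follows it and summarise
    per agent: how many rejections, and the last rejected counters/reason."""
    summary = defaultdict(lambda: {"count": 0, "last": None})
    pending = None
    for line in text.splitlines():
        m = WARN_RE.match(line)
        if m:
            pending = tuple(int(m.group(k)) for k in ("g", "l", "sg", "sl"))
            continue
        m = ERR_RE.match(line)
        if m and pending is not None:
            g, l, sg, sl = pending
            pending = None
            if counter_accepted(g, l, sg, sl):
                continue  # cannot happen for a real duplicate error; skip
            # Same pair as saved: a retransmit. Lower pair: the agent's
            # counter is behind what the server last accepted.
            reason = "retransmit" if (g, l) == (sg, sl) else "counter_behind"
            entry = summary[m.group("agent")]
            entry["count"] += 1
            entry["last"] = {"ts": m.group("ts"), "incoming": (g, l),
                             "saved": (sg, sl), "reason": reason}
    return dict(summary)
```

Run over the real /var/ossec/logs/ossec.log, an agent whose rejections are all "counter_behind" after every restart is the case the thread ends up working around with remoted.verify_msg_id=0.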