[ossec-list] report_changes - odd results

2012-02-13 Thread Kat
Hi all..

Here is an odd one. I have a folder with a few dozen subfolders. I
want to set up report_changes on all the subfolders with a specific
file in it - for example:

/opt/conf/*/*act_config

And it seems to work fine - but here is the odd part. The *sh_config
is a txt file in every folder, and this is verified. Sometimes the
report changes actually works and other times it only shows the
checksums changing, which I know if the checksum changes the contents
had to change.

So the question is simple -- any idea what might cause the
report_changes to work most of the time, but sometimes it only reports
checksum? How would you debug this?

Basically I have a system with 50-60 users and they each have one of
the config files and they change them from time to time. So I want to
know which user changed it and what they changed (so when they say I
didn't change anything I can tell them and show them).  But the
baffling part is this works 90% of the time, but every now and then,
as mentioned, it does not show the actual changes.

signed,
confused...


[ossec-list] RE: agent-auth not working - internal error

2012-02-13 Thread Swartz, Patrick H
Hi All,
I just realized I didn't specify which version of Ossec we are running, my 
apologies. 

Ossec 2.6 running on SUSE Enterprise 11sp1 64bit, with 4GB of RAM and 2 CPUs 
and currently 2281 active connections.

Thanks again for any help you can provide.  

Patrick Swartz



-----Original Message-----
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On 
Behalf Of Swartz, Patrick H
Sent: Friday, February 10, 2012 10:32 AM
To: ossec-list@googlegroups.com
Subject: [ossec-list] agent-auth not working - internal error


   Hi All
   I ran across an issue last night that I can't find an answer for.  In our 
environment we have 2 machines set up as Ossec servers (due to 
geographic/firewall rules), one of them responds fine when a client sends the 
key request using 'agent-auth -m 10.10.10.1 -D /opt/ossec'; however, for 
clients trying to connect to the other we get an (internal error).
For example:
Log from the client -
INFO: Using agent name as: n1dpmmgr2
INFO: Send request to manager. Waiting for reply.
ERROR: Internal manager error adding agent: n1dpmmgr2 (from manager)
ERROR: Unable to add agent. (from manager)
INFO: Connection closed.

Corresponding log from the server (all that it is...):
2012/02/10 03:21:55 ossec-authd: ERROR: Unable to add agent: n1dpmmgr2 (internal error)

We have tried stopping/starting the Ossec server, stopping/starting 
ossec-authd, and even recompiling, but none helped.

One note of interest, for each time a client connects and requests a key, a 
[ossec-authd] defunct process would show up in a process listing.
 
Any and all help would be greatly appreciated! 

   Patrick Swartz






[ossec-list] Re: report_changes - odd results

2012-02-13 Thread Kat
That first paragraph should read the *act_config - not
*sh_config...
Sorry if that was confusing.

On Feb 13, 8:05 am, Kat uncommon...@gmail.com wrote:
> Hi all..
>
> Here is an odd one. I have a folder with a few dozen subfolders. I
> want to set up report_changes on all the subfolders with a specific
> file in it - for example:
>
> /opt/conf/*/*act_config
>
> And it seems to work fine - but here is the odd part. The *sh_config
> is a txt file in every folder, and this is verified. Sometimes the
> report changes actually works and other times it only shows the
> checksums changing, which I know if the checksum changes the contents
> had to change.