[ossec-list] Agent configuration management via central server
All, Apologies if this has been covered, but I sure couldn't find it :-) In my lab I have a central ossec 2.6 server on Ubuntu and one client on Centos, set them up with active response and followed procedure here: http://www.ossec.net/doc/manual/agent/agent-configuration.html agent.conf is written to the client upon restart of server and client ossec.conf is not overwritten This feels like a permissions error, agent.conf is owned by ossec:ossec and ossec.conf is owned by root:root and is not writable by other than root, this is default as far as I can tell and I don't want to muck with it unless I have to. Any help would be...helpful :-) -Thanks
Re: [ossec-list] Agent configuration management via central server
On Tue, Nov 27, 2012 at 7:29 PM, funwithossec h...@donobi.net wrote: All, Apologies if this has been covered, but I sure couldn't find it :-) In my lab I have a central ossec 2.6 server on Ubuntu and one client on Centos, set them up with active response and followed procedure here: http://www.ossec.net/doc/manual/agent/agent-configuration.html agent.conf is written to the client upon restart of server and client ossec.conf is not overwritten This feels like a permissions error, agent.conf is owned by ossec:ossec and ossec.conf is owned by root:root and is not writable by other than root, this is default as far as I can tell and I don't want to muck with it unless I have to. Any help would be...helpful :-) -Thanks What's the problem? You haven't identified it at all.
Re: [ossec-list] Agent configuration management via central server
If I am reading your problem - you are saying ossec.conf on the AGENT is not being overwritten -- if this is correct - then yes, it is not - it won't. Only agent.conf gets pushed to the agents. ossec.conf is set manually on agents, so if you expect it to get changes - you need to use puppet or some other method. cheers K On Wednesday, November 28, 2012 5:25:31 AM UTC-8, dan (ddpbsd) wrote: On Tue, Nov 27, 2012 at 7:29 PM, funwithossec ho...@donobi.netjavascript: wrote: All, Apologies if this has been covered, but I sure couldn't find it :-) In my lab I have a central ossec 2.6 server on Ubuntu and one client on Centos, set them up with active response and followed procedure here: http://www.ossec.net/doc/manual/agent/agent-configuration.html agent.conf is written to the client upon restart of server and client ossec.conf is not overwritten This feels like a permissions error, agent.conf is owned by ossec:ossec and ossec.conf is owned by root:root and is not writable by other than root, this is default as far as I can tell and I don't want to muck with it unless I have to. Any help would be...helpful :-) -Thanks What's the problem? You haven't identified it at all.
Re: [ossec-list] Agent configuration management via central server
On Wednesday, November 28, 2012 8:45:04 AM UTC-8, Kat wrote: If I am reading your problem - you are saying ossec.conf on the AGENT is not being overwritten -- if this is correct - then yes, it is not - it won't. Only agent.conf gets pushed to the agents. ossec.conf is set manually on agents, so if you expect it to get changes - you need to use puppet or some other method. cheers K Kat, Ahh, thanks for the answer, after I read Dan's comment I was pretty sure it would take a 3rd party mechanism to get agent.conf into ossec.conf. -Thanks all :-) On Wednesday, November 28, 2012 5:25:31 AM UTC-8, dan (ddpbsd) wrote: On Tue, Nov 27, 2012 at 7:29 PM, funwithossec ho...@donobi.net wrote: All, Apologies if this has been covered, but I sure couldn't find it :-) In my lab I have a central ossec 2.6 server on Ubuntu and one client on Centos, set them up with active response and followed procedure here: http://www.ossec.net/doc/manual/agent/agent-configuration.html agent.conf is written to the client upon restart of server and client ossec.conf is not overwritten This feels like a permissions error, agent.conf is owned by ossec:ossec and ossec.conf is owned by root:root and is not writable by other than root, this is default as far as I can tell and I don't want to muck with it unless I have to. Any help would be...helpful :-) -Thanks What's the problem? You haven't identified it at all.
Re: [ossec-list] Agent configuration management via central server
FYI - agent.conf extends the settings in ossec.conf. You should have a minimal set of instructions in ossec.conf, usually the server and those that will not function in agent.conf, i.e. full_command, etc. Scott On Nov 28, 2012, at 9:45 AM, funwithossec h...@donobi.net wrote: On Wednesday, November 28, 2012 8:45:04 AM UTC-8, Kat wrote: If I am reading your problem - you are saying ossec.conf on the AGENT is not being overwritten -- if this is correct - then yes, it is not - it won't. Only agent.conf gets pushed to the agents. ossec.conf is set manually on agents, so if you expect it to get changes - you need to use puppet or some other method. cheers K Kat, Ahh, thanks for the answer, after I read Dan's comment I was pretty sure it would take a 3rd party mechanism to get agent.conf into ossec.conf. -Thanks all :-) On Wednesday, November 28, 2012 5:25:31 AM UTC-8, dan (ddpbsd) wrote: On Tue, Nov 27, 2012 at 7:29 PM, funwithossec ho...@donobi.net wrote: All, Apologies if this has been covered, but I sure couldn't find it :-) In my lab I have a central ossec 2.6 server on Ubuntu and one client on Centos, set them up with active response and followed procedure here: http://www.ossec.net/doc/manual/agent/agent-configuration.html agent.conf is written to the client upon restart of server and client ossec.conf is not overwritten This feels like a permissions error, agent.conf is owned by ossec:ossec and ossec.conf is owned by root:root and is not writable by other than root, this is default as far as I can tell and I don't want to muck with it unless I have to. Any help would be...helpful :-) -Thanks What's the problem? You haven't identified it at all.