
[Ossec-list] RE : RE : RE : RE : Installing a pre-compiled agent on another machine



Coooool, agents are working now! Ahmet, I had not forgotten authentication
keys on agents, but I was preferring to test running agents before going
further. I did not think that agents would not start without auth keys!

So, thanks!

But now, I have another problem, with the server. I don't want active responses
(too dangerous on production servers), and "install.sh" puts the following in the
config file:

	<active-response>
  		<disabled>yes</disabled>
	</active-response>

But when I start:

2006/03/24 16:13:03 ossec-analysisd(1229): Invalid element 'disabled' on the
'active-response' config.
2006/03/24 16:13:03 ossec-analysisd(1202): Configuration problem. Exiting.

As the server is a prod machine, I don't want to do tests... What is the exact
syntax?

==> Note to Daniel B. Cid: don't forget to correct this (very) little bug in the
next release!

As usual, thanks very much for your help.

Fred


-----Original Message-----
From: ahmet ozturk [mailto:oahmet at metu.edu.tr] 
Sent: Friday, March 24, 2006 2:54 PM
To: Fred
Cc: ossec-list at ossec.net
Subject: Re: RE : [Ossec-list] RE : RE : Installing a pre-compiled agent on
another machine


Hi Fred,

Your ossec.log file says that there is no "client.keys" file.
(2006/03/24 12:56:27 shared(1402): Authentication key file 
'/etc/client.keys' not found.)

The server and agent communicate with each other in an
encrypted way, so there should be a shared key on
both server and agent.
You may generate the key for a client on the server
and add it onto the client by using the manage_agents utility.

Please follow the steps described at:
http://www.ossec.net/en/manual.html#manageagents

Regards,

~ahmet.


On Fri, Mar 24, 2006 at 02:25:54PM +0100, Fred wrote:
> Here they are !
> 
> Thanks very much.
> 
> Fred
> 
> PS: Note that in ossec.conf, I put some "XXX" to hide some critical
> informations.
> 
> 
> -----Original Message-----
> From: ahmet ozturk [mailto:oahmet at metu.edu.tr] 
> Sent: Friday, March 24, 2006 1:41 PM
> To: Fred
> Cc: ossec-list at ossec.net
> Subject: Re: [Ossec-list] RE : RE : Installing a pre-compiled agent on
> another machine
> 
> 
> Hi Fred,
> 
> Considering your previous e-mail, you should add an "ossec" user
> on agent systems, so please be sure about that.
> In addition to that, "ossec-agentd", "ossec-logcollector" and
> "ossec-execd" should be running.
> 
> File permissions on one of my systems look like:
> queen:/var/ossec # ls -al
> total 72
> dr-xr-x---   9 root     ossec           512 Feb 18 14:55 .
> drwxr-xr-x  25 root     system          512 Feb 18 14:55 ..
> dr-xr-x---   3 root     ossec           512 Feb 18 14:55 active-response
> dr-xr-x---   2 root     ossec           512 Feb 18 14:55 bin
> dr-xr-x---   2 root     ossec           512 Feb 21 09:11 checksum_db
> dr-xr-x---   3 root     ossec           512 Feb 18 14:57 etc
> drwxr-x---   2 ossec    ossec           512 Feb 18 14:55 logs
> dr-xr-x---   4 root     ossec           512 Feb 18 14:55 queue
> dr-xr-x---   3 root     ossec           512 Feb 18 14:55 var
> 
> 
> Can you send us ossec.conf and ossec.log files of the agent
> and server? 
> 
> Regards,
> 
> ~ahmet.
> 
> On Fri, Mar 24, 2006 at 01:17:19PM +0100, Fred wrote:
> > I exported the following on the new machine:
> > 
> > 	/var/ossec
> > 	/etc/rc.d/init.d/ossec
> > 
> > .....and tried to run Ossec, but I have a problem:
> > 
> > 	#./bin/ossec-control status
> > 	ossec-execd is running...
> > 	ossec-agentd not running...
> > 	ossec-logcollector not running...
> > 	ossec-syscheckd not running...
> > 
> > In /var/ossec/logs, there are several messages like this:
> > 
> > 	ossec-syscheckd(1210): Queue '/var/ossec/queue/ossec/queue' not
> > accessible.
> > 
> > If somebody could help me, please.
> > 
> > Thanks
> > 
> > Fred
> > 
> > 
> > -----Original Message-----
> > From: ossec-list-bounces at ossec.net [mailto:ossec-list-bounces at ossec.net] On Behalf Of Fred
> > Sent: Friday, March 24, 2006 12:24 PM
> > To: ossec-list at ossec.net
> > Subject: [Ossec-list] RE : Installing a pre-compiled agent on another machine
> > 
> > 
> > Thanks for the answer.
> > 
> > Another question: should/must I create a user and a group "ossec" on servers?
> > If yes, how should I use them (to be secure):
> > 
> > 	- give root user rights to /var/ossec (default)
> > 	- give ossec group rights to /var/ossec (default)
> > 	- other...?
> > 
> > Thanks.
> > 
> > Fred
> > 
> > PS: I'll write a small "how to export pre-compiled agent"
> > 
> > 
> > -----Original Message-----
> > From: ahmet ozturk [mailto:oahmet at metu.edu.tr] 
> > Sent: Thursday, March 23, 2006 4:17 PM
> > To: Fred
> > Cc: ossec-list at ossec.net
> > Subject: Re: [Ossec-list] Installing a pre-compiled agent on another machine
> > 
> > 
> > Hi Fred,
> > 
> > The ossec client installation installs the following binaries:
> > 
> > - manage_agents
> > - ossec-control
> > - ossec-logcollector
> > - ossec-agentd
> > - ossec-execd
> > - ossec-syscheckd
> > 
> > I think the easiest way to do what you want would be to make a prototype
> > installation on a client and copy the entire /var/ossec directory
> > onto the other client machines.
> > 
> > then you should add the new client on server, extract its key and
> > import it in the client.
> > (please see: http://www.ossec.net/en/manual.html#manageagents)
> > 
> > also don't forget to customize the /var/ossec/etc/ossec.conf file
> > for localfiles, active responses, etc.
> > 
> > Regards,
> > 
> > ~ahmet.
> > 
> > 
> > 
> > 
> > _______________________________________________
> > ossec-list mailing list
> > ossec-list at ossec.net
> > http://mailman.underlinux.com.br/mailman/listinfo/ossec-list
> > 

> 2006/03/24 12:56:26 ossec-execd(1225): SIGNAL Received. Exit Cleaning...
> 2006/03/24 12:56:27 ossec-execd: Started (pid: 1802).
> 2006/03/24 12:56:27 shared(1402): Authentication key file '/etc/client.keys' not found.
> 2006/03/24 12:56:33 ossec-syscheckd(1210): Queue '/var/ossec/queue/ossec/queue' not accessible.
> 2006/03/24 12:56:33 ossec-syscheckd(1210): Queue '/var/ossec/queue/ossec/queue' not accessible.
> 2006/03/24 12:56:36 ossec-logcollector(1210): Queue '/var/ossec/queue/ossec/queue' not accessible.
> 2006/03/24 12:56:36 ossec-logcollector(1211): Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
> 2006/03/24 12:56:41 ossec-syscheckd(1210): Queue '/var/ossec/queue/ossec/queue' not accessible.
> 2006/03/24 12:56:41 ossec-syscheckd(1210): Queue '/var/ossec/queue/ossec/queue' not accessible.
> 2006/03/24 12:56:54 ossec-syscheckd(1210): Queue '/var/ossec/queue/ossec/queue' not accessible.
> 2006/03/24 12:56:54 ossec-syscheckd(1211): Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
> 2006/03/24 13:11:47 ossec-execd(1225): SIGNAL Received. Exit Cleaning...
> 2006/03/24 13:11:55 ossec-execd: Started (pid: 1937).
> 2006/03/24 13:11:55 shared(1402): Authentication key file '/etc/client.keys' not found.
> 2006/03/24 13:12:01 ossec-syscheckd(1210): Queue '/var/ossec/queue/ossec/queue' not accessible.
> 2006/03/24 13:12:01 ossec-syscheckd(1210): Queue '/var/ossec/queue/ossec/queue' not accessible.
> 2006/03/24 13:12:04 ossec-logcollector(1210): Queue '/var/ossec/queue/ossec/queue' not accessible.
> 2006/03/24 13:12:04 ossec-logcollector(1211): Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
> 2006/03/24 13:12:09 ossec-syscheckd(1210): Queue '/var/ossec/queue/ossec/queue' not accessible.
> 2006/03/24 13:12:09 ossec-syscheckd(1210): Queue '/var/ossec/queue/ossec/queue' not accessible.
> 2006/03/24 13:12:22 ossec-syscheckd(1210): Queue '/var/ossec/queue/ossec/queue' not accessible.
> 2006/03/24 13:12:22 ossec-syscheckd(1211): Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..

> <client>
>   <server-ip>10.XXX.XXX.XXX</server-ip>
> </client>
> 
> <syscheck>
>   <daemon>yes</daemon>
>   <directories>/bin,/boot,/dev,/etc,/initrd,/lib,/media,/misc,/mnt,/opt,/root,/sbin,/selinux,/srv,/sys,/usr,/var,/ossec/bin,/var/ossec/etc,/var/www,/var/lib,/var/local,/home/tomcat/jakarta-tomcat-5.0.28,/home/apache/MajCRL/bin,/home/apache/MajCRL/conf</directories>
>   <notify>queue</notify>
>   <ignore>/etc/mtab</ignore>
>   <ignore>/var/infos-XXX/images</ignore>
>   <ignore>/var/infos-XXX/pages</ignore>
>   <ignore>/var/infos-XXX/pdf</ignore>
>   <ignore>/var/infos-XXX/images</ignore>
>   <ignore>/var/infos-XXX/pages</ignore>
>   <ignore>/var/infos-XXX/pdf</ignore>
>   <ignore>/var/infos-XXX/images</ignore>
>   <ignore>/var/infos-XXX/pages</ignore>
>   <ignore>/var/infos-XXX/pdf</ignore>
>   <ignore>/var/infos-XXX/images</ignore>
>   <ignore>/var/infos-XXX/pages</ignore>
>   <ignore>/var/infos-XXX/pdf</ignore>
>   <ignore>/home/tomcat/jakarta-tomcat-5.0.28/logs</ignore>
>   <ignore>/home/tomcat/jakarta-tomcat-5.0.28/work</ignore>
>   <ignore>/home/tomcat/jakarta-tomcat-5.0.28/temp</ignore>
> </syscheck>
> 
> <rootcheck>
>   <notify>queue</notify>
>   <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
>   <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
> </rootcheck>
> 
> <localfile>
>   <log_format>syslog</log_format>
>   <location>/var/log/messages</location>
> </localfile>
> 
> <localfile>
>   <log_format>syslog</log_format>
>   <location>/var/log/secure</location>
> </localfile>
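The thread's failure chain (no client.keys, so ossec-agentd exits, so ossec-logcollector and ossec-syscheckd cannot reach the queue socket) and Ahmet's directory listing suggest a preflight audit for any /var/ossec tree copied from a prototype host. The following is an added example written for this page, not code from OSSEC or from any poster. The directory modes come from the ls -al listing above and the message ids from Fred's ossec.log; the client.keys line layout (id, name, ip, hex key), the mapping of message ids to causes, and the claim that agentd is what creates queue/ossec/queue are assumptions consistent with the logs in the thread, not taken from OSSEC's own documentation. The sample tree and log lines in the block are constructed.

```python
"""Preflight audit for an OSSEC agent tree copied from another machine.
Added example for this page, not OSSEC code. Checks directory modes, the
presence/format/permissions of etc/client.keys, and triages ossec.log lines."""
import os
import re
import shutil
import stat
import tempfile

# Modes taken from the ls -al listing in the thread: everything 550, logs/ 750.
EXPECTED_DIR_MODES = {
    ".": 0o550, "active-response": 0o550, "bin": 0o550, "checksum_db": 0o550,
    "etc": 0o550, "logs": 0o750, "queue": 0o550, "var": 0o550,
}
# Assumed client.keys line layout: "<id> <name> <ip or any> <hex key>".
KEY_LINE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+([0-9a-fA-F]{32,})\s*$")
# ossec.log line: "YYYY/MM/DD HH:MM:SS <daemon>(<id>): <text>"; the id is optional.
LOG_LINE = re.compile(r"^\S+ \S+ (?P<daemon>[\w-]+)(?:\((?P<id>\d+)\))?: (?P<text>.*)$")
# Message ids seen in the thread, mapped to what they mean on a cloned agent (assumed).
CAUSES = {
    "1402": "client.keys missing: add the agent on the server with manage_agents and import its key here",
    "1210": "queue socket unreachable: ossec-agentd is not running, so nothing created queue/ossec/queue",
    "1211": "daemon gave up on the queue: fix the 1210 cause and restart the agent",
}


def check_dirs(root):
    """Compare the mode bits of the standard directories with the expected layout."""
    findings = []
    for name, want in EXPECTED_DIR_MODES.items():
        path = os.path.join(root, name)
        if not os.path.isdir(path):
            findings.append(f"{name}: missing")
            continue
        have = stat.S_IMODE(os.stat(path).st_mode)
        if have != want:
            findings.append(f"{name}: mode {have:o}, expected {want:o}")
        if have & stat.S_IWOTH:  # anyone could plant binaries or config here
            findings.append(f"{name}: world-writable")
    return findings


def check_client_keys(root):
    """The agent will not start without a key; also flag exposed or malformed key files."""
    path = os.path.join(root, "etc", "client.keys")
    if not os.path.isfile(path):
        return ["etc/client.keys: missing (agentd logs shared(1402) and exits)"]
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IROTH | stat.S_IWOTH):
        findings.append(f"etc/client.keys: mode {mode:o} is world-accessible; the shared key is a secret")
    with open(path) as fh:
        for n, line in enumerate(fh, 1):
            if line.strip() and not KEY_LINE.match(line):
                findings.append(f"etc/client.keys:{n}: malformed entry")
    return findings


def triage_log(lines):
    """Return {message_id: (cause, [daemons that logged it])} for ids we recognise."""
    hits = {}
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if m and m["id"] in CAUSES:
            hits.setdefault(m["id"], set()).add(m["daemon"])
    return {mid: (CAUSES[mid], sorted(daemons)) for mid, daemons in hits.items()}


def audit(root, log_lines):
    return {"dirs": check_dirs(root), "keys": check_client_keys(root), "log": triage_log(log_lines)}


# Constructed sample log, modelled on the lines Fred posted.
SAMPLE_LOG = [
    "2006/03/24 12:56:27 ossec-execd: Started (pid: 1802).",
    "2006/03/24 12:56:27 shared(1402): Authentication key file '/etc/client.keys' not found.",
    "2006/03/24 12:56:33 ossec-syscheckd(1210): Queue '/var/ossec/queue/ossec/queue' not accessible.",
    "2006/03/24 12:56:36 ossec-logcollector(1211): Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..",
]


def demo():
    """Build a constructed throwaway tree (etc/ left group-writable, one broken key
    entry, key file world-readable), audit it, clean up, and return the findings."""
    root = tempfile.mkdtemp()
    try:
        for name in EXPECTED_DIR_MODES:
            if name != ".":
                os.makedirs(os.path.join(root, name), exist_ok=True)
        with open(os.path.join(root, "etc", "client.keys"), "w") as fh:
            fh.write("001 webserver 10.0.0.5 " + "ab" * 32 + "\n")
            fh.write("002 broken-entry-without-key\n")
        for name, mode in EXPECTED_DIR_MODES.items():
            os.chmod(os.path.join(root, name), 0o570 if name == "etc" else mode)
        os.chmod(os.path.join(root, "etc", "client.keys"), 0o444)
        return audit(root, SAMPLE_LOG)
    finally:
        for dirpath, _, _ in os.walk(root):  # make the tree deletable again
            os.chmod(dirpath, 0o700)
        shutil.rmtree(root)


if __name__ == "__main__":
    for section, result in demo().items():
        print(section, result)
```

On a real clone, call `audit("/var/ossec", open("/var/ossec/logs/ossec.log"))` as root and read the three lists; a "1402" hit alongside "1210"/"1211" hits is the exact pattern from this thread and means the key import, not the queue permissions, is what to fix first.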






OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.