Created
November 23, 2011 01:52
-
-
Save cjs226span/1387701 to your computer and use it in GitHub Desktop.
Problem starting OSSEC agent using Chef ossec cookbook
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 2011/11/23 01:49:22 ossec-execd: INFO: Started (pid: 21856). | |
| 2011/11/23 01:49:22 ossec-agentd(1410): INFO: Reading authentication keys file. | |
| 2011/11/23 01:49:22 ossec-agentd(1750): ERROR: No remote connection configured. Exiting. | |
| 2011/11/23 01:49:25 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'. | |
| 2011/11/23 01:49:25 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'. | |
| 2011/11/23 01:49:31 ossec-logcollector(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'. | |
| 2011/11/23 01:49:31 ossec-logcollector(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up.. | |
| 2011/11/23 01:49:33 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'. | |
| 2011/11/23 01:49:33 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'. | |
| 2011/11/23 01:49:46 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'. | |
| 2011/11/23 01:49:46 ossec-rootcheck(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up.. | |
| Contents of /var/ossec/etc/ossec.conf: | |
| <ossec_config> | |
| <global> | |
| <email_notification>yes</email_notification> | |
| <email_to>clif@example.com</email_to> | |
| <smtp_server>localhost</smtp_server> | |
| <email_from>ossecm@i-3f85c55c</email_from> | |
| </global> | |
| <client> | |
| <server-ip>10.0.0.11</server-ip> | |
| </client> | |
| <remote> | |
| <connection>secure</connection> | |
| </remote> | |
| <rules> | |
| <include>rules_config.xml</include> | |
| <include>pam_rules.xml</include> | |
| <include>sshd_rules.xml</include> | |
| <include>telnetd_rules.xml</include> | |
| <include>syslog_rules.xml</include> | |
| <include>arpwatch_rules.xml</include> | |
| <include>symantec-av_rules.xml</include> | |
| <include>symantec-ws_rules.xml</include> | |
| <include>pix_rules.xml</include> | |
| <include>named_rules.xml</include> | |
| <include>smbd_rules.xml</include> | |
| <include>vsftpd_rules.xml</include> | |
| <include>pure-ftpd_rules.xml</include> | |
| <include>proftpd_rules.xml</include> | |
| <include>ms_ftpd_rules.xml</include> | |
| <include>ftpd_rules.xml</include> | |
| <include>hordeimp_rules.xml</include> | |
| <include>roundcube_rules.xml</include> | |
| <include>wordpress_rules.xml</include> | |
| <include>cimserver_rules.xml</include> | |
| <include>vpopmail_rules.xml</include> | |
| <include>vmpop3d_rules.xml</include> | |
| <include>courier_rules.xml</include> | |
| <include>web_rules.xml</include> | |
| <include>apache_rules.xml</include> | |
| <include>nginx_rules.xml</include> | |
| <include>php_rules.xml</include> | |
| <include>mysql_rules.xml</include> | |
| <include>postgresql_rules.xml</include> | |
| <include>ids_rules.xml</include> | |
| <include>squid_rules.xml</include> | |
| <include>firewall_rules.xml</include> | |
| <include>cisco-ios_rules.xml</include> | |
| <include>netscreenfw_rules.xml</include> | |
| <include>sonicwall_rules.xml</include> | |
| <include>postfix_rules.xml</include> | |
| <include>sendmail_rules.xml</include> | |
| <include>imapd_rules.xml</include> | |
| <include>mailscanner_rules.xml</include> | |
| <include>dovecot_rules.xml</include> | |
| <include>ms-exchange_rules.xml</include> | |
| <include>racoon_rules.xml</include> | |
| <include>vpn_concentrator_rules.xml</include> | |
| <include>spamd_rules.xml</include> | |
| <include>msauth_rules.xml</include> | |
| <include>mcafee_av_rules.xml</include> | |
| <include>trend-osce_rules.xml</include> | |
| <include>ms-se_rules.xml</include> | |
| <!-- <include>policy_rules.xml</include> --> | |
| <include>zeus_rules.xml</include> | |
| <include>solaris_bsm_rules.xml</include> | |
| <include>vmware_rules.xml</include> | |
| <include>ms_dhcp_rules.xml</include> | |
| <include>asterisk_rules.xml</include> | |
| <include>ossec_rules.xml</include> | |
| <include>attack_rules.xml</include> | |
| <include>local_rules.xml</include> | |
| </rules> | |
| <syscheck> | |
| <!-- Frequency that syscheck is executed - default to every 22 hours --> | |
| <frequency>79200</frequency> | |
| <!-- Directories to check (perform all possible verifications) --> | |
| <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories> | |
| <directories check_all="yes">/bin,/sbin</directories> | |
| <!-- Files/directories to ignore --> | |
| <ignore>/etc/mtab</ignore> | |
| <ignore>/etc/mnttab</ignore> | |
| <ignore>/etc/hosts.deny</ignore> | |
| <ignore>/etc/mail/statistics</ignore> | |
| <ignore>/etc/random-seed</ignore> | |
| <ignore>/etc/adjtime</ignore> | |
| <ignore>/etc/httpd/logs</ignore> | |
| <ignore>/etc/utmpx</ignore> | |
| <ignore>/etc/wtmpx</ignore> | |
| <ignore>/etc/cups/certs</ignore> | |
| <ignore>/etc/dumpdates</ignore> | |
| <ignore>/etc/svc/volatile</ignore> | |
| <!-- Windows files to ignore --> | |
| <ignore>C:\WINDOWS/System32/LogFiles</ignore> | |
| <ignore>C:\WINDOWS/Debug</ignore> | |
| <ignore>C:\WINDOWS/WindowsUpdate.log</ignore> | |
| <ignore>C:\WINDOWS/iis6.log</ignore> | |
| <ignore>C:\WINDOWS/system32/wbem/Logs</ignore> | |
| <ignore>C:\WINDOWS/system32/wbem/Repository</ignore> | |
| <ignore>C:\WINDOWS/Prefetch</ignore> | |
| <ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore> | |
| <ignore>C:\WINDOWS/SoftwareDistribution</ignore> | |
| <ignore>C:\WINDOWS/Temp</ignore> | |
| <ignore>C:\WINDOWS/system32/config</ignore> | |
| <ignore>C:\WINDOWS/system32/spool</ignore> | |
| <ignore>C:\WINDOWS/system32/CatRoot</ignore> | |
| </syscheck> | |
| <rootcheck> | |
| <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files> | |
| <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans> | |
| <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit> | |
| <system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit> | |
| <system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt</system_audit> | |
| <system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit> | |
| </rootcheck> | |
| <alerts> | |
| <log_alert_level>1</log_alert_level> | |
| <email_alert_level>7</email_alert_level> | |
| </alerts> | |
| <command> | |
| <name>host-deny</name> | |
| <executable>host-deny.sh</executable> | |
| <expect>srcip</expect> | |
| <timeout_allowed>yes</timeout_allowed> | |
| </command> | |
| <command> | |
| <name>firewall-drop</name> | |
| <executable>firewall-drop.sh</executable> | |
| <expect>srcip</expect> | |
| <timeout_allowed>yes</timeout_allowed> | |
| </command> | |
| <command> | |
| <name>disable-account</name> | |
| <executable>disable-account.sh</executable> | |
| <expect>user</expect> | |
| <timeout_allowed>yes</timeout_allowed> | |
| </command> | |
| <command> | |
| <name>restart-ossec</name> | |
| <executable>restart-ossec.sh</executable> | |
| <expect></expect> | |
| </command> | |
| <command> | |
| <name>route-null</name> | |
| <executable>route-null.sh</executable> | |
| <expect>srcip</expect> | |
| <timeout_allowed>yes</timeout_allowed> | |
| </command> | |
| <!-- Files to monitor (localfiles) --> | |
| <localfile> | |
| <log_format>syslog</log_format> | |
| <location>/var/log/messages</location> | |
| </localfile> | |
| <localfile> | |
| <log_format>syslog</log_format> | |
| <location>/var/log/auth.log</location> | |
| </localfile> | |
| <localfile> | |
| <log_format>syslog</log_format> | |
| <location>/var/log/syslog</location> | |
| </localfile> | |
| <localfile> | |
| <log_format>syslog</log_format> | |
| <location>/var/log/mail.info</location> | |
| </localfile> | |
| </ossec_config> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I verified the client can communicate with the server as the server has a copy of the agent's key in /var/ossec/etc/client.keys