This has proved an annoyance for the past several days, and I have yet to figure out the root cause.
In a lab, I've set up two virtual machines, an OSSEC Server Appliance and a Windows 7 x64 Enterprise SP1 client.
Both seem to work quite well when they do their own things. If I have an extensive configuration file on the Windows client, the agent reads it and does what is required.
The issue comes about when I attempt to centralize the configuration to the "manager" or OSSEC Server Appliance.
[root@ossec etc]# md5sum /var/ossec/etc/shared/agent.conf
9cc4c937f4eae011ecbccf4468973133 /var/ossec/etc/shared/agent.conf
[root@ossec etc]# /var/ossec/bin/agent_control -i 004
OSSEC HIDS agent_control. Agent information:
Agent ID: 004
Agent Name: ABC
IP address: 192.168.0.93
Status: Active
Operating system: Microsoft Windows 7 Enterprise Edition Professional ..
Client version: OSSEC HIDS v2.9.0 / cd66e10fca4cc1dc4c459a1f05f9b2d1
Last keep alive: Sat Oct 7 22:52:09 2017
Syscheck last started at: Sat Oct 7 21:35:12 2017
Rootcheck last started at: Sat Oct 7 22:27:19 2017
[root@ossec etc]#
To no surprise, the configurations are not at the same version.
What should be an easy fix of restarting both the appliance and Windows agent (and waiting a few minutes) turns out not to be the case.
From reading the documentation, I have come to the understanding that the agent will attempt to merge the centralized configuration:
<agent_config name="ABC">
  <localfile>
    <location>/var/log/my.log2</location>
    <log_format>syslog2</log_format>
  </localfile>
</agent_config>

<agent_config os="Linux">
  <localfile>
    <location>/var/log/my.log2</location>
    <log_format>syslog</log_format>
  </localfile>
</agent_config>

<agent_config os="Windows">
  <!-- This is a test config -->
  <!-- One entry for each file/Event log to monitor. -->
  <localfile>
    <location>Application</location>
    <log_format>eventlog</log_format>
  </localfile>
  <!-- Additional contents are in here. -->
  <active-response>
    <disabled>no</disabled>
  </active-response>
</agent_config>
With the one it has locally. Here is the agent's configuration (ossec.conf):
<ossec_config>
  <active-response>
    <disabled>no</disabled>
  </active-response>
  <client>
    <server-ip>192.168.0.21</server-ip>
    <notify_time>120</notify_time>
    <time-reconnect>240</time-reconnect>
  </client>
</ossec_config>
and the agent.conf file in the shared folder on the agent:
<agent_config>
  <localfile>
    <location>/var/log/my.log</location>
    <log_format>syslog</log_format>
  </localfile>
</agent_config>
I can see from the log that the merging is not taking place; it's running the local copy:
2017/10/08 00:06:52 ossec-agentd: INFO: Trying to connect to server 192.168.0.21, port 1514.
2017/10/08 00:06:52 INFO: Connected to 192.168.0.21 at address 192.168.0.21:1514, port 1514
2017/10/08 00:06:52 ossec-agent: Starting syscheckd thread.
2017/10/08 00:06:52 ossec-syscheckd(1702): INFO: No directory provided for syscheck to monitor.
2017/10/08 00:06:52 ossec-syscheckd: WARN: Syscheck disabled.
2017/10/08 00:06:52 ossec-rootcheck: INFO: Started (pid: 2512).
2017/10/08 00:06:52 ossec-syscheckd: INFO: Started (pid: 2512).
2017/10/08 00:06:53 ossec-agentd(4102): INFO: Connected to server 192.168.0.21, port 1514.
2017/10/08 00:06:53 ossec-agent: INFO: System is Vista or newer (Microsoft Windows 7 Enterprise Edition Professional Service Pack 1 (Build 7601) - OSSEC HIDS v2.9.0).
2017/10/08 00:06:53 ossec-logcollector(1103): ERROR: Could not open file '/var/log/my.log' due to [(9)-(Bad file descriptor)].
2017/10/08 00:06:53 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/my.log'.
In the end it doesn't seem to be a case of the agent/manager being unable to:
- Connect to each other.
- Parse the configuration files.
- Send data back and forth (triggered rules).
- Verify which version of the configuration file it's using.
- Merge configurations (I see a merged.mg file periodically of 0KB on the agent).
Did I fail to set an option on the appliance/manager, or is the problem elsewhere?
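As an added diagnostic helper (not from the post above and not part of OSSEC), this extracts the configuration checksum that `agent_control -i` prints after the slash on the "Client version" line and compares it with a checksum computed on the manager, so the "not at the same version" check can be scripted instead of eyeballed. The agent_control output is a constructed sample shaped like the one in the post; which manager-side file to checksum (the shared agent.conf, or the merged.mg the post mentions) is left to the caller.

```shell
#!/bin/sh
# Constructed sample of agent_control output, shaped like the post's listing.
# On a real manager, substitute: "$(/var/ossec/bin/agent_control -i 004)".
SAMPLE_AGENT_INFO='OSSEC HIDS agent_control. Agent information:
   Agent ID: 004
   Agent Name: ABC
   IP address: 192.168.0.93
   Status: Active
   Client version: OSSEC HIDS v2.9.0 / cd66e10fca4cc1dc4c459a1f05f9b2d1
   Last keep alive: Sat Oct 7 22:52:09 2017'

# Print only the 32-hex-char checksum from the "Client version" line.
# Prints nothing if the line is missing or malformed.
agent_config_hash() {
    printf '%s\n' "$1" \
        | sed -n 's/^.*Client version:.*\/ *\([0-9a-f]\{32\}\).*$/\1/p'
}

# Return 0 when the agent-reported checksum equals the manager-side checksum,
# 1 otherwise (including when no checksum could be parsed).
# $1 = agent_control output, $2 = md5 computed on the manager (e.g. md5sum
#      of the shared file, first field only).
config_in_sync() {
    reported=$(agent_config_hash "$1")
    [ -n "$reported" ] && [ "$reported" = "$2" ]
}

# Example run: compare the sample against the md5 of the shared agent.conf
# quoted in the post. They differ, so this reports the mismatch.
MANAGER_MD5=9cc4c937f4eae011ecbccf4468973133
if config_in_sync "$SAMPLE_AGENT_INFO" "$MANAGER_MD5"; then
    echo "agent 004: configuration in sync ($MANAGER_MD5)"
else
    echo "agent 004: configuration out of sync" \
         "(agent reports $(agent_config_hash "$SAMPLE_AGENT_INFO")," \
         "manager has $MANAGER_MD5)"
fi
```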