which agent reported the event?

Customer support forums for Atomic OSSEC. There is no such thing as a bad question here. New customers feel free to get help getting started or asking questions that may be obvious. Regular users are asked to be gentle. :-)
dkoleary
New Forum User
Posts: 2
Joined: Wed Jun 12, 2019 2:33 pm
Location: Chicago IL, USA

which agent reported the event?

Post by dkoleary »

Hey;

New atomicorp customer - at least will be once the PO's cut - and am working on a freshly installed POC implementation with 6 clients atm.

Within the ASL security events browser, how do I identify the agent that's reporting an event? Example: I see this event in the alert log:
** Alert 1560366039.18365655: - ossec,rootcheck,
2019 Jun 12 15:00:39 walvdevmpwl2854
Rule: 510 (level 6) -> 'Host-based anomaly detection event (rootcheck).'
File '/etc/init/swiagent.update.override' is owned by root and has written permissions to anyone.
title: File is owned by root and has written permissions to anyone.
file: /etc/init/swiagent.update.override
From that, I can easily tell the source agent is walvdevmpwl2854. When looking at the security events browser and the details for event 1560366039.18365655 - nothing says 'walvdevmpwl2854'.

Did I miss a configuration somewhere?

Thanks

Doug O'Leary
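As an added example (not from the post or from Atomicorp), a small parser for the alerts.log block format quoted above that pulls the reporting agent out of each alert. The first sample is the rootcheck alert from the post; the second uses OSSEC's remote-agent origin form, "(agent_name) ip->location", which the post does not show and is assumed here.

```python
import re

# Constructed sample (not from a real system): the alert quoted in the post plus one in remote-agent form.
SAMPLE_ALERTS = """\
** Alert 1560366039.18365655: - ossec,rootcheck,
2019 Jun 12 15:00:39 walvdevmpwl2854
Rule: 510 (level 6) -> 'Host-based anomaly detection event (rootcheck).'
File '/etc/init/swiagent.update.override' is owned by root and has written permissions to anyone.

** Alert 1560366100.18365700: mail  - syslog,sshd,authentication_failed,
2019 Jun 12 15:01:40 (webagent01) 10.0.0.5->/var/log/secure
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Jun 12 15:01:39 webagent01 sshd[2211]: Failed password for invalid user test from 203.0.113.9 port 4022 ssh2
"""

HEADER_RE = re.compile(r"^\*\* Alert (?P<id>\d+\.\d+):.*?- (?P<groups>.*)$")
# Origin line: "<date> <host>[-><location>]" when the manager host itself reported it,
# or "<date> (<agent>) <ip>-><location>" when a remote agent did.
ORIGIN_RE = re.compile(
    r"^(?P<date>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) "
    r"(?:\((?P<agent>[^)]+)\) (?P<ip>[^\s-]+)|(?P<host>[^\s(]+?))(?:->(?P<location>.*))?$"
)
RULE_RE = re.compile(r"^Rule: (?P<rule>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")


def parse_alerts(text):
    """Split an alerts.log dump into one dict per '** Alert' block."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        m = [p.match(line) for p, line in zip((HEADER_RE, ORIGIN_RE, RULE_RE), lines)]
        if len(m) < 3 or not all(m):
            continue  # skip a malformed block instead of aborting the whole run
        h, o, r = m
        alerts.append({
            "id": h["id"], "timestamp": o["date"],
            "groups": [g for g in h["groups"].split(",") if g],
            "agent": o["agent"] or o["host"],  # the reporting agent, what the GUI hides
            "agent_ip": o["ip"], "location": o["location"],
            "rule": int(r["rule"]), "level": int(r["level"]), "description": r["desc"],
            "message": "\n".join(lines[3:]),
        })
    return alerts


def alerts_by_agent(text):
    out = {}
    for a in parse_alerts(text):
        out.setdefault(a["agent"], []).append(a["id"])
    return out
```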
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: which agent reported the event?

Post by mikeshinn »

Doug, I see what's happening. It is a setting, but a bug is causing it to be hidden in the current GUI. We're pushing an update out into QA to enable this column, and it'll be in the testing channel Monday. As soon as it's available I'll post that it's out. You'll be able to install the update from "testing" by switching the repo, and I'll post the instructions to use that repo.

Once it goes from testing to the stable repo, the hub will upgrade automatically.
dkoleary
New Forum User
Posts: 2
Joined: Wed Jun 12, 2019 2:33 pm
Location: Chicago IL, USA

Re: which agent reported the event?

Post by dkoleary »

Excellent, sir! Thank you very much.

Doug
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: which agent reported the event?

Post by mikeshinn »

Just a follow-up: the QA build will be released tomorrow into testing.
jgodwin
Atomicorp Staff - Site Admin
Posts: 39
Joined: Mon Sep 14, 2009 12:15 pm

Re: which agent reported the event?

Post by jgodwin »

The QA build may be installed with the following command:


yum -y --enablerepo=asl-4.0-testing upgrade asl
This update will be in the normal release channel on Monday.