
List:       ossec-list
Subject:    [ossec-list] Re: How backup and restore OSSEC agent
From:       "McClinton, Rick" <rmcclinton () tmaresources ! com>
Date:       2009-01-14 20:15:05
Message-ID: D7B89A5C74DA8347812B01FB75583E740370382EA0 () tmar-ex1 ! mc ! tmaresources ! com

The procedure to upgrade OSSEC is to install over the present version; the scripts detect an upgrade and act appropriately. However, I have not seen a procedure to back up for disaster recovery. I am relying on my regular operating system tape backup.
Rick

From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On Behalf Of Macie Lee
Sent: Wednesday, January 14, 2009 2:09 PM
To: ossec-list@googlegroups.com
Subject: [ossec-list] How backup and restore OSSEC agent
Importance: Low

Hi All,

I am trying to come up with a procedure to back up and restore the OSSEC agent on Linux. Suppose the OSSEC agent is already running and connected to the OSSEC server, and there is a new OSSEC release that we would like to update to. These are the steps I followed, but I failed to bring up the new OSSEC agent after the update and the restore of the needed files. Please let me know what I have missed.

1. Back up the following files/directory before removing the older version of the OSSEC agent:
/opt/mcp/ossec/etc/ossec.conf
/opt/mcp/ossec/etc/client.keys
/opt/mcp/ossec/queue/rids     ---- the whole dir

2. Stop the ossec agent, then remove the ossec agent (I built the ossec agent into an rpm package, so it is installed with rpm install and removed with rpm -e).

3. Install the ossec agent again (rpm -ivh <the ossec agent rpm I built>).

4. Restore the files backed up in step 1.

5. Restart the ossec agent (ossec-control start).


These are the errors I got:

[root@zngdy183 bin]# ./ossec-control start
Starting OSSEC HIDS v1.6.1 (by Third Brigade, Inc.)...
Deleting PID file '/opt/mcp/ossec/var/run/ossec-logcollector*.pid' not used...
2009/01/14 13:02:15 ossec-syscheckd(1702): INFO: No directory provided for syscheck to monitor.
Started ossec-execd...
Started ossec-agentd...
Started ossec-logcollector...
2009/01/14 13:02:15 ossec-syscheckd(1702): INFO: No directory provided for syscheck to monitor.
2009/01/14 13:02:15 ossec-syscheckd: WARN: Syscheck disabled.
2009/01/14 13:02:18 ossec-syscheckd(1210): ERROR: Queue '/opt/mcp/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2009/01/14 13:02:18 ossec-rootcheck(1210): ERROR: Queue '/opt/mcp/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2009/01/14 13:02:26 ossec-syscheckd(1210): ERROR: Queue '/opt/mcp/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2009/01/14 13:02:26 ossec-rootcheck(1210): ERROR: Queue '/opt/mcp/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2009/01/14 13:02:39 ossec-syscheckd(1210): ERROR: Queue '/opt/mcp/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2009/01/14 13:02:39 ossec-rootcheck(1211): ERROR: Unable to access queue: '/opt/mcp/ossec/queue/ossec/queue'. Giving up..

Then I removed /opt/mcp/ossec/queue/ossec/queue:

I got the following errors:

[root@zngdy183 bin]# rm -f /opt/mcp/ossec/queue/ossec/queue
[root@zngdy183 bin]# ./ossec-control start
Starting OSSEC HIDS v1.6.1 (by Third Brigade, Inc.)...
Deleting PID file '/opt/mcp/ossec/var/run/ossec-logcollector*.pid' not used...
2009/01/14 13:03:29 ossec-syscheckd(1702): INFO: No directory provided for syscheck to monitor.
Started ossec-execd...
Started ossec-agentd...
Started ossec-logcollector...
2009/01/14 13:03:29 ossec-syscheckd(1702): INFO: No directory provided for syscheck to monitor.
2009/01/14 13:03:29 ossec-syscheckd: WARN: Syscheck disabled.
2009/01/14 13:03:35 ossec-syscheckd(1210): ERROR: Queue '/opt/mcp/ossec/queue/ossec/queue' not accessible: 'Queue not found'.
2009/01/14 13:03:50 ossec-rootcheck(1210): ERROR: Queue '/opt/mcp/ossec/queue/ossec/queue' not accessible: 'No such file or directory'.
2009/01/14 13:04:01 ossec-syscheckd(1210): ERROR: Queue '/opt/mcp/ossec/queue/ossec/queue' not accessible: 'Queue not found'.
2009/01/14 13:04:16 ossec-rootcheck(1210): ERROR: Queue '/opt/mcp/ossec/queue/ossec/queue' not accessible: 'No such file or directory'.
2009/01/14 13:04:32 ossec-syscheckd(1210): ERROR: Queue '/opt/mcp/ossec/queue/ossec/queue' not accessible: 'Queue not found'.
2009/01/14 13:04:47 ossec-rootcheck(1211): ERROR: Unable to access queue: '/opt/mcp/ossec/queue/ossec/queue'. Giving up..


I have tried to back up /opt/mcp/ossec/queue/ossec/queue and then restore it; that did not help. Restarting the server and then trying to start the agent did not help either.

Any help would be greatly appreciated.

Thanks,
Macie
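The backup/restore sequence in the post above, written out as an added example; it is not code from the thread or from the OSSEC project. It assumes the install prefix /opt/mcp/ossec and the three items from step 1; the helper names (ossec_backup, ossec_restore, ossec_wait_queue), the .cksum sidecar file and the sample package names in the usage comment are this example's own. It adds two checks the steps leave out: the archive is verified before it is unpacked (client.keys is the agent's shared secret, so the archive is also created owner-only), and after start it waits for the queue socket the log lines complain about. That socket, queue/ossec/queue, is a Unix socket created by ossec-agentd when it starts: 'Connection refused' means the file is there but no process is bound to it, and 'Queue not found' / 'No such file or directory' means it was never created, so in both cases the thing to look at is whether ossec-agentd is actually running (ossec-control status, logs/ossec.log), not the socket file itself.

```shell
#!/bin/sh
# Added example: preserve an OSSEC agent's identity and state across a package
# reinstall, and confirm the agent is serving afterwards. Paths are assumptions
# taken from the thread (install prefix /opt/mcp/ossec).
set -eu

# Items to preserve, relative to the install prefix (the list from step 1):
#   etc/ossec.conf  - agent configuration
#   etc/client.keys - shared key with the manager (a secret: protect the archive)
#   queue/rids      - per-manager message counters used to reject replayed messages
BACKUP_ITEMS="etc/ossec.conf etc/client.keys queue/rids"

# ossec_backup PREFIX ARCHIVE
# Archives BACKUP_ITEMS from PREFIX into ARCHIVE (owner-only) and writes
# ARCHIVE.cksum so the archive can be verified before it is restored.
ossec_backup() {
    prefix="$1"; out="$2"
    for item in $BACKUP_ITEMS; do
        if [ ! -e "$prefix/$item" ]; then
            echo "ossec_backup: missing $prefix/$item" >&2
            return 1
        fi
    done
    : > "$out" && chmod 600 "$out"          # client.keys is inside: owner-only
    ( cd "$prefix" && tar -cf - $BACKUP_ITEMS ) > "$out"
    cksum < "$out" > "$out.cksum"           # POSIX cksum: "crc size"
}

# ossec_restore PREFIX ARCHIVE
# Refuses an archive whose checksum no longer matches, then unpacks it into
# PREFIX. Runtime objects (the queue socket under queue/ossec, PID files under
# var/run) are deliberately not in the archive: ossec-agentd recreates them.
ossec_restore() {
    prefix="$1"; in="$2"
    if [ "$(cksum < "$in")" != "$(cat "$in.cksum")" ]; then
        echo "ossec_restore: checksum mismatch for $in, not restoring" >&2
        return 1
    fi
    ( cd "$prefix" && tar -xpf - ) < "$in"  # -p keeps modes; as root, owners too
    chmod 640 "$prefix/etc/client.keys"     # never world-readable after restore
}

# ossec_wait_queue PREFIX SECONDS
# After `ossec-control start`, syscheckd and rootcheck send to ossec-agentd over
# the Unix socket PREFIX/queue/ossec/queue, which ossec-agentd creates. If it has
# not appeared within SECONDS, ossec-agentd is not serving; report and fail.
ossec_wait_queue() {
    prefix="$1"; secs="$2"
    while [ "$secs" -gt 0 ]; do
        if [ -S "$prefix/queue/ossec/queue" ]; then
            return 0
        fi
        sleep 1
        secs=$((secs - 1))
    done
    echo "ossec_wait_queue: no socket at $prefix/queue/ossec/queue;" \
         "check that ossec-agentd is running and read $prefix/logs/ossec.log" >&2
    return 1
}

# Typical sequence (run as root; package names are placeholders):
#   ossec_backup  /opt/mcp/ossec /root/ossec-agent.tar
#   /opt/mcp/ossec/bin/ossec-control stop
#   rpm -e <old agent rpm> && rpm -ivh <new agent rpm>
#   ossec_restore /opt/mcp/ossec /root/ossec-agent.tar
#   /opt/mcp/ossec/bin/ossec-control start && ossec_wait_queue /opt/mcp/ossec 15
```

The restore never touches queue/ossec/queue or the files under var/run; if the socket is missing after start, the wait check fails and the message points at ossec-agentd and its log rather than at the socket path.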



