I'm starting to understand the agent/server setup a bit better now.

A few more questions if anybody could help.

1/ What should I be doing exactly after I've modified the agent.conf
file to get the changes pushed to all agents???

In my testing, I've had to restart the server, then restart the agent
and then run agent_control -R on the server to get the agent's Client
version to update. Is this the correct procedure?

But what if I was pushing the changes to 100 agents - surely I don't
want to be restarting OSSEC on all agents manually. Will the server
push the changes to all agents in due course (that is if I don't need
the changes applied immediately)???

2/ Another problem I'm having is with the global whitelist configured
inside the agent.conf file on the server. The whitelist gets pushed to
the agents but the IPs in the whitelist are not being whitelisted. To
fix this I've had to add the IPs to the server's ossec.conf file
under the <whitelist> section and restart both server and agent. It
seems the server's <whitelist> entry is taking precedence over the
agent.conf's <whitelist> entry. Is there a way to fix this???

Server's agent.conf:

r...@ossec:/usr/local/ossec/etc/shared# cat agent.conf
<agent_config>
  <global>
    <white_list>127.0.0.1</white_list>
    <white_list>^localhost.localdomain$</white_list>
    <white_list>203.17.98.x</white_list>
  </global>
</agent_config>

Agent's agent.conf:

[r...@plesk1 shared]# cat agent.conf
<agent_config>
  <global>
    <white_list>127.0.0.1</white_list>
    <white_list>^localhost.localdomain$</white_list>
    <white_list>203.17.98.x</white_list>
  </global>
</agent_config>

Thanks.

Andy