The agent.conf will be pushed out automatically, but it could take some time. Restarting the ossec server usually speeds that process up. After the file has been pushed to the agents, you will have to restart them. Agent_control -R is the easiest way.
Sent from my Nokia phone -----Original Message----- From: [email protected] Sent: 04/30/2010 3:19:20 AM Subject: [ossec-list] Re: Questions about Server/Agent Setup I'm starting to understand the agent/server set up a bit better now. A few more questions if anybody could help. 1/ What should I be doing exactly after I've modified the agent.conf file to get the changes pushed to all agents??? In my testing, I've had to restart the server, then restart the agent and then run agent_control -R on the server to get the agent's Client version to update. Is this the correct procedure? But what if I was pushing the changes to 100 agents - surely I don't want to be restarting OSSEC on all agents manually. Will the server push the changes to all agents in due course (that is if I don't need the changes applied immediately)??? 2/ Another problem I'm having is with the global whitelist configured inside the agent.conf file on the server. The whitelist gets pushed to the agents but the IP's in the whitelist are not being whitelisted. To fix this I've had to add the IP's to the server's ossec.conf file under the <whitelist> section and restart both server and agent. It seems the server's <whitelist> entry is taking precedent over the agent.conf's <whitelist> entry. Is there a way to fix this??? Server's agent.conf: r...@ossec:/usr/local/ossec/etc/shared# cat agent.conf <agent_config> <global> <white_list>127.0.0.1</white_list> <white_list>^localhost.localdomain$</white_list> <white_list>203.17.98.x</white_list> </global> </agent_config> Agent's agent.conf: [r...@plesk1 shared]# cat agent.conf <agent_config> <global> <white_list>127.0.0.1</white_list> <white_list>^localhost.localdomain$</white_list> <white_list>203.17.98.x</white_list> </global> </agent_config> Thanks. Andy
