I just checked, and it looks like the agent.conf configurations are cumulative.
My setup had a section for SERVER and an OS section that matched SERVER's OS. Both sections were enabled on SERVER when I restarted the ossec processes. On Mon, Jul 12, 2010 at 9:56 PM, Jason 'XenoPhage' Frisvold <[email protected]> wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Hi all, > > I have some questions about central agent configs. I've read over the > available documentation and I'm a little confused. I'm also new to OSSEC, so > be gentle... > > First, is agent.conf the only central file available? ie, all agents > are configured in the same file? How are ambiguous configurations resolved? > For instance, if I create a config that covers Server A, which is a Linux > machine, and I also have a config for all Linux machines, which config wins? > Is it first match, fall through, or does it read through the entire file and > the last options win? > > After the file is pushed by the server to the agent, must the agent be > reloaded, or will the agent eventually refresh the config itself? I know the > agents can be remotely restarted, but this may prove troublesome if a central > management system is used to push out config changes.. > > - --------------------------- > Jason 'XenoPhage' Frisvold > [email protected] > - --------------------------- > "Any sufficiently advanced magic is indistinguishable from technology." > - - Niven's Inverse of Clarke's Third Law > > > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG/MacGPG2 v2.0.14 (Darwin) > > iEYEARECAAYFAkw7x80ACgkQ8CjzPZyTUTTeZwCcC9EGiJbSTlYhTJ2kV+yhPr2u > /yUAn23RCAkKSq3dghGpUHJxNR+ei6EJ > =XF2Z > -----END PGP SIGNATURE----- >
