On Monday 12 July 2010 18:56:27 Jason 'XenoPhage' Frisvold wrote:
> Hi all,
>
> I have some questions about central agent configs. I've read over the
> available documentation and I'm a little confused. I'm also new to OSSEC,
> so be gentle...
>
> First, is agent.conf the only central file available? i.e., all agents
> are configured in the same file? How are ambiguous configurations resolved?
> For instance, if I create a config that covers Server A, which is a Linux
> machine, and I also have a config for all Linux machines, which config
> wins? Is it first match, fall through, or does it read through the entire
> file and the last options win?

I have run into a couple of problems with this. I want to pick up logs from all Linux machines except our log servers. I was unable to prevent the logs from being monitored on the log servers using agent.conf. So I had to add the logs to ossec.conf for all machines except the log servers.

In a more interesting problem, I have two machines which are under very heavy disk load during the day and I wanted to run syscheck at night for those, but run it every few hours for all others. I added the r...@2am option to ossec.conf on the loaded servers and continued to push the "every few hours" option via agent.conf. Happily, the ossec.conf trumped the agent.conf and it works as it should. In hindsight, it could be that the r...@2 option trumps the run every X secs option. Or that ossec.conf is simply read later and the last one wins.

At any rate, the centralized agent config system could be improved and I hope that it will be in time.

Craig

> After the file is pushed by the server to the agent, must the agent be
> reloaded, or will the agent eventually refresh the config itself? I know
> the agents can be remotely restarted, but this may prove troublesome if a
> central management system is used to push out config changes..
>
> ---------------------------
> Jason 'XenoPhage' Frisvold
> [email protected]
> ---------------------------
> "Any sufficiently advanced magic is indistinguishable from technology."
> - Niven's Inverse of Clarke's Third Law
