Hi All,
I'm wanting to configure my agents centrally and I'm able to do this using the
file in /var/ossec/etc/shared/agent.conf
The thing I'm not entirely sure on is where settings such as
(<auto_ignore>no</auto_ignore>, <alert_new_files>yes</alert_new_files>) go. Do they,
I believe, go onto the central server in ossec.conf under the <syscheck> tags
of course, or do they need to be added to agent.conf?
Also within the agent.conf file I'm not sure if the configurations get merged
together? I.e. if I have an agent.conf of:
<agent_config>
  <syscheck>
    <auto_ignore>no</auto_ignore>
    <alert_new_files>yes</alert_new_files>
    <frequency>21600</frequency>
    <directories check_all="yes">/</directories>
  </syscheck>
</agent_config>
<agent_config name="001">
  <localfile>
    <location>/var/log/apache2/error_log</location>
    <log_format>apache</log_format>
  </localfile>
</agent_config>
<agent_config name="002">
  <localfile>
    <log_format>apache</log_format>
    <location>/usr/local/apache2/logs/*</location>
  </localfile>
</agent_config>
Will all agents have the "<directories check_all="yes">/</directories>" set on
them and only agent 001 checking "/var/log/apache2/error_log" and only agent
002 checking "<location>/usr/local/apache2/logs/*</location>"?
Either I've not read the documentation correctly or it doesn't actually state
what will happen in this instance?
And after the md5sum on the agent has been updated do I need to then manually
restart the agent as well, or is that not the case and as soon as the
new md5sum is attached to the agent it's using the new configuration?
Cheers all,
M