Thanks for the reply. Great info, thank you. I see somewhere else someone wasn't able to work out if the agents did need restarting after updating the agent.conf file; this is a little disappointing, but I guess it makes some sense in some cases and not so much in others. Also, someone else had written about and understood that the merged parameters are all picked up, rather than just the parameters specified within a specific "agent_config name="001"", which is also good.

The question I have is: why have I not received anything from syscheck on the box since changing it to "<directories check_all="yes">/</directories>"? It seems it doesn't want to run automatically as it's supposed to. It's also not alerted on any newly generated files, and I can't tell if it's monitoring my web server log files that I've stated with a "<location>/usr/local/apache2/logs/*</location>", even though I know there are constantly errors going into them at the moment...

I also tried to run from the central server an agent_control -r -u 002, or something like that, which should force the check to run on the specific agent, but nothing appeared to happen. I see someone else has previously commented about that on the mailing list somewhere. I can't remember if the comment was a recent one, however.

Cheers,
M

With the set-up I have in that configuration file is it possible to

> Date: Mon, 26 Jul 2010 17:14:01 +0000
> From: [email protected]
> Subject: RE: [ossec-list] Central Remote Agent Configuration
> To: [email protected]
>
> The configurations you mentioned belong in the ossec server's ossec.conf.
> I believe all entries that match an agent in the agent.conf will be merged.
> After the md5s change you have to manually restart the agent's ossec
> processes.
>
> -----Original Message-----
> From: Mark F
> Sent: 07/26/2010 3:51:20 AM
> Subject: [ossec-list] Central Remote Agent Configuration
>
> Hi All,
>
> I'm wanting to configure my agents centrally and I'm able to do this using
> the file in /var/ossec/etc/shared/agent.conf
>
> The thing I'm not entirely sure on is where settings such as
> (<auto_ignore>no</auto_ignore>,<alert_new_files>yes</alert_new_files>) go.
> Do they, I believe, go onto the central server in ossec.conf, under the
> <syscheck> tags of course, or do they need to be added to agent.conf?
>
> Also, within the agent.conf file I'm not sure if the configurations get merged
> together?
>
> I.e. if I have an agent.conf of:
>
> <agent_config>
>   <syscheck>
>     <auto_ignore>no</auto_ignore>
>     <alert_new_files>yes</alert_new_files>
>     <frequency>21600</frequency>
>     <directories check_all="yes">/</directories>
>   </syscheck>
> </agent_config>
>
> <agent_config name="001">
>   <localfile>
>     <location>/var/log/apache2/error_log</location>
>     <log_format>apache</log_format>
>   </localfile>
> </agent_config>
>
> <agent_config name="002">
>   <localfile>
>     <log_format>apache</log_format>
>     <location>/usr/local/apache2/logs/*</location>
>   </localfile>
> </agent_config>
>
> Will all agents have the "<directories check_all="yes">/</directories>" set
> on them, with only agent 001 checking "/var/log/apache2/error_log" and only
> agent 002 checking "<location>/usr/local/apache2/logs/*</location>"?
>
> Either I've not read the documentation correctly or it doesn't actually state
> what will happen in this instance?
> And after the md5sum on the agent has been updated, do I need to then manually
> restart the agent as well, or is that not the case and as soon as the
> new md5sum is attached to the agent it's using the new configuration?
>
> Cheers all,
> M
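
Added example, not part of the thread and not OSSEC's own code: a small Python model of the merge behaviour the reply describes, useful for checking which settings a given agent should end up with before comparing against what it actually reports. It assumes a block without a name applies to every agent and a named block applies only on an exact match; the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the agent.conf quoted in the original message.
AGENT_CONF = """
<agent_config>
  <syscheck>
    <auto_ignore>no</auto_ignore>
    <alert_new_files>yes</alert_new_files>
    <frequency>21600</frequency>
    <directories check_all="yes">/</directories>
  </syscheck>
</agent_config>
<agent_config name="001">
  <localfile>
    <location>/var/log/apache2/error_log</location>
    <log_format>apache</log_format>
  </localfile>
</agent_config>
<agent_config name="002">
  <localfile>
    <log_format>apache</log_format>
    <location>/usr/local/apache2/logs/*</location>
  </localfile>
</agent_config>
"""

def effective_config(conf_text, agent_name):
    # agent.conf holds several top-level <agent_config> elements, so it is
    # not a well-formed XML document until wrapped in a single root.
    root = ET.fromstring("<root>" + conf_text + "</root>")
    merged = {}
    for block in root.findall("agent_config"):
        name = block.get("name")
        # Assumption: unnamed blocks are global, named blocks need an exact match.
        if name is not None and name != agent_name:
            continue
        for section in block:
            opts = [(o.tag, (o.text or "").strip(), dict(o.attrib)) for o in section]
            merged.setdefault(section.tag, []).append(opts)
    return merged

def monitored_logs(conf_text, agent_name):
    cfg = effective_config(conf_text, agent_name)
    return [text for lf in cfg.get("localfile", []) for tag, text, _ in lf if tag == "location"]

if __name__ == "__main__":
    for agent in ("001", "002", "003"):
        print(agent, sorted(effective_config(AGENT_CONF, agent)), monitored_logs(AGENT_CONF, agent))
```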
