Hello, On Mon, Jul 26, 2010 at 7:14 PM, [email protected] <[email protected]> wrote: > The configurations you mentioned belong in the ossec server's ossec.conf. > I believe all entries that match an agent in the agent.conf will be merged. > After the md5s change you have to manually restart the agent's ossec > processes. > > -----Original Message----- > From: Mark F > Sent: 07/26/2010 3:51:20 AM > Subject: [ossec-list] Central Remote Agent Configuration > > > Hi All, > > I'm wanting to configure my agents centrally and i'm able to do this using > the file in /var/ossec/etc/shared/agent.conf > > The thing i'm not entirely sure on is where settings such as > (<auto_ignore>no</auto_ignore>,<alert_new_files>yes</alert_new_files>) do > they i beleive go onto the central server in ossec.conf under the <syscheck> > tag's of course, Or does it need to be added to agent.conf? >
The 'auto_ignore' and the 'alert_new_file' are manager side options and shouldn't be set in the agent.conf file. The 'ignore' option once spécified in the server become global to all agents. > Also within the agent.conf file i'm not sure if the configurations get merged > together? IE if i have an agent.conf of:- > <agent_config> > <syscheck> > <auto_ignore>no</auto_ignore> > <alert_new_files>yes</alert_new_files> > <frequency>21600</frequency> > <directories check_all="yes">/</directories> > </syscheck> > </agent_config> > > <agent_config name="001"> > <localfile> > <location>/var/log/apache2/error_log</location> > <log_format>apache</log_format> > </localfile> > </agent_config> > > <agent_config name="002"> > <localfile> > <log_format>apache</log_format> > <location>/usr/local/apache2/logs/*</location> > </localfile> > </agent_config> > > Will all agents have the "<directories check_all="yes">/</directories>" set > on them and only agent 001 checking "/var/log/apache2/error_log" and only > agent 002 checking "<location>/usr/local/apache2/logs/*</location>"? yes > > Either i've not read the documentation correctly or it doesn't actually state > what will happen in this instance? > And after the md5sum on the agent has been updated do I need to then manually > restart the agent as well or is that not the case and that as soon as the the > new md5sum is attached to the agent then its using the new configuration? > You must restart the agent (localy or remotely) to get the changes applied > Cheers all, > M > > _________________________________________________________________ > http://clk.atdmt.com/UKM/go/195013117/direct/01/ > We want to hear all your funny, exciting and crazy Hotmail stories. Tell us > now >
