On Tue, Jul 27, 2010 at 6:07 AM, Mark F <[email protected]> wrote:
> Thanks for the reply.
>
> Great info, thank you. I see somewhere else someone wasn't able to work out
> if the agents did need restarting after updating the agent.conf file; this is
> a little disappointing, but I guess it makes some sense in some cases and not
> so much in others. Also, someone else had written about and understood
> that the merging of the parameters is all picked up, rather than parameters
> just specified within a specific "agent_config name="001"", which is also
> good.
>
> The question I have is why I have not received anything from the syscheck
> on the box since changing it to "<directories
> check_all="yes">/</directories>"; it seems it doesn't want to run
> automatically as it's supposed to. It's also not alerted on any newly
> generated files, and I can't tell if it's monitoring my web server log files
> that I've stated with a " <location>/usr/local/apache2/logs/*</location>",
> even though I know there are constantly errors going into them at the
> moment...
>
You can check the agent's ossec.log file to see if syscheck is running
and which log files are being monitored.
For alerting on new files, have you added a rule to do this? Something
like the following is necessary:
<!-- Rule 554 ships at level 0, so it never alerts; overwrite="yes" raises it -->
<rule id="554" level="7" overwrite="yes">
  <category>ossec</category>
  <decoded_as>syscheck_new_entry</decoded_as>
  <description>File added to the system.</description>
  <group>syscheck,</group>
</rule>
> I also tried to run from the central server an agent_control -r -u 002 or
> something like that, which should force the check to run on the specific
> agent, but nothing appeared to happen. I see someone else has previously
> commented about that on the mailing list somewhere. I can't remember if the
> comment was a recent one, however.
>
> Cheers,
> M
>
I'm pretty sure the -R option requires active response to be enabled;
maybe this does too. It can also take a while to initiate; the action
isn't immediate.
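One way to do the ossec.log check suggested above, added here as an example and not code from the original thread or from the OSSEC project: a small POSIX shell script that sifts an agent's ossec.log for syscheckd and logcollector messages. The sample log lines are constructed to resemble the agent's log format (the exact wording on your version may differ), and /var/ossec/logs/ossec.log is the assumed default path.

```shell
#!/bin/sh
# Added example: grep an OSSEC agent's ossec.log for evidence that syscheck
# started and scanned, and for the files logcollector says it is watching.
# The lines in SAMPLE_LOG are CONSTRUCTED to look like ossec.log output;
# on a real agent read /var/ossec/logs/ossec.log (assumed default path).

SAMPLE_LOG=$(cat <<'EOF'
2010/07/27 06:10:01 ossec-agentd(4102): INFO: Connected to server 10.0.0.5, port 1514.
2010/07/27 06:10:01 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'.
2010/07/27 06:10:01 ossec-logcollector(1950): INFO: Analyzing file: '/usr/local/apache2/logs/error_log'.
2010/07/27 06:10:02 ossec-syscheckd(1702): INFO: Started (pid: 4108).
2010/07/27 06:10:02 ossec-syscheckd: INFO: Monitoring directory: '/'.
2010/07/27 06:10:03 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
EOF
)

# Print, one per line, the files logcollector reports it is analyzing.
monitored_files() {
    printf '%s\n' "$1" | sed -n "s/.*ossec-logcollector.*Analyzing file: '\([^']*\)'.*/\1/p"
}

# Print the directories syscheckd reports it is monitoring.
syscheck_dirs() {
    printf '%s\n' "$1" | sed -n "s/.*ossec-syscheckd.*Monitoring directory: '\([^']*\)'.*/\1/p"
}

# Return 0 if syscheckd logged a start AND at least one scan, else 1.
# A "Started" line with no scan line usually means the scan has not run yet
# (or the daemon died before scanning).
syscheck_active() {
    printf '%s\n' "$1" | grep -q 'ossec-syscheckd.*INFO: Started' || return 1
    printf '%s\n' "$1" | grep -q 'ossec-syscheckd.*Starting syscheck scan' || return 1
}

# Stand-alone usage: summarise the constructed log.
# On a real agent replace SAMPLE_LOG with "$(cat /var/ossec/logs/ossec.log)".
if syscheck_active "$SAMPLE_LOG"; then
    echo "syscheck: started and scanned; monitoring:"
    syscheck_dirs "$SAMPLE_LOG" | sed 's/^/  /'
else
    echo "syscheck: no start+scan evidence in log"
fi
echo "logcollector files:"
monitored_files "$SAMPLE_LOG" | sed 's/^/  /'
```

If the Apache logs never show up under "Analyzing file", logcollector did not pick up the <location> entry, so that is the line to look at before suspecting the rules.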