I think there's something up with the <scan_day> flag - I was unable to get agent_control to kick off a syscheck until I removed the flag. What is strange is that it all seemed to be working fine before I started messing with importing the agent.conf over. I wonder if something got fudged. Is there a 'common' or merged file OSSEC reads when ossec.conf and agent.conf exist?
On Wed, Sep 22, 2010 at 9:53 AM, Jeremy Lee <[email protected]> wrote: > One other question, if I have <frequency>79200</frequency> in my > ossec.conf, will that conflict with the <scan_time> and <scan_day> in the > agent.conf? > > > On Tue, Sep 21, 2010 at 9:44 PM, jplee3 <[email protected]> wrote: > >> Hey guys, >> >> I've been testing out deploying the agent.conf to machines and am >> having trouble with the syscheck scheduling. My agent.conf looks like >> this: >> >> >> <agent_config> >> <syscheck> >> <scan_on_start>no</scan_on_start> >> <scan_time>17:00</scan_time> >> <scan_day>Tuesday</scan_day> >> >> <directories check_all="yes">/home/app</directories> >> >> </syscheck> >> >> <localfile> >> <log_format>syslog</log_format> >> <location>/home/log1</location> >> </localfile> >> >> >> <localfile> >> <log_format>syslog</log_format> >> <location>/home/log2</location> >> </localfile> >> >> >> </agent_config> >> >> >> I have verified that the dates are correct on the two agent machines >> and the server machine. Syscheck did not kick off at 17:00 today as >> verified in the ossec.log and through agent_control -i 001 and 002. >> Are there issues with agent.conf properly recognizing the "scan_*" >> flags? These obviously work fine in ossec.conf - am I missing >> something? >> >> >> >> >
