Does active_response need to be enabled for syscheck in agent.conf to properly work? I'm guessing active_response needs to be on for agent_control to properly restart the agents, etc. But it shouldn't have anything to do with agent.conf being merged with ossec.conf, correct?
On Tue, Sep 28, 2010 at 6:07 AM, Jeremy Lee <[email protected]> wrote:
> Is this in response to syscheck scheduling on agent.conf (and ossec.conf)?
>
> If so, can you please clarify a little more with details of what is in your
> agent.conf and ossec.conf?
>
> Thank you,
> Jeremy
>
>
> On Mon, Sep 27, 2010 at 9:01 PM, PhilS <[email protected]> wrote:
>
>> I just set this up in my environment with DHCP clients. I added the
>> machines using this...
>>
>> If the machine IP addresses are something like 192.168.xxx.xxx with a
>> subnet mask of 255.255.255.0 then you can use 192.168.0.0/16 for the
>> IP address when adding them using manage agents.
>>
>> Otherwise you can do the same ipaddress/mask with any scenario. It
>> worked flawlessly in my environment of 300 users all in a number of
>> different subnets.
>>
>> On Sep 23, 4:58 pm, "dan (ddp)" <[email protected]> wrote:
>> > No other ideas at the moment. I'll try setting it up to see what happens.
>> >
>> > On Thu, Sep 23, 2010 at 2:55 PM, Jeremy Lee <[email protected]> wrote:
>> > > I tried changing the time and ensured that the time is correct on both
>> > > servers. However, it's still not getting kicked off for some reason. I don't
>> > > see anything in the ossec.log even with full debugging on. I know there's a
>> > > slight delay before syscheck kicks off, but it shouldn't be more than 5
>> > > minutes. And I've tried updating agent.conf with the <scan_time> to be far
>> > > in advance. It's just not working for some reason. Any other ideas?
>> > >
