Yeah... I'm testing again with v2.5 but it looks like things still don't work as I would want them to.
If you remove/comment out the scan_day flag though, do things work? Because they do for me but *only* with ossec.conf. I actually tried the same combination (with and without scan_day) in agent.conf and nothing worked at all.

I think my fallback may have to be using agent_control -r -a in conjunction with cron to set up the scheduling to my liking. The -r and -a flags will require active response I'm guessing, right?

On Tue, Sep 28, 2010 at 9:30 AM, dan (ddp) <[email protected]> wrote:
> On Tue, Sep 28, 2010 at 12:22 PM, Jeremy Lee <[email protected]> wrote:
> > Does active_response need to be enabled for syscheck in agent.conf to
> > properly work? I'm guessing active_response needs to be on for agent_control
> > to properly restart the agents, etc. But it shouldn't have anything to do
> > with agent.conf being merged with ossec.conf correct?
> >
>
> No, active_response being disabled shouldn't affect whether syscheck
> in agent.conf works or not.
> I'm having trouble getting the scan_time/scan_day to work on my
> systems (in ossec.conf). I'm not sure if those options are really
> working at the moment.
>
