Furthermore, for some reason my agent.conf and ossec.conf just aren't
playing well with one another - I had to move agent.conf completely out of
the directory. I had specified scan_time in agent.conf as well as ossec.conf
so I think there might be issues if you duplicate flags in both confs. It
would be nice if there were an option in OSSEC to disable or 'overwrite'
the ossec.conf (or move it to another file so that the settings don't get
all blown away) if agent.conf is detected. Or just a more foolproof method
of merging the two files if it's to be the way it is. The problem with the
latter is that the syscheck frequency, by default, is set to "79200" which
means that it will *always* run syschecks at that frequency regardless. And
this value won't go away even if you rolled out syscheck scheduling options
in agent.conf. Unless syscheck just isn't set at all by default (maybe this
could be an option in the OSSEC install script?)



On Tue, Sep 28, 2010 at 9:45 AM, Jeremy Lee <[email protected]> wrote:

> Yeah... I'm testing again with v2.5 but it looks like things still don't
> work as I would want them to.
>
> If you remove/comment out the scan_day flag though, do things work? Because
> they do for me but *only* with ossec.conf. I actually tried the same
> combination (with and without scan_day) in agent.conf and nothing worked at
> all.
>
> I think my fallback may have to be using agent_control -r -a in conjunction
> with cron to set up the scheduling to my liking. The -r and -a flags will
> require active response I'm guessing, right?
>
>
> On Tue, Sep 28, 2010 at 9:30 AM, dan (ddp) <[email protected]> wrote:
>
>> On Tue, Sep 28, 2010 at 12:22 PM, Jeremy Lee <[email protected]> wrote:
>> > Does active_response need to be enabled for syscheck in agent.conf to
>> > properly work? I'm guessing active_response needs to be on for agent_control
>> > to properly restart the agents, etc. But it shouldn't have anything to do
>> > with agent.conf being merged with ossec.conf, correct?
>> >
>>
>> No, active_response being disabled shouldn't affect whether syscheck
>> in agent.conf works or not.
>> I'm having trouble getting the scan_time/scan_day to work on my
>> systems (in ossec.conf). I'm not sure if those options are really
>> working at the moment.
>>
>
>
