One of my agents has a basic ossec.conf. It sets the server IP and that's it. It gets all other settings from agent.conf and I haven't noticed any issues (beyond my own typos). I'd recommend using something like that. Then setting up a config for every system (settings that are common across the board). Then setting up individual agent configs for settings that aren't shared by all.
I'll try to expand on this later (with examples). If this didn't make sense, just let me know. :)

On Tue, Sep 28, 2010 at 12:55 PM, Jeremy Lee <[email protected]> wrote:
> Furthermore, for some reason my agent.conf and ossec.conf just aren't playing well with one another - I had to move agent.conf completely out of the directory. I had specified scan_time in agent.conf as well as ossec.conf, so I think there might be issues if you duplicate flags in both confs. It would be nice if there were an option in OSSEC to disable or 'overwrite' the ossec.conf (or move it to another file so that the settings don't get all blown away) if agent.conf is detected. Or just a more foolproof method of merging the two files if it's to be the way it is. The problem with the latter is that the syscheck frequency, by default, is set to "79200", which means that it will *always* run syschecks at that frequency regardless. And this value won't go away even if you rolled out syscheck scheduling options in agent.conf. Unless syscheck just isn't set at all by default (maybe this could be an option in the OSSEC install script?)
>
> On Tue, Sep 28, 2010 at 9:45 AM, Jeremy Lee <[email protected]> wrote:
>> Yeah... I'm testing again with v2.5, but it looks like things still don't work as I would want them to.
>>
>> If you remove/comment out the scan_day flag though, do things work? Because they do for me, but *only* with ossec.conf. I actually tried the same combination (with and without scan_day) in agent.conf and nothing worked at all.
>>
>> I think my fallback may have to be using agent_control -r -a in conjunction with cron to set up the scheduling to my liking. The -r and -a flags will require active response, I'm guessing, right?
>>
>> On Tue, Sep 28, 2010 at 9:30 AM, dan (ddp) <[email protected]> wrote:
>>> On Tue, Sep 28, 2010 at 12:22 PM, Jeremy Lee <[email protected]> wrote:
>>> > Does active_response need to be enabled for syscheck in agent.conf to properly work? I'm guessing active_response needs to be on for agent_control to properly restart the agents, etc. But it shouldn't have anything to do with agent.conf being merged with ossec.conf, correct?
>>>
>>> No, active_response being disabled shouldn't affect whether syscheck in agent.conf works or not.
>>> I'm having trouble getting the scan_time/scan_day to work on my systems (in ossec.conf). I'm not sure if those options are really working at the moment.
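The layout dan describes at the top of this message, written out as an added example (this is not configuration from anyone on the thread): a minimal agent-side ossec.conf that holds only the manager address, and one shared agent.conf on the manager with a block that applies to every agent followed by a block for a single agent. The server IP 192.0.2.10, the agent name webserver01 and the directory lists are constructed placeholders, and the file locations in the comments are the default OSSEC install paths. Each syscheck setting lives in exactly one of the two files, so the two configs never carry the same flag, which is the duplication Jeremy ran into above.

```xml
<!-- File 1: /var/ossec/etc/ossec.conf on the agent.
     Only the manager address; everything else comes from agent.conf.
     Added example; the IP is a constructed placeholder. -->
<ossec_config>
  <client>
    <server-ip>192.0.2.10</server-ip>
  </client>
</ossec_config>

<!-- File 2: /var/ossec/etc/shared/agent.conf on the manager, distributed
     to every agent. The first block has no name attribute, so it applies
     to all agents: this is the "common across the board" config. -->
<agent_config>
  <syscheck>
    <!-- Scheduled scan at a fixed time; frequency is deliberately not set
         here and is not set in ossec.conf either, so it appears once at most. -->
    <scan_time>02:00</scan_time>
    <!-- Baseline set of directories every system should have checked. -->
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/hosts.deny</ignore>
  </syscheck>
</agent_config>

<!-- Second block: settings for one agent only. The name must match the
     agent name registered on the manager (webserver01 is a placeholder). -->
<agent_config name="webserver01">
  <syscheck>
    <!-- Extra paths that only this host needs monitored. -->
    <directories check_all="yes">/var/www,/etc/apache2</directories>
  </syscheck>
</agent_config>
```

The two `<agent_config>` elements sit in the same agent.conf file; the unnamed block is read by every agent and the named block only by the matching agent. Keeping the scheduling option in agent.conf alone, and out of ossec.conf, is the practical way to avoid the merge conflict described above without depending on which file wins when both set it.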
