That makes sense. I guess what I'd really want to see is the option to push/update just a single 'config' file (ossec.conf) to all clients :)
On Tue, Sep 28, 2010 at 10:26 AM, dan (ddp) <[email protected]> wrote:
> One of my agents has a basic ossec.conf. It sets the server IP and
> that's it. It gets all other settings from agent.conf and I haven't
> noticed any issues (beyond my own typos).
> I'd recommend using something like that. Then setting up a config for
> every system (settings that are common across the board). Then setting
> up individual agent configs for settings that aren't shared by all.
>
> I'll try to expand on this later (with examples) if this didn't make
> sense, just let me know. :)
>
> On Tue, Sep 28, 2010 at 12:55 PM, Jeremy Lee <[email protected]> wrote:
> > Furthermore, for some reason my agent.conf and ossec.conf just aren't
> > playing well with one another - I had to move agent.conf completely out of
> > the directory. I had specified scan_time in agent.conf as well as ossec.conf
> > so I think there might be issues if you duplicate flags in both confs. It
> > would be nice if there were an option in OSSEC to disable or 'overwrite'
> > the ossec.conf (or move it to another file so that the settings don't get
> > all blown away) if agent.conf is detected. Or just a more foolproof method
> > of merging the two files if it's to be the way it is. The problem with the
> > latter is that the syscheck frequency, by default, is set to "79200" which
> > means that it will *always* run syschecks at that frequency regardless. And
> > this value won't go away even if you rolled out syscheck scheduling options
> > in agent.conf. Unless syscheck just isn't set at all by default (maybe this
> > could be an option in the OSSEC install script?)
> >
> > On Tue, Sep 28, 2010 at 9:45 AM, Jeremy Lee <[email protected]> wrote:
> >>
> >> Yeah... I'm testing again with v2.5 but it looks like things still don't
> >> work as I would want them to.
> >>
> >> If you remove/comment out the scan_day flag though, do things work?
> >> Because they do for me but *only* with ossec.conf. I actually tried the same
> >> combination (with and without scan_day) in agent.conf and nothing worked at
> >> all.
> >>
> >> I think my fallback may have to be using agent_control -r -a in
> >> conjunction with cron to set up the scheduling to my liking. The -r and -a
> >> flags will require active response I'm guessing, right?
> >>
> >> On Tue, Sep 28, 2010 at 9:30 AM, dan (ddp) <[email protected]> wrote:
> >>>
> >>> On Tue, Sep 28, 2010 at 12:22 PM, Jeremy Lee <[email protected]> wrote:
> >>> > Does active_response need to be enabled for syscheck in agent.conf to
> >>> > properly work? I'm guessing active_response needs to be on for agent_control
> >>> > to properly restart the agents, etc. But it shouldn't have anything to do
> >>> > with agent.conf being merged with ossec.conf correct?
> >>> >
> >>>
> >>> No, active_response being disabled shouldn't affect whether syscheck
> >>> in agent.conf works or not.
> >>> I'm having trouble getting the scan_time/scan_day to work on my
> >>> systems (in ossec.conf). I'm not sure if those options are really
> >>> working at the moment.
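The layout dan describes above (a bare ossec.conf holding only the server address, a shared agent.conf with one block for every system and narrower blocks for settings not shared by all), written out as an added example that is not from any participant in this thread. The server address 192.0.2.10, the agent name "web01" and the directory lists are constructed values; leaving `<syscheck>` out of ossec.conf entirely is what keeps the default frequency of 79200 and any scan_time/scan_day values from being set in two places.

```xml
<!-- /var/ossec/etc/ossec.conf on each agent: only the server address.
     No <syscheck> block here, so the default frequency (79200) and any
     scan_time/scan_day values cannot collide with what agent.conf pushes.
     192.0.2.10 is a constructed example address. -->
<ossec_config>
  <client>
    <server-ip>192.0.2.10</server-ip>
  </client>
</ossec_config>

<!-- /var/ossec/etc/shared/agent.conf on the manager, pushed to every agent.
     The first block applies to all agents; later blocks narrow by OS or by
     agent name. Agent name "web01" and the directory lists are constructed. -->
<agent_config>
  <!-- Settings common across the board -->
  <syscheck>
    <frequency>21600</frequency>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
  </syscheck>
</agent_config>

<agent_config os="Linux">
  <!-- Extra paths monitored on Linux agents only -->
  <syscheck>
    <directories check_all="yes">/bin,/sbin</directories>
  </syscheck>
</agent_config>

<agent_config name="web01">
  <!-- Per-agent settings not shared by the rest -->
  <syscheck>
    <directories check_all="yes">/var/www</directories>
  </syscheck>
</agent_config>
```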
