Yes, active response needs to be enabled to utilize certain options in agent_control.

On Thu, Sep 30, 2010 at 12:39 PM, Jeremy Lee <[email protected]> wrote:
> I've found that restarting OSSEC server and also restarting the OSSEC agents
> (not through agent_control but locally) results in agent.conf getting pushed
> out fastest. Side question on that: with restarting through agent_control,
> you need to enable active response right?
>
> On Thu, Sep 30, 2010 at 9:35 AM, dan (ddp) <[email protected]> wrote:
>>
>> On Thu, Sep 30, 2010 at 12:31 PM, Chris Decker <[email protected]> wrote:
>> > All,
>> >
>> > Is there an easy way to force the OSSEC server to immediately push out the
>> > latest copy of the <snip>/etc/shared/agent.conf? Even after restarting the
>> > OSSEC server and forcing a restart using agent_control it seems to take
>> > forever.
>> >
>>
>> Nope, it is what it is. If you need it pushed out faster, consider
>> rolling it into a configuration management setup.
>>
>> > Also, is there a good way to troubleshoot when the agent.conf doesn't arrive
>> > on the agents after a long period of time? For example, if the permissions
>> > on the agent.conf file prevent OSSEC from reading the file, is that written
>> > somewhere? I'm having an issue where 1 of my 4 agents never receives the
>> > agent.conf, even though it can communicate with the OSSEC server, and can't
>> > find a good way to troubleshoot.
>> >
>>
>> Make sure everything is running the same version (preferably a recent
>> one). Check permissions on both the working and non-working systems.
>> Try running various daemons in debug mode (-d flag). Make sure there
>> aren't junk directories in the ossec/etc/shared directory.
>>
>> > Thanks,
>> > Chris
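
The permission and junk-directory checks suggested in the thread, as an added shell example that is not part of the original messages or of OSSEC's own tooling. It assumes the manager reads agent.conf through group permissions; the function name and finding labels are hypothetical.

```shell
#!/bin/sh
# Added example: audit an OSSEC etc/shared directory for the problems named in
# the thread. Function name and finding labels are hypothetical.
# Assumption: the manager reads agent.conf through group permissions, so a
# missing group-read bit is reported.

check_shared_dir() {
    dir=$1
    conf="$dir/agent.conf"
    findings=0

    if [ ! -d "$dir" ]; then
        echo "MISSING_DIR"
        return 2
    fi

    if [ ! -f "$conf" ]; then
        echo "MISSING_FILE agent.conf"
        findings=$((findings + 1))
    else
        if [ ! -s "$conf" ]; then
            echo "EMPTY_FILE agent.conf"
            findings=$((findings + 1))
        fi
        # find prints the path only when the group-read bit (040) is set.
        if [ -z "$(find "$conf" -perm -040)" ]; then
            echo "NOT_GROUP_READABLE agent.conf"
            findings=$((findings + 1))
        fi
    fi

    # Any subdirectory (hidden ones included) counts as a junk directory.
    for entry in "$dir"/* "$dir"/.[!.]*; do
        [ -d "$entry" ] && [ ! -L "$entry" ] || continue
        echo "UNEXPECTED_DIR ${entry##*/}"
        findings=$((findings + 1))
    done

    if [ "$findings" -eq 0 ]; then
        echo "OK"
        return 0
    fi
    return 1
}
```

Findings are printed with names relative to the directory, so the output of `check_shared_dir` on a working system and on the non-working one can be compared directly.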
