The second of my two cents concerns the ability to restart all agents from the central server. A basic functionality, but I understand the risk that goes with it.
It is a simple request, but not from an architectural or security view. However, since we do propose a centralised config-management, and changes in the config do require a restart of the agent, why do we have to visit all the clients separately? I also fell on this problem because I was trying to find a way to reconnect all the clients to their original, default OSSEC server, after a failover scenario. Something like: when the failed server resurrects, it can give a signal to the last connected agents to restart... I really like OSSEC, and I am trying really hard to defend it...
