On Thu, 21 Oct 2010 17:31:30 +0000, "[email protected]" <[email protected]>
wrote:
> This isn't restart-free, but I set up an active response to restart agents
> when agent.conf has changed.
When ddpbsd mentioned this to me in IRC, I set this up for my Windows
agents:
First, you'll need this in ossec.conf or agent.conf:

  <directories check_all="yes" realtime="yes">C:\program files/ossec-agent/shared</directories>

Next, you'll need a rule like this:

  <rule id="100032" level="7">
    <if_group>syscheck</if_group>
    <match>C:\program files/ossec-agent/shared/agent.conf</match>
    <description>Windows Agent.conf File Changed</description>
    <group>agent.conf_changed</group>
  </rule>

Finally, in ossec.conf, set up the active response:

  <command>
    <name>restart-win-agent</name>
    <executable>restart-ossec.cmd</executable>
    <expect></expect>
  </command>

  <active-response>
    <command>restart-win-agent</command>
    <location>local</location>
    <rules_group>agent.conf_changed</rules_group>
  </active-response>

At one point, the agent was restarting twice every time a new policy was
pushed out, but I think that was fixed. Hope this helps.
--
[I] Immutable Security
Information Security, Privacy and Personal Liberty
http://www.immutablesecurity.com