On Thu, Oct 21, 2010 at 2:08 PM, Michael Starks <[email protected]> wrote:
>
> On Thu, 21 Oct 2010 17:31:30 +0000, "[email protected]" <[email protected]> wrote:
>> This isn't restart-free, but I set up an active response to restart agents
>> when agent.conf has changed.
>
> When ddpbsd mentioned this to me in IRC, I set this up for my Windows
> agents:
>
> First, you'll need this in ossec.conf or agent.conf:
>
> <directories check_all="yes" realtime="yes">C:\program files/ossec-agent/shared</directories>
>
> Next, you'll need a rule like this:
>
> <rule id="100032" level="7">
>   <if_group>syscheck</if_group>
>   <match>C:\program files/ossec-agent/shared/agent.conf</match>
>   <description>Windows Agent.conf File Changed</description>
>   <group>agent.conf_changed</group>
> </rule>
>
> Finally, in ossec.conf, set up the active response:
>
> <command>
>   <name>restart-win-agent</name>
>   <executable>restart-ossec.cmd</executable>
>   <expect></expect>
> </command>
>
> <active-response>
>   <command>restart-win-agent</command>
>   <location>local</location>
>   <rules_group>agent.conf_changed</rules_group>
> </active-response>
>
> At one point, the agent was restarting twice every time a new policy was
> pushed out, but I think that was fixed. Hope this helps.
>
> --
> [I] Immutable Security
> Information Security, Privacy and Personal Liberty
> http://www.immutablesecurity.com
>

I think that pretty much sums it up.
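
The setup quoted above only fires if its three pieces line up: the syscheck directory must cover the path the rule matches, the rule's group must be the one the active response listens for, and the active response must name a defined command. A small consistency check for that chain, as an added example that is not part of the original thread; the wrapping `<root>` element, the function names and the treatment of groups as exact comma-separated names are assumptions of this sketch:

```python
import xml.etree.ElementTree as ET

# Constructed sample: the thread's fragments wrapped in one <root> so they parse together.
SAMPLE = r"""<root>
<directories check_all="yes" realtime="yes">C:\program files/ossec-agent/shared</directories>
<rule id="100032" level="7">
  <if_group>syscheck</if_group>
  <match>C:\program files/ossec-agent/shared/agent.conf</match>
  <description>Windows Agent.conf File Changed</description>
  <group>agent.conf_changed</group>
</rule>
<command>
  <name>restart-win-agent</name>
  <executable>restart-ossec.cmd</executable>
  <expect></expect>
</command>
<active-response>
  <command>restart-win-agent</command>
  <location>local</location>
  <rules_group>agent.conf_changed</rules_group>
</active-response>
</root>"""

def norm(path):  # Windows paths: ignore case and slash direction
    return path.strip().replace("\\", "/").lower().rstrip("/")

# Assumption of this sketch: group and directory lists are comma-separated exact names.
def tokens(text):
    return {t.strip() for t in (text or "").split(",") if t.strip()}

def check_chain(xml_text):
    """Return a list of broken links between syscheck, rule, command and active response."""
    root = ET.fromstring(xml_text)
    problems = []
    watched = {norm(p) for d in root.iter("directories") for p in tokens(d.text)}
    # findall, not iter: <active-response> also contains a <command> child element
    commands = {(c.findtext("name") or "").strip() for c in root.findall("command")}
    for ar in root.iter("active-response"):
        cmd = (ar.findtext("command") or "").strip()
        if cmd not in commands:
            problems.append(f"active-response uses undefined command '{cmd}'")
        wanted = tokens(ar.findtext("rules_group"))
        rules = [r for r in root.iter("rule") if wanted & tokens(r.findtext("group"))]
        if not rules:
            problems.append(f"no rule sets group {sorted(wanted)}")
        for r in rules:
            target = norm(r.findtext("match") or "")
            if not any(target.startswith(w + "/") for w in watched):
                problems.append(f"rule {r.get('id')} matches a path syscheck does not watch")
    return problems
```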
