Yes, I reload agent 10 time. But still AR is there. md5sum and everything is correct. What other way to disable AR?
root@vmg035:/var/ossec/etc/shared# md5sum /var/ossec/etc/shared/agent.conf f4c01366249fcc231d8015e616f76aee /var/ossec/etc/shared/agent.conf root@vmg035:/var/ossec/etc/shared# /var/ossec/bin/agent_control -i 002 OSSEC HIDS agent_control. Agent information: Agent ID: 002 Agent Name: devserver1 IP address: 172.24.10.51 Status: Active Operating system: Linux devserver1.west.com 2.6.9-89.0.25.ELsmp #1 S.. Client version: OSSEC HIDS v2.5.1 / f4c01366249fcc231d8015e616f76aee Last keep alive: Thu Mar 3 11:21:51 2011 Syscheck last started at: Thu Mar 3 09:41:15 2011 Rootcheck last started at: Thu Mar 3 09:55:00 2011 On Thu, Mar 3, 2011 at 1:25 PM, carlopmart <[email protected]> wrote: > On 03/03/2011 07:05 PM, satish patel wrote: >> >> Thanks bro, >> >> That has been fix. Now i want to disable AR on specific agent and i >> add following code in agent.conf but it doesn't working... still AR is >> active on that node >> >> <agent_config name="devserver1"> >> <active-response> >> <disabled>yes</disabled> >> </active-response> >> </agent_config> >> >> >> >> > > Agent has reloaded agent.conf file?? try with this command: > > /opt/ossec/bin/agent_control -i 001 > > OSSEC HIDS agent_control. Agent information: > Agent ID: 001 > Agent Name: rhelauthsrv > IP address: 172.25.50.10 > Status: Active > > Operating system: Linux rhelsrv01.hpulabs.org 2.6.32-71.14.1.el6.x86_64 > .. > Client version: OSSEC HIDS v2.5.1 / 689ae94cd232e6b5c503e6148a08b49b > Last keep alive: Thu Mar 3 19:23:09 2011 > > Syscheck last started at: Thu Mar 3 18:14:44 2011 > Rootcheck last started at: Thu Mar 3 18:19:19 2011 > > > md5sum needs to be the same on agent and server. And try to restart ossec > services on the agent side if needed ... > > -- > CL Martinez > carlopmart {at} gmail {d0t} com >
