Try putting the active response section in ossec.conf on the agent side and
restart the agent.

On 03/03/2011 08:25 PM, satish patel wrote:
> Yes, I reloaded the agent 10 times. But AR is still there. md5sum and
> everything is correct. What other way is there to disable AR?
>
> root@vmg035:/var/ossec/etc/shared# md5sum /var/ossec/etc/shared/agent.conf
> f4c01366249fcc231d8015e616f76aee /var/ossec/etc/shared/agent.conf
> root@vmg035:/var/ossec/etc/shared# /var/ossec/bin/agent_control -i 002
> OSSEC HIDS agent_control. Agent information:
> Agent ID: 002
> Agent Name: devserver1
> IP address: 172.24.10.51
> Status: Active
> Operating system: Linux devserver1.west.com 2.6.9-89.0.25.ELsmp #1 S..
> Client version: OSSEC HIDS v2.5.1 / f4c01366249fcc231d8015e616f76aee
> Last keep alive: Thu Mar 3 11:21:51 2011
> Syscheck last started at: Thu Mar 3 09:41:15 2011
> Rootcheck last started at: Thu Mar 3 09:55:00 2011
>
> On Thu, Mar 3, 2011 at 1:25 PM, carlopmart <[email protected]> wrote:
> > On 03/03/2011 07:05 PM, satish patel wrote:
> > > Thanks bro,
> > > That has been fixed. Now I want to disable AR on a specific agent and I
> > > added the following code in agent.conf but it isn't working... AR is still
> > > active on that node
> > >
> > > <agent_config name="devserver1">
> > >   <active-response>
> > >     <disabled>yes</disabled>
> > >   </active-response>
> > > </agent_config>
> >
> > Has the agent reloaded the agent.conf file? Try this command:
> >
> > /opt/ossec/bin/agent_control -i 001
> > OSSEC HIDS agent_control. Agent information:
> > Agent ID: 001
> > Agent Name: rhelauthsrv
> > IP address: 172.25.50.10
> > Status: Active
> > Operating system: Linux rhelsrv01.hpulabs.org 2.6.32-71.14.1.el6.x86_64 ..
> > Client version: OSSEC HIDS v2.5.1 / 689ae94cd232e6b5c503e6148a08b49b
> > Last keep alive: Thu Mar 3 19:23:09 2011
> > Syscheck last started at: Thu Mar 3 18:14:44 2011
> > Rootcheck last started at: Thu Mar 3 18:19:19 2011
> >
> > md5sum needs to be the same on agent and server. And try to restart ossec
> > services on the agent side if needed ...
> >
> > --
> > CL Martinez
> > carlopmart {at} gmail {d0t} com

--
CL Martinez
carlopmart {at} gmail {d0t} com
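
The md5sum comparison done by hand in the thread can be scripted. This is an added example, not part of the original messages or of OSSEC itself: the function names are hypothetical, and the sample text is constructed in the `agent_control -i` layout quoted above.

```shell
#!/bin/sh
# Added example: compare the agent.conf checksum shown on the
# "Client version" line of agent_control -i with the md5 of a local file.

# Read agent_control -i output on stdin and print the 32-hex-digit md5
# that follows "OSSEC HIDS vX / " on the "Client version" line.
reported_md5() {
    sed -n 's|^[[:space:]]*Client version:.* / \([0-9a-f]\{32\}\)[[:space:]]*$|\1|p' |
        head -n 1
}

# Print only the md5 of a file (first field of md5sum output).
file_md5() {
    md5sum "$1" 2>/dev/null | awk '{print $1}'
}

# $1 = path to agent.conf, stdin = agent_control -i output.
# Returns 0 when both checksums match, 1 when they differ,
# 2 when either checksum could not be read.
conf_in_sync() {
    want=$(file_md5 "$1")
    got=$(reported_md5)
    [ -n "$got" ] && [ -n "$want" ] || return 2
    [ "$got" = "$want" ]
}

# Constructed sample in the layout quoted in the thread.
SAMPLE='OSSEC HIDS agent_control. Agent information:
   Agent ID:   002
   Status:     Active
   Client version:      OSSEC HIDS v2.5.1 / f4c01366249fcc231d8015e616f76aee'

# Demo on the constructed sample: prints the reported checksum.
printf '%s\n' "$SAMPLE" | reported_md5

# On a live manager the same check would be piped, using the paths from
# the thread:
#   /var/ossec/bin/agent_control -i 002 |
#       conf_in_sync /var/ossec/etc/shared/agent.conf
```

A return code of 1 means the agent is reporting a different agent.conf than the file being checked; 2 means the agent reported no checksum or the file could not be read.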