That is working!! I need everything in agent.conf, not ossec.conf. It would be painful to manage more than 50 hosts by editing each ossec.conf file. At auditing time we need AR disabled, and after auditing we need that option enabled. I meant we are running a few scanners and a bunch of security vulnerability tools.
Just wanted to know if it's possible to disable AR via agent.conf or not?

-Satish

On Thu, Mar 3, 2011 at 2:30 PM, carlopmart <[email protected]> wrote:
> Try to put the active response section in ossec.conf on the agent side and
> restart the agent.
>
>
> On 03/03/2011 08:25 PM, satish patel wrote:
>>
>> Yes, I reloaded the agent 10 times. But still AR is there. md5sum and
>> everything is correct. What other way is there to disable AR?
>>
>>
>> root@vmg035:/var/ossec/etc/shared# md5sum /var/ossec/etc/shared/agent.conf
>> f4c01366249fcc231d8015e616f76aee /var/ossec/etc/shared/agent.conf
>>
>>
>> root@vmg035:/var/ossec/etc/shared# /var/ossec/bin/agent_control -i 002
>>
>> OSSEC HIDS agent_control. Agent information:
>> Agent ID: 002
>> Agent Name: devserver1
>> IP address: 172.24.10.51
>> Status: Active
>>
>> Operating system: Linux devserver1.west.com 2.6.9-89.0.25.ELsmp #1
>> S..
>> Client version: OSSEC HIDS v2.5.1 /
>> f4c01366249fcc231d8015e616f76aee
>> Last keep alive: Thu Mar 3 11:21:51 2011
>>
>> Syscheck last started at: Thu Mar 3 09:41:15 2011
>> Rootcheck last started at: Thu Mar 3 09:55:00 2011
>>
>>
>>
>>
>> On Thu, Mar 3, 2011 at 1:25 PM, carlopmart<[email protected]> wrote:
>>>
>>> On 03/03/2011 07:05 PM, satish patel wrote:
>>>>
>>>> Thanks bro,
>>>>
>>>> That has been fixed. Now I want to disable AR on a specific agent and I
>>>> added the following code in agent.conf but it isn't working... still AR is
>>>> active on that node
>>>>
>>>> <agent_config name="devserver1">
>>>> <active-response>
>>>> <disabled>yes</disabled>
>>>> </active-response>
>>>> </agent_config>
>>>>
>>>>
>>>>
>>>>
>>>
>>> Has the agent reloaded the agent.conf file? Try with this command:
>>>
>>> /opt/ossec/bin/agent_control -i 001
>>>
>>> OSSEC HIDS agent_control. Agent information:
>>> Agent ID: 001
>>> Agent Name: rhelauthsrv
>>> IP address: 172.25.50.10
>>> Status: Active
>>>
>>> Operating system: Linux rhelsrv01.hpulabs.org
>>> 2.6.32-71.14.1.el6.x86_64
>>> ..
>>> Client version: OSSEC HIDS v2.5.1 /
>>> 689ae94cd232e6b5c503e6148a08b49b
>>> Last keep alive: Thu Mar 3 19:23:09 2011
>>>
>>> Syscheck last started at: Thu Mar 3 18:14:44 2011
>>> Rootcheck last started at: Thu Mar 3 18:19:19 2011
>>>
>>>
>>> md5sum needs to be the same on agent and server. And try to restart ossec
>>> services on the agent side if needed ...
>>>
>>> --
>>> CL Martinez
>>> carlopmart {at} gmail {d0t} com
>>>
>
>
> --
> CL Martinez
> carlopmart {at} gmail {d0t} com
>
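
The check discussed in the thread (the agent.conf md5 must match on agent and server) can be scripted on the manager. This is an added example, not part of the original messages: the function names are hypothetical, and it assumes the hash after "Client version: ... /" is the agent.conf md5, as the output quoted in the thread shows.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Output of "agent_control -i 002" as quoted in the thread, trimmed; the mail
# client wrapped the hash onto the line after "Client version:".
SAMPLE='Agent ID: 002
Agent Name: devserver1
Status: Active
Client version: OSSEC HIDS v2.5.1 /
f4c01366249fcc231d8015e616f76aee
Last keep alive: Thu Mar 3 11:21:51 2011'

# Print the 32-hex-digit hash reported on the "Client version:" line, or on
# the line right after it when the output has been wrapped. Reads stdin.
reported_md5() {
    awk '
        /Client version:/ { left = 2 }
        left > 0 {
            for (i = 1; i <= NF; i++)
                if (length($i) == 32 && $i ~ /^[0-9a-f]+$/) { print $i; exit }
            left--
        }'
}

# Exit 0 if the agent reports the md5 of the manager copy of agent.conf ($1),
# 1 if the hashes differ (agent has not picked up the file yet), 2 if either
# hash could not be obtained. agent_control -i output is read from stdin.
agent_in_sync() {
    [ -r "$1" ] || return 2
    want=$(md5sum "$1" | awk '{ print $1 }')
    got=$(reported_md5)
    [ -n "$want" ] && [ -n "$got" ] || return 2
    [ "$want" = "$got" ]
}

# On a manager (paths and flag as used in the thread):
#   /var/ossec/bin/agent_control -i 002 |
#       agent_in_sync /var/ossec/etc/shared/agent.conf || echo "002 out of sync"
printf 'agent 002 reports: %s\n' "$(printf '%s\n' "$SAMPLE" | reported_md5)"
```

Looping this over every agent ID before and after an audit window shows which hosts are still running the previous agent.conf.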
