@Dan, this was resolved when you told me to put the *ignore* statement in the server-side ossec.conf.

-S

On Tue, Apr 26, 2011 at 4:41 PM, dan (ddp) <[email protected]> wrote:
> Did you restart the ossec processes on the agents? This has to be done
> for a new agent.conf to be used.
>
> On Tue, Apr 12, 2011 at 11:02 AM, satish patel <[email protected]> wrote:
>> I have waited for the last 24 hrs. Also, I can see the agent.conf file on
>> the client side with the ignore directory; that means it should work, right?
>> agent.conf propagated successfully.
>>
>> root@vmg035:~# md5sum /var/ossec/etc/shared/agent.conf
>> 87439ad234809a4e7436c444345484af /var/ossec/etc/shared/agent.conf
>>
>> [root@agent1 ~]# md5sum /var/ossec/etc/shared/agent.conf
>> 87439ad234809a4e7436c444345484af /var/ossec/etc/shared/agent.conf
>>
>> -S
>>
>> On Tue, Apr 12, 2011 at 10:31 AM, carlopmart <[email protected]> wrote:
>>> On 04/12/2011 04:21 PM, satish patel wrote:
>>>>
>>>> I wanted to ignore the /etc/lvm/backup directory, and I have added it to
>>>> the agent.conf file and restarted all agents, but I am still getting
>>>> notifications :( Am I doing something wrong?
>>>>
>>>> root@vmg035:~# cat /var/ossec/etc/shared/agent.conf
>>>> <agent_config>
>>>>   <syscheck>
>>>>
>>>>     <!-- Frequency that syscheck is executed - default to every 2 hours
>>>> -->
>>>>     <frequency>7200</frequency>
>>>>
>>>>     <!-- Directories to check (perform all possible verifications) -->
>>>>     <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
>>>>     <directories check_all="yes">/bin,/sbin</directories>
>>>>
>>>>     <!-- No scan at start service time -->
>>>>     <scan_on_start>no</scan_on_start>
>>>>
>>>>     <!-- Disable frequently changes files -->
>>>>     <auto_ignore>no</auto_ignore>
>>>>
>>>>     <!-- Files/directories to ignore -->
>>>>     <ignore>/etc/mtab</ignore>
>>>>     <ignore>/etc/mnttab</ignore>
>>>>     <ignore>/etc/hosts.deny</ignore>
>>>>     <ignore>/etc/mail/statistics</ignore>
>>>>     <ignore>/etc/random-seed</ignore>
>>>>     <ignore>/etc/adjtime</ignore>
>>>>     <ignore>/etc/httpd/logs</ignore>
>>>>     <ignore>/etc/utmpx</ignore>
>>>>     <ignore>/etc/wtmpx</ignore>
>>>>     <ignore>/etc/cups/certs</ignore>
>>>>     <ignore>/etc/dumpdates</ignore>
>>>>     <ignore>/etc/svc/volatile</ignore>
>>>>     <ignore>/etc/motd</ignore>
>>>>     <ignore>/etc/printcap</ignore>
>>>>     <ignore>/etc/prelink.cache</ignore>
>>>>     <ignore>/etc/lvm/backup</ignore>
>>>>   </syscheck>
>>>>
>>>> .....
>>>> .....
>>>> ..So..on..
>>>
>>> Check if the md5sum is the same on server and agent for the agent.conf file ...
>>>
>>> Normally, you need to wait some minutes on the agent side until the server
>>> pushes the new agent.conf file ...
>>>
>>> Bye.
>>>
>>>
>>> --
>>> CL Martinez
>>> carlopmart {at} gmail {d0t} com
>>>
>>
>
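
The thread was resolved by putting the ignore statement in the server-side ossec.conf, not only in the shared agent.conf. As an added example (not part of the thread and not OSSEC's own code), this Python script reports which config file has no literal `<ignore>` entry covering a path; the sample configs are constructed, the function names are hypothetical, and prefix matching of literal entries is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs, not copied from the hosts in the thread.
SERVER_OSSEC_CONF = """<ossec_config>
  <syscheck>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <ignore>/etc/mtab</ignore>
    <ignore type="sregex">.log$</ignore>
  </syscheck>
</ossec_config>"""

SHARED_AGENT_CONF = """<agent_config>
  <syscheck>
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/lvm/backup</ignore>
  </syscheck>
</agent_config>
<agent_config os="Linux">
  <syscheck><ignore>/etc/prelink.cache</ignore></syscheck>
</agent_config>"""


def literal_ignores(conf_text):
    """Return the literal <ignore> paths found in all <syscheck> blocks."""
    # A config file can hold several top-level elements, so parse it
    # under a synthetic root element.
    root = ET.fromstring("<wrap>" + conf_text + "</wrap>")
    paths = []
    for entry in root.findall(".//syscheck/ignore"):
        text = (entry.text or "").strip()
        if text and entry.get("type") is None:  # skip sregex entries
            paths.append(text)
    return paths


def configs_missing_ignore(target, configs):
    """Names of configs with no literal ignore covering `target`.

    Assumption: a literal entry covers every path it is a prefix of.
    """
    return [name for name, text in configs.items()
            if not any(target.startswith(p) for p in literal_ignores(text))]


if __name__ == "__main__":
    configs = {"server ossec.conf": SERVER_OSSEC_CONF,
               "shared agent.conf": SHARED_AGENT_CONF}
    for name in configs_missing_ignore("/etc/lvm/backup/vg00", configs):
        print("no ignore entry for /etc/lvm/backup in", name)
```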
