I am having a bit of a problem with conflicting ossec.conf and agent.conf entries.
On the server, I have report_changes enabled, but on the client the default ossec.conf file doesn't have this option enabled. The client seems to be winning the war between whether I report changes or not. As I'd rather not have to maintain all the clients configs separately, is there a way to force agent.conf to win this battle? Server: /var/ossec/etc/shared/agent.conf <directories check_all="yes" report_changes="yes">/etc</directories> Client: /var/ossec/etc/ossec.conf <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories> The client will not start the agent if the entire <directories> entry is deleted. Also, it will not start w/o <directories>something here</directories>. I was able to work around this by including /bin, but this is not optimal. The central config will greatly simplify deployment. Thoughts? -Reggie
