I like to restrict the ossec.conf files on the agents to contain server-ip and not much else. Then do all other configuration through the agent.conf. That keeps these types of problems from coming up.
On Tue, May 17, 2011 at 6:07 PM, reg <[email protected]> wrote:
> I am having a bit of a problem with conflicting ossec.conf and agent.conf entries.
>
> On the server, I have report_changes enabled, but on the client the default ossec.conf file doesn't have this option enabled. The client seems to be winning the war between whether I report changes or not. As I'd rather not have to maintain all the clients configs separately, is there a way to force agent.conf to win this battle?
>
> Server: /var/ossec/etc/shared/agent.conf
>
> <directories check_all="yes" report_changes="yes">/etc</directories>
>
> Client: /var/ossec/etc/ossec.conf
>
> <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
>
> The client will not start the agent if the entire <directories> entry is deleted. Also, it will not start w/o <directories>something here</directories>.
>
> I was able to work around this by including /bin, but this is not optimal. The central config will greatly simplify deployment.
>
> Thoughts?
>
> -Reggie
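
An added example, not part of the original thread and not OSSEC project code: a small audit that compares the `<directories>` entries in an agent's local ossec.conf with the shared agent.conf and reports paths declared in both with different options, plus paths still configured only on the agent. The sample file contents are constructed from the entries quoted above (the server address is a placeholder), and the script assumes plain `<directories>` entries, ignoring any `os`/`name` filters on `<agent_config>`.

```python
import xml.etree.ElementTree as ET

# Constructed sample files mirroring the entries quoted in the thread.
LOCAL_OSSEC_CONF = """
<ossec_config>
  <client><server-ip>192.0.2.10</server-ip></client>
  <syscheck>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
  </syscheck>
</ossec_config>
"""
SHARED_AGENT_CONF = """
<agent_config>
  <syscheck>
    <directories check_all="yes" report_changes="yes">/etc</directories>
  </syscheck>
</agent_config>
"""

def directory_options(conf_text):
    """Map each monitored path to the attributes of its <directories> entry."""
    # Either file may hold several top-level blocks, so wrap them in one root.
    root = ET.fromstring("<root>" + conf_text + "</root>")
    paths = {}
    for entry in root.iter("directories"):
        for path in (entry.text or "").split(","):
            if path.strip():
                paths[path.strip().rstrip("/") or "/"] = dict(entry.attrib)
    return paths

def find_conflicts(local_text, shared_text):
    """Return paths declared in both files whose options differ, as
    {path: {option: (local_value, shared_value)}}."""
    local, shared = directory_options(local_text), directory_options(shared_text)
    conflicts = {}
    for path in sorted(local.keys() & shared.keys()):
        keys = sorted(set(local[path]) | set(shared[path]))
        diff = {k: (local[path].get(k), shared[path].get(k))
                for k in keys if local[path].get(k) != shared[path].get(k)}
        if diff:
            conflicts[path] = diff
    return conflicts

def local_only_paths(local_text, shared_text):
    """Paths still configured per agent instead of centrally."""
    return sorted(directory_options(local_text).keys()
                  - directory_options(shared_text).keys())

if __name__ == "__main__":
    print("conflicts:", find_conflicts(LOCAL_OSSEC_CONF, SHARED_AGENT_CONF))
    print("local only:", local_only_paths(LOCAL_OSSEC_CONF, SHARED_AGENT_CONF))
```

Run against the real files by reading /var/ossec/etc/ossec.conf from an agent and /var/ossec/etc/shared/agent.conf from the server and passing their contents to the two functions.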
