Hi George,

> However, is the configuration applied immediately or does it require a manual restart of the Ossec HIDS service on the Windows machines?

Based on the 2.5.1 documentation, the agents must be restarted for the changes to take effect ( http://www.ossec.net/main/manual/centralized-config ). However, when I read the source code, it seems that all the daemons (syscheck, logcollector, etc.) check to see if the config file is updated whenever they run. So, for example, on the next scheduled run of syscheck, it should see that the agent.conf has been updated and read the new config.

> I tried the agent_control -R <id> option but it doesn't seem to restart the agent?

This command message gets pushed to the agent when the agent next connects to the ossec manager. It may take some time, depending on your setup. Perhaps try waiting a few minutes to see whether the agent is restarted.

> Syscheck is configured to run every 72000 seconds. However, if there are changes in agent.conf, does Ossec only look at the options within <syscheck></syscheck> or the entire .conf file?

The ossec agent consists of multiple processes running. Each process reads its part of the config file. The syscheck daemon will read the <syscheck></syscheck> portion of the agent.conf, while the logcollector daemon will read the <localfile></localfile> portion of the config.

> Reason I am asking: during some testing, we replaced agent.conf with Unix-only configurations. So by right, Windows hosts have nothing to monitor and no applicable configurations. However, I still see many Windows machines sending alerts to alerts.log, which I believe come from the following entries in agent.conf:
>

I will have to read the source code to confirm, but I am guessing that the behaviour of syscheck and logcollector is slightly different. Since syscheck runs at periodic intervals, it can reload a new configuration if it finds it. However, logcollector reads the config at startup and then starts monitoring the files continuously, in an infinite loop. It does not stop to re-read a new configuration.

Probably this is the reason you are still seeing the logcollector process monitoring files specified in the old agent.conf.
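As an added illustration of the point made above (example code written for this thread, not part of OSSEC itself): each agent daemon only consumes its own slice of a centralized agent.conf. The script below parses a constructed agent.conf, pulls out the <syscheck> directories and <localfile> locations that a given agent would apply, and includes the kind of mtime check a periodically running daemon could use to decide whether the file has changed. It assumes agent.conf groups its sections in <agent_config> blocks with an optional os="..." attribute and that a block with no os attribute applies to every agent; the OS matching is a plain substring test, a simplification of OSSEC's own selector.

```python
"""Added example (not from the original thread): split a centralized OSSEC
agent.conf into the per-daemon portions the reply describes.

Assumptions (labelled): agent.conf wraps its sections in <agent_config>
blocks with an optional os="..." attribute; a block with no os attribute
applies to every agent. Matching here is a case-insensitive substring test
on the agent's OS string, a simplification of OSSEC's own selector.
"""
import os
import xml.etree.ElementTree as ET

# Constructed sample agent.conf: one unscoped block and one Windows-only block.
SAMPLE_AGENT_CONF = """
<agent_config>
  <syscheck>
    <frequency>72000</frequency>
    <directories check_all="yes">/etc,/usr/bin</directories>
  </syscheck>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>
</agent_config>
<agent_config os="Windows">
  <syscheck>
    <directories check_all="yes">C:\\Windows\\System32</directories>
  </syscheck>
  <localfile>
    <log_format>eventlog</log_format>
    <location>Security</location>
  </localfile>
</agent_config>
"""


def parse_agent_conf(text):
    # agent.conf has several top-level <agent_config> elements, so wrap them
    # in a synthetic root to obtain a single well-formed XML document.
    root = ET.fromstring("<root>" + text + "</root>")
    return root.findall("agent_config")


def block_applies(block, agent_os):
    # No os attribute: the block applies to every agent (assumed behaviour).
    os_attr = block.get("os")
    return os_attr is None or os_attr.lower() in agent_os.lower()


def daemon_sections(text, agent_os, section):
    """Return the <section> elements ('syscheck' or 'localfile') that apply to
    an agent reporting agent_os; this is the slice the matching daemon reads."""
    return [sec for blk in parse_agent_conf(text) if block_applies(blk, agent_os)
            for sec in blk.findall(section)]


def syscheck_directories(text, agent_os):
    """Directories the syscheck daemon on this agent would monitor."""
    dirs = []
    for sec in daemon_sections(text, agent_os, "syscheck"):
        for d in sec.findall("directories"):
            dirs.extend(p.strip() for p in d.text.split(","))
    return dirs


def localfile_locations(text, agent_os):
    """Log locations the logcollector daemon on this agent would read."""
    return [lf.findtext("location")
            for lf in daemon_sections(text, agent_os, "localfile")]


def config_changed(path, last_seen_mtime):
    """mtime check a periodically running daemon could use before reloading."""
    try:
        return os.stat(path).st_mtime > last_seen_mtime
    except FileNotFoundError:
        return False


if __name__ == "__main__":
    for agent in ("Linux", "Microsoft Windows Server 2008"):
        print(agent, "syscheck:", syscheck_directories(SAMPLE_AGENT_CONF, agent))
        print(agent, "localfile:", localfile_locations(SAMPLE_AGENT_CONF, agent))
```

Running it shows that the unscoped block's Unix paths are handed to the Windows agent as well as to the Linux one, which is worth checking when Windows hosts keep raising alerts after a Unix-oriented agent.conf is pushed.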
