Thanks for the responses. I have verified that agent.conf file with md5sum. It's the same on both the server and the agent and has been for some time. I have restarted the agent and server many times.
-R On Jul 8, 8:47 am, Christopher Moraes <cmoraes....@gmail.com> wrote: > Did you restart the agents after changing the ossec.conf and agent.conf? > Syscheckd reads its configuration once at startup, and then runs in an > infinite loop. If the config changes, you will need to restart the process. > > > > > > > > On Thu, Jul 7, 2011 at 5:03 PM, reg <regoma...@gmail.com> wrote: > > Hello All, > > > Taking some advice on this list, I converted all my agents to a > > minimal ossec.conf(just the server IP). Inside the agent.conf > > file on the server, I have my entire configuration. This is working > > quite nicely now, but I have one nagging issue. I keep getting > > alerts regarding file changes that should be ignored.I have checked > > and double-checked the ignore rules for syntax errors > > in the file name, and still the alerts come in. > > > Example: > > > <agent_config name="myhost1|myhost2"> > > <syscheck> > > <frequency>86400</frequency> > > <directories check_all="yes">/mnt,/nsr,/usr,/bin,/sbin,/lib,/ > > etc,/root,/boot</directories> > > <ignore>/nsr/logs</ignore> > > </syscheck> > > </agent_config> > > > I do not have this issue on new agents. Checksum of agent.conf has > > been verified with agent_control. Manual deletion of > > file entries from /var/ossec/queue/syscheck/(hostname file) and client/ > > server restarts but still the ignored entries get added back to > > the file. > > > -Reggie
