Hey all, What would cause agent.conf and ar.conf to *not* get copied to a Windows box (agent) that is Active (connected) on an OSSEC server?
I've made sure that Active Response is set to <disabled>no</disabled> in the Windows ossec.conf. In fact, if I attempt to restart via agent_control, it produces this message in the ossec.log on the Windows box: 2011/07/21 12:53:01 ossec-execd(1311): ERROR: Invalid command name 'restart-ossec0' provided. 2011/07/21 12:53:02 ossec-agent(1103): ERROR: Unable to open file 'shared/ar.conf'. 2011/07/21 12:53:02 ossec-execd(1311): ERROR: Invalid command name 'restart-ossec0' provided. 2011/07/21 12:53:02 ossec-agent(1103): ERROR: Unable to open file 'shared/ar.conf'. 2011/07/21 12:53:02 ossec-execd(1311): ERROR: Invalid command name 'restart-ossec0' provided. 2011/07/21 12:53:03 ossec-agent(1103): ERROR: Unable to open file 'shared/ar.conf'. 2011/07/21 12:53:03 ossec-execd(1311): ERROR: Invalid command name 'restart-ossec0' provided. So it looks like it's communicating fine. It's just that the agent and ar conf files don't get copied over for some reason. I don't have this problem anywhere else. I'm wondering if it's a Windows permission issue (can't copy the files into the shared dir for some reason). This is a Win2k3 box btw. I've installed the newest 2.6 OSSEC agent and it's talking to a 2.5.1 OSSEC server. As I alluded to already, this is the only box I'm having issues with. I actually installed the 2.6 agent on another Windows 2003 box and had no problems with the agent and ar conf files getting copied over to that one. I'm assuming *everything* is transmitted over 1514 right? I'm tempted to just copy the agent.conf and ar.conf onto this box at this point...
