Thanks Dan and Kat. Unfortunately, I've found that a number of our Linux boxes don't have Inotify support. This was observed when I got the ossec-syscheckd "WARN" error about realtime monitoring being ignored (at least, I'm assuming that means Inotify is not supported or present).
We're still running a number of boxes on 2.4, and from poking around it looks like 2.6 was when inotify came out (although, I think I read in a post by you that it has been backported). In either case, it doesn't even look like inotify was installed on a majority of the systems. At best, it would be a mixed bag...

Puppet sounds familiar. I think our team was researching it at some point but it fell on the back burner. I'm pretty certain we're not using a centralized package/patch management server for our Linux boxes at this point in time... Guess all this will have to come in due time.

On Jul 14, 2:45 pm, "dan (ddp)" <[email protected]> wrote:
> Linux has had inotify/realtime support for a while. Ancient distros
> don't, but anything decently recent should.
> Windows also supports realtime.
>
> On Thu, Jul 14, 2011 at 5:19 PM, jplee3 <[email protected]> wrote:
> > Thanks Dan - I wish there was realtime monitoring of files. On the
> > boxes I want this on, I have syscheck kicking off once every night. I
> > guess that's enough though. Hopefully
> >
> > On Jul 14, 12:34 pm, "dan (ddp)" <[email protected]> wrote:
> >> I set up an active response to restart my agents when syscheck noticed
> >> /var/ossec/etc/shared/agent.conf has changed.
> >
> >> On Thu, Jul 14, 2011 at 3:06 PM, jplee3 <[email protected]> wrote:
> >> > Hi all,
> >
> >> > Does anyone have suggestions on pushing agent.conf after making
> >> > changes and having this go into effect immediately? I'm specifically
> >> > looking at when additions are made to monitor logfiles.
> >
> >> > The agent.conf normally gets pushed after some time. However, it
> >> > doesn't seem like OSSEC will actually read the file until the next
> >> > restart.
> >
> >> > Is there a way to force the OSSEC agent to *always* restart after the
> >> > agent.conf is loaded?
> >
> >> > Am I missing something here?
> >
> >> > Thanks,
> >> > Jeremy
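
One way to wire up the active response described in the thread (restart an agent when syscheck reports that /var/ossec/etc/shared/agent.conf changed). This is an added example, not configuration posted by anyone in the thread. The rule ID 100200, the rule level and the split across files are assumptions; restart-ossec.sh and rule 550 are the stock OSSEC script and syscheck rule.

```xml
<!-- Added example, not from the thread. Rule ID 100200 is a constructed value. -->

<!-- 1. Agent side (shared agent.conf): have syscheck watch the directory
     that holds the pushed agent.conf. -->
<agent_config>
  <syscheck>
    <directories check_all="yes">/var/ossec/etc/shared</directories>
  </syscheck>
</agent_config>

<!-- 2. Manager side (rules/local_rules.xml): child of rule 550
     ("Integrity checksum changed") that matches only agent.conf. -->
<group name="local,syscheck,">
  <rule id="100200" level="7">
    <if_sid>550</if_sid>
    <match>/var/ossec/etc/shared/agent.conf</match>
    <description>Shared agent.conf changed on agent.</description>
  </rule>
</group>

<!-- 3. Manager side (ossec.conf): run the stock restart script on the
     agent that reported the change. -->
<ossec_config>
  <command>
    <name>restart-ossec</name>
    <executable>restart-ossec.sh</executable>
    <expect></expect>
  </command>
  <active-response>
    <command>restart-ossec</command>
    <location>local</location>
    <rules_id>100200</rules_id>
  </active-response>
</ossec_config>
```

Without realtime monitoring, the restart only fires after the next scheduled syscheck run, so on the nightly schedule mentioned above a changed agent.conf takes effect up to a day late. The script runs as root through ossec-execd, so active-response/bin on each agent should stay writable by root only.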
