Hi folks,
Has anyone ever seen this behavior before?
I'm in a server-agent setup with 3 agents (Linux, Solaris, Windows); the
OSSEC manager (server) is running on a Linux OS as well. According to the
documentation, I have set up the server and agents to restart after
agent.conf has been modified. That works fine; I can really see how first
the manager and later the agents do the restart.
Now my problem. On the OSSEC manager I sometimes see that there are two
ossec-syscheckd processes running after the automatic restart was processed;
both have the same timestamp, and "lsof" shows they both use the same files.
This looks very nasty to me, and I could not figure out how to recreate
that behavior 100%, since sometimes it works as you would assume and only one
ossec-syscheckd process is started.
Here is what I have configured in the ossec.conf on the manager:
  <!-- Active response commands: one per platform -->
  <command>
    <name>restart-ossec</name>
    <executable>restart-ossec.sh</executable>
    <expect></expect>
  </command>
  <command>
    <name>win_restart-ossec</name>
    <executable>restart-ossec.cmd</executable>
    <expect></expect>
  </command>

  <!-- Active Response Config: run the restart command locally when the
       agent.conf-modified rules (100003 / 100004) fire -->
  <active-response>
    <command>restart-ossec</command>
    <location>local</location>
    <rules_id>100003</rules_id>
  </active-response>
  <active-response>
    <command>win_restart-ossec</command>
    <location>local</location>
    <rules_id>100004</rules_id>
  </active-response>
I hope someone can help with that problem.
Kind regards,
Oliver
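As an added check (not from Oliver's post or from the OSSEC project), the following POSIX shell script reports any ossec-* daemon that is running more than once, which is the symptom described above for ossec-syscheckd after the automatic restart. It assumes ps(1) accepts "-eo pid,ppid,etime,comm" (Linux procps and Solaris both do) and uses a constructed sample of ps output so it runs offline.

```shell
#!/bin/sh
# Added example, not part of the original post: find OSSEC daemons that
# are running more than once (e.g. two ossec-syscheckd after a restart).
# Assumption: "ps -eo pid,ppid,etime,comm" is available; run as root or
# the ossec user so that all daemon processes are visible.

# Constructed ps output mimicking the reported symptom: two ossec-syscheckd
# processes started at the same time, alongside normal daemons.
SAMPLE_PS='  PID  PPID     ELAPSED COMMAND
 1201     1    01:12:03 ossec-analysisd
 1205     1    01:12:03 ossec-syscheckd
 1206     1    01:12:03 ossec-syscheckd
 1210     1    01:12:03 ossec-logcollector
 1215     1    01:12:03 ossec-remoted'

# dup_ossec_daemons: read ps-style lines (pid ppid etime comm) on stdin and
# print one line per ossec-* command name that appears more than once,
# with its count and the PIDs involved.
dup_ossec_daemons() {
    awk 'NR > 1 && $4 ~ /^ossec-/ {
            count[$4]++
            pids[$4] = pids[$4] (pids[$4] ? "," : "") $1
        }
        END {
            for (c in count)
                if (count[c] > 1)
                    printf "%s x%d pids=%s\n", c, count[c], pids[c]
        }'
}

# count_dups: number of duplicated daemon names in the given ps text;
# 0 means the restart left exactly one instance of each daemon.
count_dups() {
    printf '%s\n' "$1" | dup_ossec_daemons | wc -l | tr -d ' '
}

# Offline demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_PS" | dup_ossec_daemons

# Live check on a manager or agent host (Linux/Solaris):
#   ps -eo pid,ppid,etime,comm | dup_ossec_daemons
```

Running the live check right after an agent.conf-triggered restart shows whether the duplicate appeared this time, which makes the intermittent behavior easier to pin down.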