OK, it works. So no, it automatically splits them into agent.conf. But it is only when there are changes in the server agent.conf - that is, it gets updated. But it won't parse the config on the first restart of the agent.
Basically:

* Change in the server - restart server
* restart client

The client does not pick up the config yet, but the merged.mg is updated and then a portion of it is split into agent.conf. It is not being picked up by the client, probably due to the order of actions. I need to restart again in order to make it work - which means restarting the client twice.

On Thu, Aug 2, 2012 at 10:30 PM, dan (ddp) <[email protected]> wrote:

> On Thu, Aug 2, 2012 at 8:25 AM, dan (ddp) <[email protected]> wrote:
> > On Wed, Aug 1, 2012 at 10:08 PM, Steve Kieu <[email protected]> wrote:
> >> Probably can not ln it as the format of the merged.mg is different from the
> >> normal xml config file, part of it is xml containing the config section and
> >> the other part is not.
> >>
> >> I am confused. What does ossec use the merged.mg file for and why is it not
> >> picked up?
> >>
> >
> > merged.mg should get split into a number of files, one of them being
> > the current agent.conf. Did that happen?
> >
>
> If it didn't happen, try creating a blank agent.conf with the proper
> permissions (I think I've posted those in this thread) and try again.
> If that did happen, did any of the other items in the agent.conf get
> picked up properly (are the localfiles being monitored)?
>
> >>
> >> On Thu, Aug 2, 2012 at 12:05 PM, Steve Kieu <[email protected]> wrote:
> >>>>>
> >>>>> Try blanking the merged.mg.
> >>>>
> >>>> Looks like it does the trick. I cp /dev/null into it and then restart
> >>>> both - after restarting, the file is populated with data again, pushed from
> >>>> the server in that section for the client name.
> >>>>
> >>>> Need to wait or do some testing to see if it is actually using that merged
> >>>> file for the config, as I still do not see in the log that it monitors these
> >>>> entries yet (in the merged.mg file)
> >>>>
> >>>
> >>> So it has things pushed to the merged.mg file but it is not picked up. I
> >>> manually run
> >>>
> >>> bin/agent_control -r -a
> >>>
> >>> in the server and wait for a while, then in the client log it says:
> >>>
> >>> 2012/08/02 11:58:13 ossec-rootcheck: INFO: Starting rootcheck scan.
> >>> 2012/08/02 11:58:13 ossec-rootcheck: No rootcheck_files file configured.
> >>> 2012/08/02 11:58:13 ossec-rootcheck: No rootcheck_trojans file configured.
> >>> 2012/08/02 11:59:09 ossec-rootcheck: INFO: Ending rootcheck scan.
> >>> 2012/08/02 12:04:09 ossec-rootcheck: INFO: Starting rootcheck scan.
> >>> 2012/08/02 12:04:09 ossec-rootcheck: No rootcheck_files file configured.
> >>> 2012/08/02 12:04:09 ossec-rootcheck: No rootcheck_trojans file configured
> >>>
> >>> Obviously I saw it is all configured in the merged.mg file. Do we need to
> >>> symlink it to the ossec.conf file?
> >>>
> >>>>
> >>>> --
> >>>> Steve Kieu
> >>>
> >>> --
> >>> Steve Kieu
> >>
> >> --
> >> Steve Kieu
>

--
Steve Kieu
