If I am reading your problem - you are saying "ossec.conf" on the AGENT is not being overwritten -- if this is correct - then yes, it is not - it won't. Only agent.conf gets pushed to the agents. ossec.conf is set manually on agents, so if you expect it to get changes - you need to use puppet or some other method.
cheers K On Wednesday, November 28, 2012 5:25:31 AM UTC-8, dan (ddpbsd) wrote: > > On Tue, Nov 27, 2012 at 7:29 PM, funwithossec <[email protected]<javascript:>> > wrote: > > All, > > Apologies if this has been covered, but I sure couldn't find it > :-) > > > > In my lab I have a central ossec 2.6 server on Ubuntu and one client on > > Centos, set them up with active response and followed procedure here: > > http://www.ossec.net/doc/manual/agent/agent-configuration.html > > > > agent.conf is written to the client upon restart of server and client > > > > ossec.conf is not overwritten > > > > This feels like a permissions error, agent.conf is owned by ossec:ossec > and > > ossec.conf is owned by root:root and is not writable by other than root, > > this is default as far as I can tell and I don't want to muck with it > unless > > I have to. > > > > Any help would be...helpful :-) > > > > -Thanks > > > > > > What's the problem? You haven't identified it at all. >
