FYI - agent.conf extends the settings in ossec.conf. You should have a minimal set of instructions in ossec.conf, usually the server and those that will not function in agent.conf, i.e. full_command, etc.
Scott On Nov 28, 2012, at 9:45 AM, funwithossec <[email protected]> wrote: > > On Wednesday, November 28, 2012 8:45:04 AM UTC-8, Kat wrote: > If I am reading your problem - you are saying "ossec.conf" on the AGENT is > not being overwritten -- if this is correct - then yes, it is not - it won't. > Only agent.conf gets pushed to the agents. ossec.conf is set manually on > agents, so if you expect it to get changes - you need to use puppet or some > other method. > > cheers > K > > Kat, > Ahh, thanks for the answer, after I read Dan's comment I was pretty sure > it would take a 3rd party mechanism to get agent.conf into ossec.conf. > -Thanks all :-) > > > > On Wednesday, November 28, 2012 5:25:31 AM UTC-8, dan (ddpbsd) wrote: > On Tue, Nov 27, 2012 at 7:29 PM, funwithossec <[email protected]> wrote: > > All, > > Apologies if this has been covered, but I sure couldn't find it :-) > > > > In my lab I have a central ossec 2.6 server on Ubuntu and one client on > > Centos, set them up with active response and followed procedure here: > > http://www.ossec.net/doc/manual/agent/agent-configuration.html > > > > agent.conf is written to the client upon restart of server and client > > > > ossec.conf is not overwritten > > > > This feels like a permissions error, agent.conf is owned by ossec:ossec and > > ossec.conf is owned by root:root and is not writable by other than root, > > this is default as far as I can tell and I don't want to muck with it > > unless > > I have to. > > > > Any help would be...helpful :-) > > > > -Thanks > > > > > > What's the problem? You haven't identified it at all.
