So... I've read in various places that it should be possible to define an
active response to automatically restart the Windows OSSEC agent when a
change to agent.conf is detected... but I can't get it to work!
Here's what I have:
ossec.conf (client, v2.8.3)
**************************
<syscheck>
  <directories check_all="yes">C:\Program Files (x86)\ossec-agent\shared\agent.conf</directories>
</syscheck>
<active-response>
  <disabled>no</disabled>
</active-response>
ossec.conf (server, v2.8.2)
**************************
<command>
  <name>restart-win-agent</name>
  <executable>restart-ossec.cmd</executable>
  <expect></expect>
  <timeout_allowed>no</timeout_allowed>
</command>
<active-response>
  <command>restart-win-agent</command>
  <location>local</location>
  <rules_group>win_agent.conf_changed</rules_group>
</active-response>
local_rules.xml (server)
**************************
<rule id="100001" level="7">
  <if_group>syscheck</if_group>
  <match>:\Program Files (x86)\ossec-agent\shared\agent.conf$</match>
  <group>win_agent.conf_changed</group>
  <description>Windows agent.conf File Changed</description>
</rule>
When I make a change to agent.conf on the server, it pushes the change to
the client, but the agent is not restarted. Can anyone indicate where the
problem may be?
Thanks!