On Jan 13, 2016 8:41 AM, <[email protected]> wrote:
>
> So....I've read in various places that it should be possible to define an active response to automatically restart the Windows OSSEC agent when a change to agent.conf is detected...but I can't get it to work!
>
> Here's what I have:
>
> ossec.conf (client, v2.8.3)
> **************************
> <syscheck>
> <directories check_all="yes">C:\Program Files (x86)\ossec-agent\shared\agent.conf</directories>
> </syscheck>
>
> <active-response>
> <disabled>no</disabled>
> </active-response>
>
> ossec.conf (server, v2.8.2)
> **************************
> <command>
> <name>restart-win-agent</name>
> <executable>restart-ossec.cmd</executable>
> <expect></expect>
> <timeout_allowed>no</timeout_allowed>
> </command>
>
> <active-response>
> <command>restart-win-agent</command>
> <location>local</location>
> <rules_group>win_agent.conf_changed</rules_group>
> </active-response>
>
>
> local_rules.xml (server)
> **************************
> <rule id="100001" level="7">
> <if_group>syscheck</if_group>
> <match>:\Program Files (x86)\ossec-agent\shared\agent.conf$</match>
> <group>win_agent.conf_changed</group>
> <description>Windows agent.conf File Changed</description>
> </rule>
>
>
> When I make a change to agent.conf on the server, it pushes the change to the client, but the agent is not restarted. Can anyone indicate where the problem may be?
>
Does the agent detect the change (is the correct hash in the syscheck db on the server)? Is AR enabled on the agent?

> Thanks!
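An added example, not part of the thread and not OSSEC's own code: a small static check that the command, active-response and rule fragments quoted above refer to each other consistently. The wrapper root elements, the constant and function names, and the exact-name comparison for `rules_group` are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Fragments quoted in the thread. The <ossec_config> and <group name="local,">
# wrappers are assumptions added so each fragment parses as one XML document.
SERVER_CONF = r"""<ossec_config>
<command><name>restart-win-agent</name><executable>restart-ossec.cmd</executable>
<expect></expect><timeout_allowed>no</timeout_allowed></command>
<active-response><command>restart-win-agent</command><location>local</location>
<rules_group>win_agent.conf_changed</rules_group></active-response>
</ossec_config>"""
LOCAL_RULES = r"""<group name="local,">
<rule id="100001" level="7"><if_group>syscheck</if_group>
<match>:\Program Files (x86)\ossec-agent\shared\agent.conf$</match>
<group>win_agent.conf_changed</group>
<description>Windows agent.conf File Changed</description></rule>
</group>"""
AGENT_CONF = """<ossec_config>
<active-response><disabled>no</disabled></active-response>
</ossec_config>"""

def names(text):
    """Split a comma-separated OSSEC group string into a set of names."""
    return {n.strip() for n in (text or "").split(",") if n.strip()}

def lint(server_xml, rules_xml, agent_xml):
    """Return a list of wiring problems between command, active-response and rules."""
    server, rules, agent = (ET.fromstring(x) for x in (server_xml, rules_xml, agent_xml))
    findings = []
    # Top-level <command> blocks define names; <active-response> refers to them.
    commands = {c.findtext("name", "").strip() for c in server.findall("command")}
    groups = names(rules.get("name"))
    for rule in rules.iter("rule"):
        groups |= names(rule.findtext("group"))
    for ar in server.findall("active-response"):
        cmd = ar.findtext("command", "").strip()
        if cmd not in commands:
            findings.append(f"active-response uses undefined command {cmd!r}")
        # Assumption: exact name comparison; OSSEC's own matching may differ.
        for g in names(ar.findtext("rules_group")):
            if g not in groups:
                findings.append(f"rules_group {g!r} is not set by any rule")
    for ar in agent.findall("active-response"):
        if (ar.findtext("disabled") or "no").strip().lower() == "yes":
            findings.append("active response is disabled in the agent's ossec.conf")
    return findings

if __name__ == "__main__":
    print(lint(SERVER_CONF, LOCAL_RULES, AGENT_CONF) or "wiring is consistent")
```

Under these assumptions the quoted fragments produce no findings, which leaves the two runtime questions in the reply (whether the change reaches the syscheck database, and whether AR is enabled on the agent) as the next things to check.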
