Hmm...no, the new hash does not appear in the syscheck db:

#++7771:33056:0:999:c7ec0b76a893d45bd5bca7e41460fdc0:d4fa0a53abacae5874fea3b728a90f53309b1386 !1452609712 /var/ossec/etc/shared/agent.conf
#++7713:33056:0:999:bc9b5870c5f02a2057f9ca2a98223d2b:5660d35c73cb91427951297f891a8dce2171baf2 !1452611210 /var/ossec/etc/shared/agent.conf
#!+7597:33056:0:999:60f946976a7e123d4039cacb334eebdf:e849702ac9b06a3daab54028a86bdb901a5e01e6 !1452618137 /var/ossec/etc/shared/agent.conf
!!!7616:33056:0:999:88ab90aad2b886a896963eab9483c6ae:cd3e04ca6692a9c33326b4e02e7060fd508bfd1a !1452650958 /var/ossec/etc/shared/agent.conf

root@sonion-01:/var/ossec/queue/syscheck# md5sum /var/ossec/etc/shared/agent.conf
a8bf8d66f2bb034515ebbb882e1b7c94 /var/ossec/etc/shared/agent.conf

Do I need to wait until the syscheck runs on the server? If so, is there a way to expedite this?

Thanks!

On Wednesday, January 13, 2016 at 8:43:08 AM UTC-5, dan (ddpbsd) wrote:
>
> On Jan 13, 2016 8:41 AM, <[email protected]> wrote:
> >
> > So....I've read in various places that it should be possible to define an active response to automatically restart the Windows OSSEC agent when a change to agent.conf is detected...but I can't get it to work!
> >
> > Here's what I have:
> >
> > ossec.conf (client, v2.8.3)
> > **************************
> > <syscheck>
> >   <directories check_all="yes">C:\Program Files (x86)\ossec-agent\shared\agent.conf</directories>
> > </syscheck>
> >
> > <active-response>
> >   <disabled>no</disabled>
> > </active-response>
> >
> > ossec.conf (server, v2.8.2)
> > **************************
> > <command>
> >   <name>restart-win-agent</name>
> >   <executable>restart-ossec.cmd</executable>
> >   <expect></expect>
> >   <timeout_allowed>no</timeout_allowed>
> > </command>
> >
> > <active-response>
> >   <command>restart-win-agent</command>
> >   <location>local</location>
> >   <rules_group>win_agent.conf_changed</rules_group>
> > </active-response>
> >
> >
> > local_rules.xml (server)
> > **************************
> > <rule id="100001" level="7">
> >   <if_group>syscheck</if_group>
> >   <match>:\Program Files (x86)\ossec-agent\shared\agent.conf$</match>
> >   <group>win_agent.conf_changed</group>
> >   <description>Windows agent.conf File Changed</description>
> > </rule>
> >
> >
> > When I make a change to agent.conf on the server, it pushes the change to the client, but the agent is not restarted. Can anyone indicate where the problem may be?
> >
>
> Does the agent detect the change (is the correct hash in the syscheck db on the server)? Is AR enabled on the agent?
>
> > Thanks!
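Added example, not part of the original thread: a Python check for the question asked above, whether a file's current MD5 is recorded in the syscheck db. The field layout in the regex is inferred from the entries quoted in the thread and is an assumption, the function names are hypothetical, and `SAMPLE` holds the four entries exactly as posted.

```python
import hashlib
import re

# Entry layout inferred from the lines quoted in the thread (an assumption):
# <3 flag chars><size>:<perm>:<uid>:<gid>:<md5>:<sha1> !<epoch> <path>
ENTRY = re.compile(
    r"^(?P<flags>[+#!]{3})(?P<size>\d+):(?P<perm>\d+):(?P<uid>\d+):(?P<gid>\d+)"
    r":(?P<md5>[0-9a-f]{32}):(?P<sha1>[0-9a-f]{40}) !(?P<epoch>\d+) (?P<path>.+)$"
)

# The four entries posted in the thread, copied unchanged.
SAMPLE = """\
#++7771:33056:0:999:c7ec0b76a893d45bd5bca7e41460fdc0:d4fa0a53abacae5874fea3b728a90f53309b1386 !1452609712 /var/ossec/etc/shared/agent.conf
#++7713:33056:0:999:bc9b5870c5f02a2057f9ca2a98223d2b:5660d35c73cb91427951297f891a8dce2171baf2 !1452611210 /var/ossec/etc/shared/agent.conf
#!+7597:33056:0:999:60f946976a7e123d4039cacb334eebdf:e849702ac9b06a3daab54028a86bdb901a5e01e6 !1452618137 /var/ossec/etc/shared/agent.conf
!!!7616:33056:0:999:88ab90aad2b886a896963eab9483c6ae:cd3e04ca6692a9c33326b4e02e7060fd508bfd1a !1452650958 /var/ossec/etc/shared/agent.conf
"""
PATH = "/var/ossec/etc/shared/agent.conf"

def parse_entries(db_text, path):
    """Return every well-formed entry recorded for `path`, in file order."""
    entries = []
    for line in db_text.splitlines():
        m = ENTRY.match(line.strip())
        if m and m.group("path") == path:
            entries.append(m.groupdict())
    return entries

def md5_of_file(file_path):
    """MD5 of the file on disk, read in chunks (same value md5sum prints)."""
    digest = hashlib.md5()
    with open(file_path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def hash_status(db_text, path, current_md5):
    """Classify `current_md5` as 'latest', 'older' or 'missing' for `path`."""
    recorded = [e["md5"] for e in parse_entries(db_text, path)]
    if recorded and recorded[-1] == current_md5.lower():
        return "latest"
    return "older" if current_md5.lower() in recorded else "missing"

if __name__ == "__main__":
    # md5sum output from the thread; on a live system use md5_of_file(PATH).
    print(hash_status(SAMPLE, PATH, "a8bf8d66f2bb034515ebbb882e1b7c94"))
```

A result of `missing` means no scan has recorded the file's current contents yet; `older` means the file matches a previously recorded version rather than the most recent one.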
