On Jan 13, 2016 8:56 AM, <[email protected]> wrote:
>
> Hmm...no, the new hash does not appear in the syscheck db:
>
> #++7771:33056:0:999:c7ec0b76a893d45bd5bca7e41460fdc0:d4fa0a53abacae5874fea3b728a90f53309b1386 !1452609712 /var/ossec/etc/shared/agent.conf
> #++7713:33056:0:999:bc9b5870c5f02a2057f9ca2a98223d2b:5660d35c73cb91427951297f891a8dce2171baf2 !1452611210 /var/ossec/etc/shared/agent.conf
> #!+7597:33056:0:999:60f946976a7e123d4039cacb334eebdf:e849702ac9b06a3daab54028a86bdb901a5e01e6 !1452618137 /var/ossec/etc/shared/agent.conf
> !!!7616:33056:0:999:88ab90aad2b886a896963eab9483c6ae:cd3e04ca6692a9c33326b4e02e7060fd508bfd1a !1452650958 /var/ossec/etc/shared/agent.conf
>
> root@sonion-01:/var/ossec/queue/syscheck# md5sum /var/ossec/etc/shared/agent.conf
> a8bf8d66f2bb034515ebbb882e1b7c94 /var/ossec/etc/shared/agent.conf
>
> Do I need to wait until the syscheck runs on the server? If so, is there a way to expedite this?
>
Yes, syscheck has to check the file before the entry will be updated. You can set it to real time, but you might have to monitor the directory and not just the file. Restarting the agent may also kick off a syscheck scan.

> Thanks!
>
> On Wednesday, January 13, 2016 at 8:43:08 AM UTC-5, dan (ddpbsd) wrote:
>>
>>
>> On Jan 13, 2016 8:41 AM, <[email protected]> wrote:
>> >
>> > So....I've read in various places that it should be possible to define an active response to automatically restart the Windows OSSEC agent when a change to agent.conf is detected...but I can't get it to work!
>> >
>> > Here's what I have:
>> >
>> > ossec.conf (client, v2.8.3)
>> > **************************
>> > <syscheck>
>> > <directories check_all="yes">C:\Program Files (x86)\ossec-agent\shared\agent.conf</directories>
>> > </syscheck>
>> >
>> > <active-response>
>> > <disabled>no</disabled>
>> > </active-response>
>> >
>> > ossec.conf (server, v2.8.2)
>> > **************************
>> > <command>
>> > <name>restart-win-agent</name>
>> > <executable>restart-ossec.cmd</executable>
>> > <expect></expect>
>> > <timeout_allowed>no</timeout_allowed>
>> > </command>
>> >
>> > <active-response>
>> > <command>restart-win-agent</command>
>> > <location>local</location>
>> > <rules_group>win_agent.conf_changed</rules_group>
>> > </active-response>
>> >
>> >
>> > local_rules.xml (server)
>> > **************************
>> > <rule id="100001" level="7">
>> > <if_group>syscheck</if_group>
>> > <match>:\Program Files (x86)\ossec-agent\shared\agent.conf$</match>
>> > <group>win_agent.conf_changed</group>
>> > <description>Windows agent.conf File Changed</description>
>> > </rule>
>> >
>> >
>> > When I make a change to agent.conf on the server, it pushes the change to the client, but the agent is not restarted. Can anyone indicate where the problem may be?
>> >
>>
>> Does the agent detect the change (is the correct hash in the syscheck db on the server)? Is AR enabled on the agent?
>>
>> > Thanks!
>> >
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> > For more options, visit https://groups.google.com/d/optout.
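The check dan asks for above (is the new hash in the server's syscheck db yet?) can be scripted against the db lines quoted in the thread. This is an added example, not code from the thread or from OSSEC; it parses the four quoted entries (assuming the leading 3-character field is a status-flag prefix, which it keeps but does not interpret) and compares the newest entry's MD5 with the md5sum output.

```python
import hashlib
import re
from dataclasses import dataclass

# The four server-side syscheck db lines quoted in the thread (OSSEC 2.8 format). Assumption:
# the leading 3-character field holds status flags; it is kept but not interpreted here.
SAMPLE_DB = """\
#++7771:33056:0:999:c7ec0b76a893d45bd5bca7e41460fdc0:d4fa0a53abacae5874fea3b728a90f53309b1386 !1452609712 /var/ossec/etc/shared/agent.conf
#++7713:33056:0:999:bc9b5870c5f02a2057f9ca2a98223d2b:5660d35c73cb91427951297f891a8dce2171baf2 !1452611210 /var/ossec/etc/shared/agent.conf
#!+7597:33056:0:999:60f946976a7e123d4039cacb334eebdf:e849702ac9b06a3daab54028a86bdb901a5e01e6 !1452618137 /var/ossec/etc/shared/agent.conf
!!!7616:33056:0:999:88ab90aad2b886a896963eab9483c6ae:cd3e04ca6692a9c33326b4e02e7060fd508bfd1a !1452650958 /var/ossec/etc/shared/agent.conf
"""

LINE_RE = re.compile(
    r"^(?P<flags>[+!#]{3})(?P<size>\d+):(?P<perm>\d+):(?P<uid>\d+):(?P<gid>\d+):"
    r"(?P<md5>[0-9a-f]{32}):(?P<sha1>[0-9a-f]{40}) !(?P<seen>\d+) (?P<path>.+)$"
)

@dataclass
class Entry:
    flags: str
    size: int
    md5: str
    sha1: str
    seen: int  # epoch seconds stored after '!' (assumed: time of the scan that wrote the entry)
    path: str

def parse_db(text):
    """Parse db lines into Entry objects, skipping anything that does not match the format."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m["flags"], int(m["size"]), m["md5"], m["sha1"], int(m["seen"]), m["path"]))
    return entries

def latest_entry(entries, path):
    """Newest recorded state for one path, or None if the db has never seen it."""
    matches = [e for e in entries if e.path == path]
    return max(matches, key=lambda e: e.seen) if matches else None

def db_is_current(db_text, path, current_md5):
    """True when the newest db entry for path already carries the file's current MD5."""
    e = latest_entry(parse_db(db_text), path)
    return e is not None and e.md5 == current_md5.lower()

def md5_hex(data):
    """MD5 of in-memory file content, in the hex form md5sum prints."""
    return hashlib.md5(data).hexdigest()
```

Run against the thread's values, `db_is_current(SAMPLE_DB, "/var/ossec/etc/shared/agent.conf", "a8bf8d66f2bb034515ebbb882e1b7c94")` is False, confirming the db still holds the older hash until the next scan.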
