This is the kind of thing that is likely better (easily)
implemented outside of the main ossec managers.
Maybe an external tool or cron.

I use the following shell script for example (added to cron to run
every 10min to restart ossec in case the IP changes):


#!/bin/sh
# Restart OSSEC when the IP address behind <server-hostname> changes.

# Hostname configured in ossec.conf.
mydomain=`grep "server-hostname>" /var/ossec/etc/ossec.conf | cut -d ">" -f 2 | cut -d "<" -f 1`
# First address the hostname currently resolves to.
myip=`host "$mydomain" | grep "has address" | head -n 1 | cut -d " " -f 4`

if [ "x$myip" = "x" ]; then
    echo "$0: DNS lookup failed."
    exit 1;
fi

# First run: no saved IP yet, so record it and restart.
if [ ! -f /tmp/oldossecip ]; then
    echo "$myip" > /tmp/oldossecip
    /var/ossec/bin/ossec-control restart
    exit 0;
fi

oldip=`cat /tmp/oldossecip`

# IP changed since the last run: record the new one and restart.
if [ ! "x$oldip" = "x$myip" ]; then
    echo "$myip" > /tmp/oldossecip
    /var/ossec/bin/ossec-control restart
    exit 0;
fi

exit 0;


Try it out and see if it works for you.



On Fri, Feb 26, 2016 at 10:32 PM, Barry Kaplan <[email protected]> wrote:
> Another question: My original scenario was when there was NO dns yet to
> resolve -- only later did the dns record get added. In that case, what I was
> seeing was the agent would keep issuing the error that it could
> not connect. But if the agent was not even able to resolve to an ip why
> would it bother to keep trying to connect?
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
