On Wed, Feb 1, 2017 at 1:12 PM,  <[email protected]> wrote:
> Just a note, I have had /var/ossec/etc/shared/agent.conf go from having
> content back to being blank a number of times here without having any
> interaction on the server. Has anyone else experienced this?
>

Did you install OSSEC from source, or from a package?

> On Wednesday, February 1, 2017 at 12:38:44 PM UTC-5, dan (ddpbsd) wrote:
>>
>> On Wed, Feb 1, 2017 at 12:25 PM,  <[email protected]> wrote:
>> > Hello All,
>> >
>> > I am currently working on a central ossec.conf file which contains our
>> > Windows and Linux configurations for all clients. Here are a few background
>> > details:
>> >
>> > 1. We currently only have a few Linux deployments and roughly 6 Windows
>> > deployments as a POC
>> > 2. All clients have a custom config, specific to Windows or Linux
>> >
>> > Now, I'd like to manage clients going forward with a central config file
>> > using agent.conf within /var/ossec/etc/shared. I've followed these steps:
>> >
>> > 1. Created an agent.conf file, and ran verify-agent-conf without any issues.
>> > 2. Ran MD5SUM against the agent.conf and noted hash
>> > 3. Ran agent-control -R <ID> against a few clients
>> > 4. Ran agent-control -i <ID> and verified that the MD5 changed to match the agent.conf hash
>> > 5. I review the agent.conf file on a Windows client that had updated and it is blank
>> > 6. I review the merged.mg file on the same client and I do see within the file that the custom agent.conf from the server is present
>> > 7. I go back to the /var/ossec/etc/shared/agent.conf and now see that it is completely blank with a different MD5
>> >
>> > Can anyone explain why the agent.conf on the server would have the content
>> > removed? My guess is that if the client doesn't have this info in the
>> > agent.conf that it is only reading their local ossec.conf file?
>> >
>> > As a side note, do I need to re-deploy a new ossec.conf to clients out there
>> > with only the server IP configuration or will OSSEC merge the config with
>> > the agent.conf on the server?
>> >
>>
>> There shouldn't be anything in ossec that will blank the agent.conf on
>> the server.
>> If there is no agent.conf, the agent will use the ossec.conf.
>> The running configuration merges the ossec.conf and agent.conf.
>>
>> > Thanks all for the help!
>> >
>> > Eric
>> >
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google
>> > Groups
>> > "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send
>> > an
>> > email to [email protected].
>> > For more options, visit https://groups.google.com/d/optout.
>
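
The comparison in steps 2 to 6 of the quoted report can be scripted. The following is an added example, not part of the original thread and not OSSEC's own code: it splits a merged.mg blob into its files and reports whether the embedded agent.conf is missing, empty, or matches the MD5 noted on the server. The merged.mg layout (a `!<size> <name>` header line followed by that many bytes, with `#` lines as comments), the function names and all sample data are assumptions.

```python
import hashlib

def unmerge(data: bytes) -> dict:
    """Split a merged.mg blob into {name: content}. Assumed layout: header line
    '!<size> <name>', then <size> bytes; '#' lines between files are comments."""
    files, pos = {}, 0
    while pos < len(data):
        eol = data.find(b"\n", pos)
        eol = len(data) if eol == -1 else eol
        line, pos = data[pos:eol], eol + 1
        if not line.strip() or line.startswith(b"#"):
            continue
        if not line.startswith(b"!"):
            raise ValueError(f"unexpected line: {line[:40]!r}")
        size_s, _, name = line[1:].partition(b" ")
        size = int(size_s)
        body = data[pos:pos + size]
        if len(body) != size:  # file cut short in transfer
            raise ValueError(f"{name.decode()}: {len(body)} of {size} bytes")
        files[name.decode()] = body
        pos += size
    return files

def agent_conf_status(merged: bytes, expected_md5: str) -> str:
    """Return 'missing', 'empty', 'mismatch' or 'match' for agent.conf."""
    conf = unmerge(merged).get("agent.conf")
    if conf is None:
        return "missing"
    if not conf.strip():
        return "empty"
    ok = hashlib.md5(conf).hexdigest() == expected_md5.lower()
    return "match" if ok else "mismatch"

# Constructed sample data, not taken from the thread.
SAMPLE_CONF = (b'<agent_config os="Windows">\n'
               b'  <localfile>\n    <location>Security</location>\n'
               b'    <log_format>eventlog</log_format>\n  </localfile>\n'
               b'</agent_config>\n')
EXPECTED_MD5 = hashlib.md5(SAMPLE_CONF).hexdigest()  # the hash noted on the server

def build_sample(conf: bytes) -> bytes:
    """Build a constructed merged.mg holding agent.conf plus one other file."""
    other = b"# body that starts with '#', consumed by size\n"
    return (b"# constructed sample\n" + b"!%d agent.conf\n" % len(conf) + conf
            + b"!%d sample_rcl.txt\n" % len(other) + other)

if __name__ == "__main__":
    print(agent_conf_status(build_sample(SAMPLE_CONF), EXPECTED_MD5))
```

An "empty" result for a merged.mg whose hash already changed points at the server-side agent.conf having been blank when the bundle was built, which is the state described in step 7.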
