On Tue, Sep 5, 2017 at 4:21 PM, Leroy Tennison <[email protected]> wrote:

> Just beginning to use OSSEC and going through a trial-and-error process
> setting up a configuration for an internal application. Searched for this
> before posting and ended up with more questions than answers.
>
> https://groups.google.com/forum/#!msg/ossec-list/8P52JbzyOPg/pGGI-6_KrD0J;context-place=forum/ossec-list
> posed my question but the context leaves more questions:
>
> I realize
> http://ossec-docs.readthedocs.io/en/latest/cookbooks/recipes/ar-agent-conf-restart.html
> is user contributed but its reference to restart-ossec.sh seems incomplete
> because there's no parameter and running restart-ossec.sh without parameters

ossec-execd will run the configured script with some parameters. I forget what they are by default, probably just dashes for that script.

> produces an error (on v 2.9.2). Second, restart-ossec.sh appears to deal
> with updates to hosts.deny, did they just borrow the script? Third, this

It's a general script to restart the OSSEC processes.

> URL restarts OSSEC on the manager but how does that cause a restart on the
> agents (which seems necessary to get agent.conf updated on them)?
> https://ossec.github.io/docs/syntax/head_ossec_config.active-response.html#element-location

'local' in this context means the agent that generated the log message. So in this case it would be the agent whose agent.conf was replaced.

> Maybe answering an alternate question is more appropriate, if I need to
> update agent.conf, what are the steps I need to take to successfully
> propagate the change? (These questions are coming from the bottom of

Restart the OSSEC processes on the agent.

> https://ossec.github.io/docs/manual/syscheck/index.html since the situation
> seems similar) Does the OSSEC manager's processes need to be stopped then
> restarted after clearing the agent's database and, following that, a
> syscheck scan launched on the agent?
>

If you are going to clear a syscheck database, you should stop the manager before doing it. This isn't an everyday sort of action though, I've only done it a handful of times (mostly while testing things, I think).

> Thanks for clearing up the confusion.
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
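The reply above says ossec-execd hands the active-response script some parameters and that `local` means the agent that produced the alert. The script below is an added example for this thread, not OSSEC's own restart-ossec.sh and not part of the original mail. It assumes, as a labelled assumption rather than something the thread confirms, that ossec-execd invokes the script as `script <action> <user> <srcip> <alert-id> <rule-id> <agent-name> <filename>`, passing `add` when the rule fires and `delete` when the response times out, and that OSSEC is installed under `/var/ossec`. It logs every invocation with its arguments labelled, so the "what parameters does execd pass?" question answers itself from the log, and only restarts the local OSSEC processes on `add`, so a timeout-driven `delete` call cannot trigger a second restart.

```shell
#!/bin/sh
# Added example for the thread above, not OSSEC's own restart-ossec.sh.
# Assumptions (not confirmed by the thread): ossec-execd invokes an
# active-response script as
#   script <action> <user> <srcip> <alert-id> <rule-id> <agent-name> <filename>
# with "add" when the rule fires and "delete" when the response times out,
# and OSSEC is installed under /var/ossec.

OSSEC_HOME="${OSSEC_HOME:-/var/ossec}"
AR_LOG="${AR_LOG:-$OSSEC_HOME/logs/active-responses.log}"
# Point OSSEC_CONTROL at "echo" to exercise the script on a box without OSSEC.
OSSEC_CONTROL="${OSSEC_CONTROL:-$OSSEC_HOME/bin/ossec-control}"

# True only for the "add" action: a "delete" call (timeout expiry) must not
# restart the agent a second time.
should_restart() {
    [ "$1" = "add" ]
}

# Label every positional argument so the log shows exactly what execd passed.
# Missing arguments are shown as "-" rather than as empty fields.
summarize_args() {
    printf 'action=%s user=%s srcip=%s alert=%s rule=%s agent=%s file=%s' \
        "${1:--}" "${2:--}" "${3:--}" "${4:--}" "${5:--}" "${6:--}" "${7:--}"
}

# Log the invocation, then restart the local OSSEC processes on "add" only.
# With <location>local</location> this runs on the agent that produced the
# syscheck alert, i.e. the one whose agent.conf was replaced.
restart_agent() {
    if should_restart "$1"; then
        printf '%s %s: %s -> restarting\n' "$(date)" "$0" "$(summarize_args "$@")" >> "$AR_LOG"
        "$OSSEC_CONTROL" restart
    else
        printf '%s %s: %s -> ignored\n' "$(date)" "$0" "$(summarize_args "$@")" >> "$AR_LOG"
        return 0
    fi
}

# Only act when ossec-execd (or a tester) passes arguments.
if [ $# -gt 0 ]; then
    restart_agent "$@"
fi
```

To try it without touching a live install, run it with `OSSEC_CONTROL=echo AR_LOG=/tmp/ar.log sh restart-agent.sh add - - <alert-id> <rule-id> <agent> /var/ossec/etc/shared/agent.conf` and read `/tmp/ar.log`; the `<command>`/`<active-response>` entries that wire the script to the syscheck rule for agent.conf still go in ossec.conf as the cookbook recipe describes.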
