Re: [ossec-list] Removing agent by deleting line in client.keys?
Ok, thanks Pedro. I have changed the role to use 'manage_agents -r' and to restart the ossec server. Much nicer. -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [ossec-list] Removing agent by deleting line in client.keys?
Hi Barry, You can run manage_agents with option "-r" and it will remove an agent, so you can create some scripts to automatize the process. /var/ossec/bin/manage_agents -r AGENTID OSSEC has internally a hash table with client.keys table, removing manually from client.keys or using manage_agents -r in both cases you will need to restart OSSEC Manager to apply changes. On Monday, February 22, 2016 at 7:21:57 AM UTC+1, Barry Kaplan wrote: > > Thanks! Of course it would be much nicer manage_agents was a little nicer > to automation... > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [ossec-list] Removing agent by deleting line in client.keys?
Thanks! Of course it would be much nicer manage_agents was a little nicer to automation... -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [ossec-list] Removing agent by deleting line in client.keys?
Short answer yes, deleting it from client.keys is enough. On the other hand, although it is not necessary, there are also some residual files you might want to delete as well. Those are in /var/ossec/queue/rids (message counters), /var/ossec/queue/syscheck (fim database), /var/ossec/queue/rootcheck (rootchecks database) and /var/ossec/queue/agent-info. Look for the files specific to your agent, do not delete everything in those directories. Best On Sun, Feb 21, 2016 at 6:59 AM, Barry Kaplanwrote: > Can I remove a registered agent by simply deleting the line in > client.keys? That is, skipping the manage_agents program? > > I am just adding the last few edge cases to our ansible provisioning of > ossec. My current edge case is when an > instance has been destroyed and rebuilt. In this case the name would be > the same but the IP address will > almost certainly be different (this is on AWS). > > It would be way way easier to remove the line from client.keys that figure > out to automate manage_agents. > It seems that the environment variable mechanism does not support removing > agents. > > -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to ossec-list+unsubscr...@googlegroups.com. > For more options, visit https://groups.google.com/d/optout. > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[ossec-list] Removing agent by deleting line in client.keys?
Can I remove a registered agent by simply deleting the line in client.keys? That is, skipping the manage_agents program? I am just adding the last few edge cases to our ansible provisioning of ossec. My current edge case is when an instance has been destroyed and rebuilt. In this case the name would be the same but the IP address will almost certainly be different (this is on AWS). It would be way way easier to remove the line from client.keys that figure out to automate manage_agents. It seems that the environment variable mechanism does not support removing agents. -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.