Give it a shot. I don't think it'll hurt anything.

On Fri, Aug 27, 2010 at 2:56 PM, blacklight <vphu...@yahoo.com> wrote:
> My ar.conf file has yet to appear after close to one hour. Do you want
> me to try with your method below?
>
>
> On Aug 27, 2:49 pm, "dan (ddp)" <ddp...@gmail.com> wrote:
>> I tried doing this and getting the file back took a bit. I ended up
>> creating a blank ar.conf (with correct permissions), restarting the
>> server and the agent. It eventually came back. Not sure if all of that
>> was necessary, I just didn't feel like waiting.
>>
>>
>>
>> On Fri, Aug 27, 2010 at 2:15 PM, blacklight <vphu...@yahoo.com> wrote:
>> > Letting you know that I moved the ar.conf file out of the shared
>> > directory of the mercury OSSEC agent host, and the listing below shows
>> > what I got for the shared directory:
>>
>> > [r...@mercury shared]# ls -l
>> > total 176
>> > -rwxrwx--- 1 root ossec 3764 Aug 27 14:00 agent.conf
>> > -rwxrwx--- 1 root ossec 9487 Aug 27 14:00 cis_debian_linux_rcl.txt
>> > -rwxrwx--- 1 root ossec 8184 Aug 27 14:00 cis_rhel5_linux_rcl.txt
>> > -rwxrwx--- 1 root ossec 14241 Aug 27 14:00 cis_rhel_linux_rcl.txt
>> > -rw-r--r-- 1 ossec ossec 77829 Aug 27 14:00 merged.mg
>> > -rwxrwx--- 1 root ossec 14925 Aug 27 14:00 rootkit_files.txt
>> > -rwxrwx--- 1 root ossec 5307 Jun 3 2009 rootkit_trojans.txt
>> > -rwxrwx--- 1 root ossec 0 Sep 2 2009 -svn
>> > -rwxrwx--- 1 root ossec 7975 Aug 27 14:00 system_audit_rcl.txt
>> > -rwxrwx--- 1 root ossec 4676 Aug 27 14:00 win_applications_rcl.txt
>> > -rwxrwx--- 1 root ossec 3853 Aug 27 14:00 win_audit_rcl.txt
>> > -rwxrwx--- 1 root ossec 4923 Aug 27 14:00 win_malware_rcl.txt
>>
>> > Note that the file ar.conf is completely missing.
>>
>> > Frustratingly enough, the contents of merged.mg show the contents
>> > (current and correct) of the ar.conf file on the OSSEC server host:
>>
>> > !203 ar.conf
>> > restart-ossec0 - restart-ossec.sh - 0
>> > restart-ossec0 - restart-ossec.cmd - 0
>> > firewall-drop600 - firewall-drop.sh - 600
>> > firewall-drop3600 - firewall-drop.sh - 3600
>> > win_nullroute600 - route-null.cmd - 600
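
Added example, not part of the thread and not OSSEC's own code: a check that splits merged.mg into its embedded files and reports which of them are missing from, or differ in, the agent's shared directory. It assumes each section starts with a `!<size> <name>` header followed by exactly that many bytes, which matches the 203 bytes of the ar.conf lines quoted above; `parse_merged`, `audit_shared` and the `example.txt` entry are hypothetical names.

```python
import os

def parse_merged(data: bytes) -> dict:
    """Split a merged.mg blob into {filename: content bytes}."""
    files, pos = {}, 0
    while pos < len(data):
        eol = data.find(b"\n", pos)
        if eol == -1 or data[pos:pos + 1] != b"!":
            raise ValueError(f"expected '!<size> <name>' header at offset {pos}")
        size_s, _, name = data[pos + 1:eol].partition(b" ")
        if not size_s.isdigit() or not name:
            raise ValueError(f"malformed header at offset {pos}")
        size = int(size_s)
        body = data[eol + 1:eol + 1 + size]
        if len(body) != size:
            raise ValueError(f"{name.decode()}: header says {size} bytes, got {len(body)}")
        # basename() keeps a crafted entry name from pointing outside shared/.
        files[os.path.basename(name.decode())] = body
        pos = eol + 1 + size
    return files

def audit_shared(merged: dict, shared_dir: str) -> dict:
    """Report each merged.mg entry as 'ok', 'differs' or 'missing' on disk."""
    report = {}
    for name, body in merged.items():
        path = os.path.join(shared_dir, name)
        if not os.path.isfile(path):
            report[name] = "missing"
            continue
        with open(path, "rb") as fh:
            report[name] = "ok" if fh.read() == body else "differs"
    return report

# Constructed sample: the ar.conf section quoted in the thread, plus one
# made-up entry so the parser has to step over a file to reach the next.
AR_CONF = (
    b"restart-ossec0 - restart-ossec.sh - 0\n"
    b"restart-ossec0 - restart-ossec.cmd - 0\n"
    b"firewall-drop600 - firewall-drop.sh - 600\n"
    b"firewall-drop3600 - firewall-drop.sh - 3600\n"
    b"win_nullroute600 - route-null.cmd - 600\n"
)
EXTRA = b"constructed entry\n"
SAMPLE = b"!203 ar.conf\n" + AR_CONF + b"!%d example.txt\n" % len(EXTRA) + EXTRA

if __name__ == "__main__":
    import sys
    shared = sys.argv[1] if len(sys.argv) > 1 else "."
    for name, state in audit_shared(parse_merged(SAMPLE), shared).items():
        print(f"{state:8} {name}")
```

To run it against a real agent, read the bytes of merged.mg from the shared directory and pass them to `parse_merged` in place of `SAMPLE`.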