I've found that restarting the OSSEC server and also restarting the OSSEC agents (not through agent_control but locally) results in agent.conf getting pushed out fastest. Side question on that: with restarting through agent_control, you need to enable active response, right?
On Thu, Sep 30, 2010 at 9:35 AM, dan (ddp) <ddp...@gmail.com> wrote:
> On Thu, Sep 30, 2010 at 12:31 PM, Chris Decker <deckmo...@gmail.com> wrote:
> > All,
> >
> > Is there an easy way to force the OSSEC server to immediately push out the
> > latest copy of the <snip>/etc/shared/agent.conf? Even after restarting the
> > OSSEC server and forcing a restart using agent_control it seems to take
> > forever.
>
> Nope, it is what it is. If you need it pushed out faster, consider
> rolling it into a configuration management setup.
>
> > Also, is there a good way to troubleshoot when the agent.conf doesn't arrive
> > on the agents after a long period of time? For example, if the permissions
> > on the agent.conf file prevent OSSEC from reading the file, is that written
> > somewhere? I'm having an issue where 1 of my 4 agents never receives the
> > agent.conf, even though it can communicate with the OSSEC server, and can't
> > find a good way to troubleshoot.
>
> Make sure everything is running the same version (preferably a recent
> one). Check permissions on both the working and non-working systems.
> Try running various daemons in debug mode (-d flag). Make sure there
> aren't junk directories in the ossec/etc/shared directory.
>
> > Thanks,
> > Chris