Hello All,

Taking some advice on this list, I converted all my agents to a
minimal ossec.conf (just the server IP). Inside the agent.conf
file on the server, I have my entire configuration. This is working
quite nicely now, but I have one nagging issue. I keep getting
alerts regarding file changes that should be ignored. I have checked
and double-checked the ignore rules for syntax errors
in the file name, and still the alerts come in.

Example:

<agent_config name="myhost1|myhost2">
  <syscheck>
    <frequency>86400</frequency>
    <directories check_all="yes">/mnt,/nsr,/usr,/bin,/sbin,/lib,/etc,/root,/boot</directories>
    <ignore>/nsr/logs</ignore>
  </syscheck>
</agent_config>

I do not have this issue on new agents. Checksum of agent.conf has
been verified with agent_control. Manual deletion of
file entries from /var/ossec/queue/syscheck/(hostname file) and
client/server restarts but still the ignored entries get added back to
the file.

-Reggie
