Did you restart the agents after changing the ossec.conf and agent.conf?
Syscheckd reads its configuration once at startup, and then runs in an
infinite loop.  If the config changes, you will need to restart the process.


On Thu, Jul 7, 2011 at 5:03 PM, reg <regoma...@gmail.com> wrote:

> Hello All,
>
> Taking some advice on this list, I converted all my agents to a
> minimal ossec.conf (just the server IP). Inside the agent.conf
> file on the server, I have my entire configuration. This is working
> quite nicely now, but I have one nagging issue. I keep getting
> alerts regarding file changes that should be ignored. I have checked
> and double-checked the ignore rules for syntax errors
> in the file name, and still the alerts come in.
>
> Example:
>
> <agent_config name="myhost1|myhost2">
>   <syscheck>
>     <frequency>86400</frequency>
>     <directories check_all="yes">/mnt,/nsr,/usr,/bin,/sbin,/lib,/etc,/root,/boot</directories>
>     <ignore>/nsr/logs</ignore>
>   </syscheck>
> </agent_config>
>
> I do not have this issue on new agents. Checksum of agent.conf has
> been verified with agent_control. Manual deletion of
> file entries from /var/ossec/queue/syscheck/(hostname file) and
> client/server restarts but still the ignored entries get added back to
> the file.
>
> -Reggie
