How can the be done now? We have just moved to all central agents and need this feature to work.
Joe On Fri, Jul 29, 2011 at 18:21, dan (ddp) <ddp...@gmail.com> wrote: > Sorry for asking for the agent.conf. This is a change that was made. > Commands can no longer be configured through the agent.conf. > https://bitbucket.org/dcid/ossec-hids/changeset/392c217c553b > I'm not entirely sure why, but that's the way it is. > > On Fri, Jul 29, 2011 at 12:24 PM, BP9906 <crazi...@gmail.com> wrote: >> <agent_config os="Windows"> >> <syscheck> >> <!-- <frequency>31557600</frequency> --> >> <scan_time>01:15</scan_time> >> <scan_on_start>no</scan_on_start> >> >> </syscheck> >> >> <localfile> >> <log_format>full_command</log_format> >> <command>ver | find "5.0" >nul || reg QUERY HKLM\System >> \CurrentControlSet\Enum\USBSTOR</command> >> </localfile> >> >> <localfile> >> <log_format>full_command</log_format> >> <command>netstat -an | find "LISTEN" | find /V "127.0.0.1"</ >> command> >> </localfile> >> >> </agent_config> >> >> >> On Jul 29, 9:03 am, "dan (ddp)" <ddp...@gmail.com> wrote: >>> Can you provide the agent.conf? >>> >>> >>> >>> >>> >>> >>> >>> On Fri, Jul 29, 2011 at 11:32 AM, BP9906 <crazi...@gmail.com> wrote: >>> > Figured out that 2.6 doesnt like the full_command agent.conf section >>> > and thats a bug. Reverting to 2.5.1 resolves the issue. >>> >>> > On Jul 28, 9:04 am, BP9906 <crazi...@gmail.com> wrote: >>> >> Hello, >>> >> I added a few windows changes to the agent.conf file. After waiting a >>> >> few hours for the agent.conf to get updated, I restarted the agent and >>> >> noticed an odd error in the ossec.log: >>> >>> >> 011/07/28 08:44:33 ossec-agent: Received exit signal. >>> >> 2011/07/28 08:44:33 ossec-agent: Exiting... >>> >> 2011/07/28 08:44:33 ossec-agent: Remote commands are not accepted from >>> >> the manager. Ignoring it on the agent.conf >>> >> 2011/07/28 08:44:33 ossec-agent(1202): ERROR: Configuration error at >>> >> 'shared/agent.conf'. Exiting. >>> >> 2011/07/28 08:44:33 ossec-execd(1350): INFO: Active response disabled. >>> >> Exiting. >>> >> 2011/07/28 08:44:33 ossec-agent(1410): INFO: Reading authentication >>> >> keys file. >>> >>> >> Oddly enough, different machine with 2.5 does not show this and has >>> >> the same md5 agent.conf. >>> >>> >> I'm in process of downgrading the 2.6 agent to 2.5 and confirm >>> >> resolution. >>> >>> >> Any ideas whats going on here? > -- Registered Linux User # 379282