On Wed, Nov 23, 2011 at 4:47 AM, alsdks <[email protected]> wrote:
> Yes, I got it to work eventually, get the agent.conf working that is.
>
> About the agent-control commands, I can query for information the
> Windows agent but I cannot restart it.
>
> Active-response must be enabled for this?
>

Yes, active response is required for restarting the OSSEC processes remotely.

> Thank you
>
> On Nov 17, 10:46 pm, "dan (ddp)" <[email protected]> wrote:
>> On Thu, Nov 10, 2011 at 9:13 AM, alsdks <[email protected]> wrote:
>> > Hello,
>>
>> > Another starter's question. I am trying to make agent.conf work but
>> > with no luck so far.
>> > I have created the /var/ossec/etc/shared/agent.conf with the following
>> > entries:
>>
>> > <agent_config name="windows7">
>> >   <syscheck>
>> >     <frequency>72000</frequency>
>> >     <directories check_all="yes">c:\test\</directories>
>> >   </syscheck>
>> > </agent_config>
>>
>> > <agent_config name="solar1">
>> >   <syscheck>
>> >     <frequency>72000</frequency>
>> >     <directories check_all="yes">/opt/test</directories>
>> >   </syscheck>
>> > </agent_config>
>>
>> > The agent.conf does get copied on target machines (a Windows system
>> > and a Solaris one) successfully with no errors. However, ossec.log in
>> > either system is not indicating that it is monitoring the directories
>> > specified in agent.conf. And changes are not caught.
>>
>> > Am I missing something?
>>
>> The agent names of these systems are "windows7" and "solar1"? Did you
>> restart the OSSEC processes after the agent.conf was copied to the
>> agent?
>>
>> > Oh and a couple of questions\notes:
>>
>> > - agent_control -R does not seem to do anything against Windows
>> > platforms. In fact nothing of agent_control works against Windows? Is
>> > there a port that needs to be opened on the target system? (server
>> > side 1514 is open and in general I haven't anything blocking it). Or
>> > it does not work against Windows, period?
>>
>> Is active-response enabled on the Windows agent?
>>
>> > - agent.conf and ossec.conf of each system are combined. What happens
>> > when values are contradicting?
>> > Does agent.conf override local configurations?
>>
>> I think ossec.conf wins, but I can't remember. It shouldn't be too hard to
>> test.
>>
>> > Thank you!
>
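The name check raised in the reply above can be done offline before restarting any agent. The following is an added example, not part of the original thread or of OSSEC itself: it lists which `<agent_config>` blocks of a shared agent.conf apply to a given agent name and which syscheck directories they add. The function names are hypothetical, the sample file is constructed from the one quoted in the thread, and the matching rule (exact, case-sensitive comparison on `name`, with `os` and `profile` attributes ignored) is an assumption of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the agent.conf quoted in the thread.
SAMPLE_AGENT_CONF = r"""
<agent_config name="windows7">
  <syscheck>
    <frequency>72000</frequency>
    <directories check_all="yes">c:\test\</directories>
  </syscheck>
</agent_config>

<agent_config name="solar1">
  <syscheck>
    <frequency>72000</frequency>
    <directories check_all="yes">/opt/test</directories>
  </syscheck>
</agent_config>
"""

def blocks_for_agent(conf_text, agent_name):
    """Return the syscheck settings of every <agent_config> block that
    applies to agent_name. Raises ET.ParseError on malformed XML."""
    # agent.conf has several top-level elements, so wrap it in one root.
    root = ET.fromstring("<root>" + conf_text + "</root>")
    matched = []
    for block in root.findall("agent_config"):
        name = block.get("name")
        # Assumption: exact, case-sensitive match; no name means all agents.
        if name is not None and name != agent_name:
            continue
        for sc in block.findall("syscheck"):
            matched.append({
                "frequency": (sc.findtext("frequency") or "").strip(),
                "directories": [
                    (d.text or "").strip() for d in sc.findall("directories")
                ],
            })
    return matched

def check(conf_text, agent_names):
    """Map each agent name to its matching blocks; an empty list means the
    shared file adds nothing for that agent."""
    return {n: blocks_for_agent(conf_text, n) for n in agent_names}

if __name__ == "__main__":
    for agent, blocks in check(SAMPLE_AGENT_CONF, ["windows7", "Solar1"]).items():
        print(agent, blocks or "NO MATCHING BLOCK")
```

An empty result for an agent, as for the constructed name `Solar1` here, means the file was delivered but none of its blocks is addressed to that agent.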
