I am testing out Centralized agent configuration to a Windows machine.

Setup
=====

Manager:
* CentOS 5
* OSSEC v2.6
* Created and modified /var/ossec/etc/shared/agent.conf
* For testing purposes I copied everything from the windows ossec.conf "Default Configuration" to the agent.conf.
* Modified permissions as follows:
  -rw-r--r-- 1 root ossec 902 Jan 16 09:59 agent.conf

Agent:
* Windows 2003
* Windows agent version 2.6
* Installed and running as expected

From the documentation, http://www.ossec.net/doc/manual/agent/agent-configuration.html, it is not entirely clear how this works. At first I was waiting for C:\Program Files\ossec-agent\ossec.conf to be modified after trying to push out the configuration from the manager (restarted the manager and forced an integrity/rootkit check on the client). I thought it would replace the content in C:\Program Files\ossec-agent\ossec.conf with the applicable configuration settings in /var/ossec/etc/shared/agent.conf. I finally realized that it copies /var/ossec/etc/shared/agent.conf to C:\Program Files\ossec-agent\shared\agent.conf. So it looks like it is working.

This would explain why I see the following error message:

2012/01/16 08:55:54 ossec-agent(1756): ERROR: Duplicated directory given: 'C:\WINDOWS/win.ini'.

Does this mean the windows agent loads both ossec.conf and shared/agent.conf? If so, which one has precedence? For example, if I have "<frequency>72000</frequency>" in ossec.conf and "<frequency>43200</frequency>" in shared/agent.conf, which setting gets applied?

Bonus Question

I also have the following WARNings in my log (on the windows machine):

2012/01/16 13:48:24 ossec-agent: INFO: Ending rootcheck scan.
2012/01/16 13:48:24 ossec-agent: INFO: Starting syscheck scan.
2012/01/16 13:55:03 ossec-agent: WARN: Unknown message received. No action defined.
....<repeated several times>
2012/01/16 13:55:05 ossec-agent: WARN: Unknown message received. No action defined.
2012/01/16 13:59:03 ossec-agent: INFO: Event count after '20000': 8179674->5417984 (66%)
2012/01/16 14:00:59 ossec-agent: INFO: Ending syscheck scan.
2012/01/16 14:01:45 ossec-agent: WARN: Unknown message received. No action defined.
...<repeated several times>

This only started showing up after I started testing centralized agent configuration. If it helps I can post my agent.conf.
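The "Duplicated directory given" error in the post is what you get when the same syscheck directory is listed in both the agent's local ossec.conf and the pushed shared/agent.conf, since the agent reads both files. The script below is an added example, not code from the post or from the OSSEC project: it takes the two files, keeps only the <agent_config> blocks whose os attribute applies to the agent, and reports every <directories> entry present in both plus every scalar option (such as <frequency>) that is set to different values in each, so you can decide on one place for each setting before pushing. The sample ossec.conf and agent.conf contents are constructed for this example, the %WINDIR% value is a hypothetical stand-in for the agent's environment (the post's log shows C:\WINDOWS), and the path normalization is an approximation good enough to spot collisions, not a re-implementation of the agent's parser.

```python
"""Compare a local Windows ossec.conf against a pushed shared/agent.conf and
report the syscheck entries that collide once the agent has read both files.

Added example; assumes the agent merges the <syscheck> sections of both files,
which is what the post's "Duplicated directory given" error indicates.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed Windows ossec.conf with default-style entries.
OSSEC_CONF = """<ossec_config>
  <syscheck>
    <frequency>72000</frequency>
    <directories check_all="yes">%WINDIR%/win.ini</directories>
    <directories check_all="yes">%WINDIR%/system.ini</directories>
  </syscheck>
</ossec_config>
"""

# Constructed sample: a shared/agent.conf that repeats one default entry (as the
# post describes doing), plus a Linux-only block the Windows agent must ignore.
AGENT_CONF = """<agent_config os="Windows">
  <syscheck>
    <frequency>43200</frequency>
    <directories check_all="yes">%WINDIR%/win.ini,C:\\inetpub\\wwwroot</directories>
  </syscheck>
</agent_config>
<agent_config os="Linux">
  <syscheck>
    <directories check_all="yes">/etc,/bin</directories>
  </syscheck>
</agent_config>
"""

# Hypothetical environment for expanding %VAR% tokens; C:\WINDOWS matches the
# expanded path that appears in the post's error line.
ENV = {"WINDIR": "C:\\WINDOWS"}


def normalize(path):
    """Expand %VAR% tokens, fold forward slashes to backslashes and lower-case,
    so '%WINDIR%/win.ini' and 'c:\\windows\\win.ini' compare equal."""
    path = re.sub(r"%(\w+)%", lambda m: ENV.get(m.group(1), m.group(0)), path)
    return path.replace("/", "\\").rstrip("\\").lower()


def parse(xml_text, agent_os=None):
    """Return (directories, scalars) gathered from every <syscheck> block that
    applies to agent_os. OSSEC config files hold several top-level elements, so
    they are wrapped in a synthetic root before parsing. <agent_config> blocks
    whose os attribute names a different platform are skipped."""
    root = ET.fromstring("<root>%s</root>" % xml_text)
    dirs, scalars = [], {}
    for block in root:
        if block.tag == "agent_config":
            target = block.get("os")
            if agent_os and target and target.lower() != agent_os.lower():
                continue
        for syscheck in block.iter("syscheck"):
            for child in syscheck:
                if child.tag == "directories":
                    # OSSEC allows several comma-separated paths in one element.
                    for entry in (child.text or "").split(","):
                        if entry.strip():
                            dirs.append(normalize(entry.strip()))
                elif child.text and child.text.strip():
                    scalars[child.tag] = child.text.strip()
    return dirs, scalars


def find_collisions(local_conf, shared_conf, agent_os):
    """Return (duplicate_dirs, scalar_conflicts): directories listed in both
    files, and scalar options set to different values in each."""
    local_dirs, local_scalars = parse(local_conf, agent_os)
    shared_dirs, shared_scalars = parse(shared_conf, agent_os)
    duplicate_dirs = sorted(set(local_dirs) & set(shared_dirs))
    conflicts = {
        key: (local_scalars[key], shared_scalars[key])
        for key in local_scalars
        if key in shared_scalars and local_scalars[key] != shared_scalars[key]
    }
    return duplicate_dirs, conflicts


if __name__ == "__main__":
    dups, conflicts = find_collisions(OSSEC_CONF, AGENT_CONF, "Windows")
    for path in dups:
        print("directory listed in both ossec.conf and agent.conf: %s" % path)
    for key, (local, shared) in conflicts.items():
        print("<%s> set in both: ossec.conf=%s agent.conf=%s" % (key, local, shared))
```

Run against the constructed samples, it reports c:\windows\win.ini as listed twice (the same entry behind the post's error, after %WINDIR% expansion) and <frequency> as 72000 locally versus 43200 in the shared file; the Linux block contributes nothing when the agent platform is Windows. The practical fix it points at is to keep each directory and each scalar in exactly one of the two files, so the question of precedence never has to be answered by the agent.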
