On Mon, Jan 16, 2012 at 4:09 PM, tao_zhyn <[email protected]> wrote:
> I am testing out Centralized agent configuration to a Windows machine.
>
> Setup
> =====
> Manager:
> * CentOS 5
> * OSSEC v2.6
> * Created and modified /var/ossec/etc/shared/agent.conf
> * For testing purposes I copied everything from the windows ossec.conf
> "Default Configuration" to the agent.conf.
> * Modified permissions as follows:
> -rw-r--r-- 1 root ossec 902 Jan 16 09:59 agent.conf
>
> Agent:
> * Windows 2003
> * Windows agent version 2.6
> * Installed and running as expected
>
>
> From the documentation,
> http://www.ossec.net/doc/manual/agent/agent-configuration.html
> it is not entirely clear how this works.
>
> At first I was waiting for C:\Program Files\ossec-agent\ossec.conf to
> be modified after trying to push out the configuration from the
> manager (restarted the manager and forced an integrity/rootkit check on
> the client).  I thought it would replace the content in C:\Program
> Files\ossec-agent\ossec.conf with the applicable configuration
> settings in /var/ossec/etc/shared/agent.conf.
>

At no point did I see anything in the documentation that suggested
ossec.conf would be modified. Which part of the doc gave you this
impression? I can try to work on making it better.

> I finally realized that it copies /var/ossec/etc/shared/agent.conf to
> C:\Program Files\ossec-agent\shared\agent.conf.  So it looks like it
> is working.
> This would explain why I see the following error message:
> 2012/01/16 08:55:54 ossec-agent(1756): ERROR: Duplicated directory given: 'C:\WINDOWS/win.ini'.
>
> Does this mean the windows agent loads both ossec.conf and shared/
> agent.conf?
> If so, which one has precedence? For example, if I have
> "<frequency>72000</frequency>" in ossec.conf and
> "<frequency>43200</frequency>" in shared/agent.conf, which setting gets applied?
>

I believe the ossec.conf version. I generally keep the ossec.conf on
agents as simple as possible, usually containing only the IP of the
manager.

>
> Bonus Question
> I also have the following WARNings in my log (on the windows machine):
>
> 2012/01/16 13:48:24 ossec-agent: INFO: Ending rootcheck scan.
> 2012/01/16 13:48:24 ossec-agent: INFO: Starting syscheck scan.
> 2012/01/16 13:55:03 ossec-agent: WARN: Unknown message received. No action defined.
> ....<repeated several times>
> 2012/01/16 13:55:05 ossec-agent: WARN: Unknown message received. No action defined.
> 2012/01/16 13:59:03 ossec-agent: INFO: Event count after '20000': 8179674->5417984 (66%)
> 2012/01/16 14:00:59 ossec-agent: INFO: Ending syscheck scan.
> 2012/01/16 14:01:45 ossec-agent: WARN: Unknown message received. No action defined.
> ...<repeated several times>
>
> This only started showing up after I started testing centralized agent
> configuration. If it helps I can post my agent.conf.
>
>

Other than these messages, is the agent working? Please post the
agent.conf; I've never seen these messages.

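Since the agent reads both its local ossec.conf and the pushed shared/agent.conf, the "Duplicated directory given" error above is easiest to catch before pushing. The following checker is an added example, not code from the thread or the OSSEC project; it parses both files and reports syscheck paths listed in each and a <frequency> that is set differently in the two. The sample configs are constructed, and the path normalization is our own conservative heuristic, not the agent's exact duplicate test.

```python
# Added example, not from the thread or the OSSEC project: report syscheck
# settings that appear in both the agent's ossec.conf and shared/agent.conf.
# OSSEC files may hold several top-level elements, so they are wrapped in a
# synthetic root before parsing. Sample configs are constructed.
import xml.etree.ElementTree as ET

OSSEC_CONF = r"""<ossec_config>
  <client><server-ip>192.0.2.10</server-ip></client>
  <syscheck>
    <frequency>72000</frequency>
    <directories check_all="yes">C:\WINDOWS/win.ini,C:\Program Files</directories>
  </syscheck>
</ossec_config>"""

AGENT_CONF = r"""<agent_config os="Windows">
  <syscheck>
    <frequency>43200</frequency>
    <directories check_all="yes">c:\windows\win.ini</directories>
    <directories>C:\Windows\System32</directories>
  </syscheck>
</agent_config>"""

def syscheck_settings(text):
    """Return ({normalized path: raw path}, [frequency strings]) for one file."""
    root = ET.fromstring("<root>" + text + "</root>")
    dirs, freqs = {}, []
    for sc in root.iter("syscheck"):
        for d in sc.findall("directories"):
            # <directories> holds a comma-separated list of paths.
            for raw in filter(None, (p.strip() for p in (d.text or "").split(","))):
                # Our own conservative normalization (Windows paths are
                # case-insensitive, either slash works); not the agent's rule.
                dirs[raw.replace("\\", "/").lower().rstrip("/")] = raw
        freqs += [f.text.strip() for f in sc.findall("frequency") if f.text]
    return dirs, freqs

def find_overlaps(local_conf, shared_conf):
    """Paths listed in both files, and whether <frequency> differs between them."""
    ldirs, lfreq = syscheck_settings(local_conf)
    sdirs, sfreq = syscheck_settings(shared_conf)
    duplicates = sorted(ldirs[k] for k in ldirs.keys() & sdirs.keys())
    return duplicates, bool(lfreq and sfreq and lfreq != sfreq)

if __name__ == "__main__":
    dups, freq_conflict = find_overlaps(OSSEC_CONF, AGENT_CONF)
    for path in dups:
        print("listed in both files:", path)
    if freq_conflict:
        print("<frequency> differs between ossec.conf and shared/agent.conf")
```

Run it against the real files by reading them into the two strings; a non-empty duplicate list is what produces the agent's "Duplicated directory given" error at startup.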