On Jun 26, 2012 6:30 AM, "sahil sharma" <[email protected]> wrote: > > Hi > > When I change config at client side, the OSSEC Agent Manager at client's status is always :stopped. > I tried re-installing, restarting it numerous times. > > Please help. >
How? You didn't provide the error messages or configuration. Without those 2 things all I can do to help is tell you to fix your configuration. Why are you making this so difficult? > On Mon, Jun 25, 2012 at 1:40 AM, dan (ddp) <[email protected]> wrote: >> >> >> On Jun 24, 2012 3:36 PM, "sahil sharma" <[email protected]> wrote: >> > >> > >> > >> > On Fri, Jun 22, 2012 at 3:58 PM, dan (ddp) <[email protected]> wrote: >> >> >> >> >> >> On Jun 22, 2012 6:16 AM, "sahil sharma" <[email protected]> wrote: >> >> >> >> >> >> >> >> >> This is for configuration changes, not rules: >> >> >> Your choice. If you want to use the agent.conf change it there. If you >> >> >> have a good change management system, changing the ossec.conf might be >> >> >> good enough. >> >> >> >> >> >> The OSSEC server does not use the agent.conf though, so if you're >> >> >> setting up something for the OSSEC server it'll have to be in that >> >> >> system's ossec.conf. >> >> >> >> >> > >> >> > (1) I have added following code to >var>ossec>etc>shared>agent.conf >> >> > >> >> >> >> As is documented in the full_command documentation, this has to go in the agent's ossec.conf. I apologize, I forgot about this restriction. >> > >> > >> > Please, clarify on this, I have to add the following code in agent's ossec.conf i.e I have a win7 agent so I must add it to >c>prog_files(x86)>ossec>ossec(config) ???? If yes, then do I need to put <agent_config os="Windows"> at start or not? >> > >> >> I guess that's the file. I don't do much with Windows. You do not need to add thar, since this isn't the agent.conf >> >> > 1) Do I need to remove this code from >var>ossec>etc>shared>agent.conf where I had previously added it? >> >> There's no good reason to have it there. >> >> > 2) Changing config at client side gives unusual problem in client's ossec agent which then display (check config:warning) when I >> > try to start/stop/restart the client ossec agent. >> >> What did you add? Where did you add it? Cryptically telling me you got an error doesn't do anyone any good. Maybe you should consult a sysadmin, or someone else with technical skills. >> >> > 3) Whats diff in adding in these two different files? >> >> >> >> > <agent_config os="Windows"> >> >> > >> >> > <localfile> >> >> > <log_format>full_command</log_format> >> >> > <command>reg QUERY HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR</command> >> >> > <alias>usb-check</alias> >> >> > </localfile> >> >> > >> >> > </agent_config> >> > >> > >> >> >> >> Regards,Sahil. >> > >> > > >
