>> Verify that the agent processes were restarted after the agent.conf was pushed.

Not sure how to do this (bear with me). Once I made a change to agent.conf on the server, after a long time I see that the same agent.conf shows up in /var/ossec/etc/shared/agent.conf (on the agent). Verified by running agent_control -i ... on the server as well; that tells me there is no difference in the hash of the file on the server and on the agent.

On the side I had already put this in place >> http://devio.us/~ddp/ossec/docs/cookbooks/recipes/ar-agent-conf-restart.html#

Here is my part of the config (similar to the doc):

From Server - /var/ossec/rules/local_rules.xml

  <rule id="100050" level="1">
    <if_group>syscheck</if_group>
    <match>/var/ossec/etc/shared/agent.conf</match>
    <description>agent.conf was modified</description>
  </rule>

From Server - /var/ossec/etc/ossec.conf

  <command>
    <name>restart-ossec</name>
    <executable>restart-ossec.sh</executable>
    <expect></expect>
  </command>

  <active-response>
    <!-- This response will restart ossec on agents when
         rule 100050 (local rule) hits, i.e. there is
         a change in the central agent.conf file. -->
    <command>restart-ossec</command>
    <location>local</location>
    <rules_id>100050</rules_id>
  </active-response>

FYI - these sections of config don't exist on the agent, only in the server's ossec.conf. Please let me know if these sections need to be on the agent as well (which I highly doubt, since there are no rules on the agent).

>> Make sure the agent.conf was actually updated properly.

Yep, I see that the agent.conf gets successfully replicated to the agents from the HID server (based on comparing the hash from the server as well).

>> Double check to make sure that the agent you're testing on should actually be using the block you've defined in agent.conf.

> <agent_config>
>   <syscheck>
>     <alert_new_files>yes</alert_new_files>
>     <!-- Directories to check (perform all possible verifications) -->
>     <directories check_all="yes">/home</directories>
>     <ignore type="sregex">.log$|.tmp</ignore>
>     <ignore>/etc/motd</ignore>
>     <ignore>/home/mysql</ignore>
>     <ignore>/home/mongodb</ignore>
>     <ignore>/home/backups</ignore>
>   </syscheck>
> </agent_config>

This config is fairly generic, to load the /home folder for file monitoring. Every agent has it and requires it.

Regards
AJ

On Thursday, March 20, 2014 6:20:16 AM UTC-7, dan (ddpbsd) wrote:
> On Wed, Mar 19, 2014 at 4:32 PM, Anuj AJ <[email protected]> wrote:
> > Greetings.
> >
> > Went through other information about managing centralized agent.conf through
> > the ossec HID server.
> > It has successfully been able to update the agent.conf on the agents
> > (although it takes some time, which is fine).
> >
> > Here is the problem -
> >
> > This is my agent.conf -
> >
> > <agent_config>
> >   <syscheck>
> >     <alert_new_files>yes</alert_new_files>
> >     <!-- Directories to check (perform all possible verifications) -->
> >     <directories check_all="yes">/home</directories>
> >     <ignore type="sregex">.log$|.tmp</ignore>
> >     <ignore>/etc/motd</ignore>
> >     <ignore>/home/mysql</ignore>
> >     <ignore>/home/mongodb</ignore>
> >     <ignore>/home/backups</ignore>
> >   </syscheck>
> > </agent_config>
> >
> > The ossec.conf on the AGENT is the generic conf that comes out of the box,
> > and I'm trying to push other requirements through agent.conf from the server.
> >
> > Although I do get alerts from ossec about changes made to files / new files
> > added to the system in generic folders (through the generic config) - /etc,
> > /sbin etc. etc. - I am not getting any changes from the /home folder on the
> > agents, about new files added or files changed.
> >
> > Help regarding this would be highly appreciated :)
> >
> Verify that the agent processes were restarted after the agent.conf was pushed.
> Make sure the agent.conf was actually updated properly.
> Double check to make sure that the agent you're testing on should
> actually be using the block you've defined in agent.conf.
>
> > Thanks
> > AJ
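An added Python example, not from this thread and not OSSEC's own code, for dan's third check (which agent.conf blocks an agent actually receives): it parses a constructed shared agent.conf, honours the name, os and profile attributes on each agent_config block, and lists the syscheck directories a given agent would load. The matching rules (exact name, regex search for os and profile) and the synthetic root element wrapped around the file are my assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample shared agent.conf (not from the thread): one block with no
# attributes that every agent gets, one pinned to an agent name, one by os+profile.
AGENT_CONF = """<agent_config>
  <syscheck>
    <alert_new_files>yes</alert_new_files>
    <directories check_all="yes">/home</directories>
    <ignore type="sregex">.log$|.tmp</ignore>
  </syscheck>
</agent_config>
<agent_config name="web01">
  <syscheck><directories check_all="yes">/var/www</directories></syscheck>
</agent_config>
<agent_config os="Linux" profile="db">
  <syscheck><directories check_all="yes">/var/lib/mysql,/home/mysql</directories></syscheck>
</agent_config>"""


def block_applies(block, agent):
    """True if this <agent_config> block targets the given agent.

    Assumed rules (my reading of OSSEC, not its code): no attributes means
    every agent; name must match exactly; os and profile are regex-searched
    against the agent's values; all attributes present must match.
    """
    name = block.get("name")
    if name is not None and name != agent["name"]:
        return False
    for attr in ("os", "profile"):
        pattern = block.get(attr)
        if pattern is not None and not re.search(pattern, agent.get(attr, "")):
            return False
    return True


def syscheck_directories(agent_conf_text, agent):
    """List the syscheck <directories> entries this agent would actually load."""
    # agent.conf may hold several top-level <agent_config> elements, which is not
    # well-formed XML by itself, so wrap it in a synthetic root before parsing.
    root = ET.fromstring("<root>" + agent_conf_text + "</root>")
    dirs = []
    for block in root.findall("agent_config"):
        if not block_applies(block, agent):
            continue
        for entry in block.findall("syscheck/directories"):
            # A single <directories> element may carry a comma-separated list.
            dirs.extend(p.strip() for p in entry.text.split(","))
    return dirs
```

Run it against the real /var/ossec/etc/shared/agent.conf with the agent's registered name, uname string and config_profile to see whether the /home block is among those it would load.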
