On Wed, Apr 27, 2016 at 10:54 AM, sandeep <sandeepgant...@gmail.com> wrote:
> Hello All,
>
> We used the auto_ignore option in agent.conf file and when the OSSEC service
> was started on the agents it stopped monitoring the directories saying
> "syscheck is disabled" in the ossec.log file.
>

According to the documentation the auto_ignore option is only valid on local and server installations:
https://ossec.github.io/docs/syntax/head_ossec_config.syscheck.html?highlight=auto_ignore

I don't believe the servers use the agent.conf.

> 2016/04/27 10:40:05 ossec-agent: Starting syscheckd thread.
> 2016/04/27 10:40:05 ossec-agent(1702): INFO: No directory provided for
> syscheck to monitor.
> 2016/04/27 10:40:05 ossec-agent: WARN: Syscheck disabled.
>
> Auto_ignore configuration in Agent.conf file:
>
> <agent_config os="Windows">
>   <syscheck>
>     <!-- Frequency that syscheck is executed - default to every 6 hours,
>     below - 604800 seconds is equal to 1 week, 64800 seconds is equal to 18
>     hours -->
>     <frequency>64800</frequency>
>     <auto_ignore>no</auto_ignore>
>
> When the auto_ignore option line was removed from the agent.conf file and
> restarted the OSSEC service the ossec.log file updated saying "monitoring
> directories" etc..
>
> I have the same configuration for Linux, Aix and Solaris too,
>
> <agent_config os="Linux">
>   <syscheck>
>     <!-- Frequency that syscheck is executed - default to every 6 hours,
>     below - 604800 seconds is equal to 1 week, 64800 seconds is equal to 18
>     hours -->
>     <frequency>64800</frequency>
>     <auto_ignore>no</auto_ignore>
>
> <agent_config os="SunOS">
>   <syscheck>
>     <!-- Frequency that syscheck is executed - default to every 6 hours,
>     below - 604800 seconds is equal to 1 week, 64800 seconds is equal to 18
>     hours -->
>     <frequency>64800</frequency>
>     <auto_ignore>no</auto_ignore>
>
> <agent_config os="AIX">
>   <syscheck>
>     <!-- Frequency that syscheck is executed - default to every 6 hours,
>     below - 604800 seconds is equal to 1 week, 64800 seconds is equal to 18
>     hours -->
>     <frequency>64800</frequency>
>     <auto_ignore>no</auto_ignore>
>
> Even though the same "auto_ignore" configuration was setup for Linux, Aix and
> Solaris, I see that on few of the Linux agents it does monitor the
> directories and on few of them it won't. It happens the same for Aix &
> Solaris too.
>
> Is it a good option to have auto_ignore option in the agent.conf file at all
> ? OR do you think it is having issues monitoring only on the windows agents
> and work well on the Linux, Aix and Solaris ?
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
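An added example, not part of the thread and not OSSEC code: a pre-deployment check that flags syscheck options in a shared agent.conf that the documentation cited above lists as server/local only, and that finds the "Syscheck disabled" warning in ossec.log text. The function names are hypothetical, and the sample agent.conf is constructed: it closes the tags that the excerpt in the thread leaves open.

```python
import re
import xml.etree.ElementTree as ET

# Per the syscheck documentation cited in the thread: server/local only.
SERVER_LOCAL_ONLY = {"auto_ignore"}

# Constructed sample: the thread's agent.conf excerpt with its tags closed.
SAMPLE_AGENT_CONF = """
<agent_config os="Windows">
  <syscheck>
    <frequency>64800</frequency>
    <auto_ignore>no</auto_ignore>
  </syscheck>
</agent_config>
<agent_config os="Linux">
  <syscheck>
    <frequency>64800</frequency>
  </syscheck>
</agent_config>
"""

# Constructed sample: the ossec.log lines quoted in the thread.
SAMPLE_LOG = """\
2016/04/27 10:40:05 ossec-agent: Starting syscheckd thread.
2016/04/27 10:40:05 ossec-agent(1702): INFO: No directory provided for syscheck to monitor.
2016/04/27 10:40:05 ossec-agent: WARN: Syscheck disabled.
"""

def lint_agent_conf(text):
    """Return (target, option) for each server/local-only option in a syscheck block."""
    # agent.conf holds several top-level <agent_config> elements, so wrap them.
    root = ET.fromstring("<root>" + text + "</root>")
    findings = []
    for block in root.iter("agent_config"):
        target = block.get("os") or block.get("name") or block.get("profile") or "all"
        for syscheck in block.iter("syscheck"):
            findings += [(target, opt.tag) for opt in syscheck if opt.tag in SERVER_LOCAL_ONLY]
    return findings

def syscheck_disabled_events(log_text):
    """Return timestamps of 'Syscheck disabled' warnings found in ossec.log text."""
    pat = re.compile(r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \S+ WARN: Syscheck disabled\.", re.M)
    return pat.findall(log_text)

if __name__ == "__main__":
    for target, opt in lint_agent_conf(SAMPLE_AGENT_CONF):
        print(f"agent_config {target}: <{opt}> is documented as server/local only")
    for ts in syscheck_disabled_events(SAMPLE_LOG):
        print(f"{ts}: file integrity monitoring is off on this agent")
```

Running the log check across collected agent logs shows which hosts have stopped file integrity monitoring after a configuration push.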