2

I have installed the server and agent through binary installation (with preloaded_var.conf). The changes in the agent.conf file on the server are updated on the agent, but when I restart the agent the changes in the agent.conf are not running.

When I used verify-agent-conf, I am getting ERROR: Unable to open file '/queue/ossec/.agent_info' and no other errors.

agent.conf :

    <localfile>
      <log_format>syslog</log_format>
      <location>/var/log/output.log</location>
      <alias>SAS LOG ALERT</alias>
    </localfile>

    <localfile>
      <log_format>full_command</log_format>
      <command>netstat -ulpn | grep LISTEN | grep -v 127.0.0.1 | sort</command>
      <alias>UDP Port Scan Alert  </alias>
      <frequency>3600</frequency>
    </localfile>

    <!-- Check Ossec process CPU usage in all Agent Machines -->
    <localfile>
      <log_format>full_command</log_format>
      <command>ps -eo pcpu,pid,user,args| grep ossec</command>
      <alias>Agent Process Details</alias>
      <frequency>3600</frequency>
    </localfile>

1 Answer

0

By default, the agents will not accept commands from the centralized configuration. Agents must be explicitly configured to accept remote commands; you may enable this by setting logcollector.remote_commands=1 in /var/ossec/etc/local_internal_options.conf.

You may find more information about the centralized configuration here: https://documentation.wazuh.com/4.0/user-manual/reference/centralized-configuration.html.

s-ocando
  • 36
  • 2
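
An added example, not part of the original answer or the Wazuh project's code: a shell check to run on an agent that reports whether the command and full_command `<localfile>` blocks received through centralized configuration are permitted by the `logcollector.remote_commands` setting named in the answer. The function names and the shared agent.conf path in the comments are assumptions.

```shell
#!/bin/sh
# Added example. Assumed paths (only the options file is named on the page):
#   shared config received from the manager: /var/ossec/etc/shared/agent.conf
#   local overrides:                         /var/ossec/etc/local_internal_options.conf

# Print the last uncommented logcollector.remote_commands value in file $1
# (prints nothing if the option is not set there).
remote_commands_value() {
    sed -n 's/^[[:space:]]*logcollector\.remote_commands[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' \
        "$1" 2>/dev/null | tail -n 1
}

# Count entries in file $1 whose log_format is command or full_command.
count_command_blocks() {
    grep -cE '<log_format>[[:space:]]*(full_)?command[[:space:]]*</log_format>' "$1" 2>/dev/null
}

# $1 = agent.conf, $2 = local_internal_options.conf
# Returns 0 if the command blocks are permitted, 1 if the agent will ignore them.
check_remote_commands() {
    n=$(count_command_blocks "$1") || true   # grep exits 1 on zero matches
    v=$(remote_commands_value "$2")
    if [ "${n:-0}" -eq 0 ]; then
        echo "OK: no command/full_command blocks in $1"
        return 0
    fi
    if [ "$v" = "1" ]; then
        echo "OK: $n command block(s), logcollector.remote_commands=1 in $2"
        return 0
    fi
    echo "IGNORED: $n command block(s) in $1, but logcollector.remote_commands=${v:-unset} in $2"
    return 1
}

# Run only when both paths are supplied, e.g.:
#   sh check.sh /var/ossec/etc/shared/agent.conf /var/ossec/etc/local_internal_options.conf
if [ "$#" -eq 2 ]; then check_remote_commands "$1" "$2"; fi
```

With `logcollector.remote_commands=1`, the agent runs whatever commands the manager's agent.conf contains, so the setting extends trust in the manager to command execution on every agent that enables it.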