ossec reload config files

[Michael Altfield]

Hello,

I was wondering if there was a way to tell ossec to reload its
configuration files without having to restart the process.

For example, running `/etc/init.d/sshd restart` completely shuts down
and starts up the ssh daemon. This contrasts from `/etc/init.d/sshd
reload`in that *reload* cause sshd to reload it's configuration file (/
etc/ssh/sshd_config) without having to shut down the ssh daemon (so
there is no downtime for users trying to connect to the server).

Is it possible to have ossec reload its configuration files without
shutting it down (either with a built-in capability or by means of a
hack)?


TIA
-Michael

[Daniel Cid]

Hi Michael,

There is no way to do this out of the box, but we plan to add this
option in the future.

As a hack, it is possible but depends on which change you made.

If you only modified a log file to be monitored, you can kill only the
ossec-logcollector process
and leave all others running (killall ossec-logcollector;
/var/ossec/bin/ossec-logcollector) and
to the same most syscheck/rootcheck (only kill ossec-syscheckd).

The only exception is ossec-analysisd, which if you kill it, the other
processes will not work
until you start it back.

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

[Michael Altfield]

Daniel,

Thank you for the response.

Can you tell me which process would need to be manually restarted to reload the 'rules/local_rules.xml' file?


Thanks,
Michael