agent.conf and syscheck disabled


Ricardo Perre

Apr 9, 2015, 7:06:29 AM
to ossec...@googlegroups.com
Hi,

I've removed all syscheck configs from agent.conf (also from ossec-agent.conf).
My conf looks like this:

<agent_config os="Linux">
  <!-- Files to monitor (localfiles) -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/secure</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/maillog</location>
  </localfile>

  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/httpd/error_log</location>
  </localfile>

  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/httpd/access_log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/ossec/logs/active-responses.log</location>
  </localfile>
</agent_config>

When I start the agent I get:
ossec-syscheckd: WARN: Syscheck disabled.
(...)
ossec-syscheckd: INFO: Started (pid: 24096).
ossec-rootcheck: INFO: Started (pid: 24096).

So, it says syscheck is disabled, but it starts anyway.

My goal is to disable it.

Any ideas?
Thank you for your time.



dan (ddp)

Apr 9, 2015, 7:17:28 AM
to ossec...@googlegroups.com

Remove it from the ossec-control script.


Ricardo Perre

Apr 9, 2015, 7:20:28 AM
to ossec...@googlegroups.com
Thanks for your reply.
Can you be more specific?
What should I remove from that script? Should I read the code and figure it out?




--
Ricardo Perre

Matthias Fraidl

Apr 9, 2015, 7:24:56 AM
to ossec...@googlegroups.com
On 04/09/2015 01:20 PM, Ricardo Perre wrote:
> Thanks for your reply.
> Can you be more specific?
> What should I remove from that script? Should I read the code and figure it
> out?

Have a look at the ${ossecdir}/bin/ossec-control script and remove
ossec-syscheckd from the DAEMONS and SDAEMONS definitions.

regards,
matthias

--
Matthias Fraidl


Ricardo Perre

Apr 9, 2015, 7:33:07 AM
to ossec...@googlegroups.com
Done it, and syscheck does not start. Thank you both for your time.

Needless to say that to disable a feature one must edit code, it's not how it was supposed to work.




--
Ricardo Perre

dan (ddp)

Apr 9, 2015, 7:35:50 AM
to ossec...@googlegroups.com


On Apr 9, 2015 6:20 AM, "Ricardo Perre" <rjmp...@gmail.com> wrote:
>
> Thanks for your reply.
> Can you be more specific?
> What should I remove from that script? Should I read the code and figure it out?
>

I'm not looking at the code right now, but I think the daemons are all listed in a DAEMONS variable. Just remove ossec-syscheckd from that variable.
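
The edit described in the replies from Matthias and dan, as an added shell example that is not part of the thread and is not OSSEC project code. The helper names `remove_daemon` and `write_sample` and the daemon lists in the sample file are assumptions made for illustration; the real ossec-control may list different daemons.

```shell
#!/bin/sh
# Added example: drop one daemon name from the DAEMONS= and SDAEMONS=
# assignments of an ossec-control style script, keeping a .bak copy.

# write_sample FILE: constructed stand-in for ${ossecdir}/bin/ossec-control.
# The daemon lists are assumptions; the real script's lists may differ.
write_sample() {
    cat > "$1" <<'EOF'
#!/bin/sh
DAEMONS="ossec-logcollector ossec-syscheckd ossec-agentd ossec-execd"
SDAEMONS="ossec-execd ossec-agentd ossec-logcollector ossec-syscheckd"
EOF
}

# remove_daemon FILE NAME
# Returns 0 if NAME was removed, 1 if it was not listed, 2 on bad input.
remove_daemon() {
    file=$1; name=$2; _rc=0
    [ -f "$file" ] && [ -n "$name" ] || return 2
    tmp=$(mktemp) || return 2
    awk -v name="$name" '
        /^[ \t]*S?DAEMONS="[^"]*"[ \t]*$/ {      # only the two assignments
            split($0, part, "\"")                # part[1]=VAR=  part[2]=list
            n = split(part[2], tok, /[ \t]+/)
            list = ""
            for (i = 1; i <= n; i++) {
                if (tok[i] == "") continue
                if (tok[i] == name) { hits++; continue }  # whole token only
                list = (list == "" ? tok[i] : list " " tok[i])
            }
            print part[1] "\"" list "\""
            next
        }
        { print }
        END { exit (hits > 0 ? 0 : 1) }
    ' "$file" > "$tmp" || _rc=$?
    if [ "$_rc" -eq 0 ]; then
        # cat into the original so its mode and owner are preserved
        cp -p "$file" "$file.bak" && cat "$tmp" > "$file" || _rc=2
    fi
    rm -f "$tmp"
    return "$_rc"
}

# Usage on a scratch copy:
#   write_sample /tmp/ossec-control.sample
#   remove_daemon /tmp/ossec-control.sample ossec-syscheckd
```

In the startup log quoted in the first post, ossec-rootcheck reports the same pid as ossec-syscheckd, so dropping the daemon from the start list stops rootcheck as well as file integrity monitoring.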

Ricardo Perre

Apr 9, 2015, 7:36:51 AM
to ossec...@googlegroups.com
Yes, done it and it works.
Thank your for time.

Ricardo Perre

Apr 9, 2015, 7:37:25 AM
to ossec...@googlegroups.com
Thank you for your time* (not enough coffee yet)
--
Ricardo Perre