Checking agent.conf - how to?

InfoSec

Apr 23, 2018, 2:29:09 PM
to Wazuh mailing list
Is there a utility (like ossec-logtest for ossec configuration) to check agent.conf for potential errors before saving to /var/ossec/etc/shared/default?

Agent.conf gets automatically copied to managed agents that restart upon receiving the changed agent.conf (no need to restart or reload the Wazuh server to apply the changes).

No checking seems to be performed on agent.conf. It is only after the changes are received by the agent, and agent service restarted (an unattended operation), that ossec.log on the agent gives any indication of a problem with agent.conf, without giving out any useful diagnostic information about the cause(s) of the problem(s). Not even the first line number that may be the cause of agent.conf being considered "corrupt" by the Wazuh agent.

Victor Fernandez

Apr 24, 2018, 2:33:01 AM
to InfoSec, Wazuh mailing list
Hi InfoSec,

You should be able to test your shared configuration with this utility:
# /var/ossec/bin/verify-agent-conf

verify-agent-conf: Verifying [/var/ossec/etc/shared/default/agent.conf]
verify-agent-conf: OK

On the other hand, the agent never applies the new settings directly. From OSSEC to Wazuh v2.1 the agent needs to be restarted manually. As of version 3.0, the agent will restart automatically —this option can be disabled— after checking its own configuration.

If the agent finds any error in the shared configuration it will log the issue and won't restart on its own.
This is an error log example:

2018/04/23 21:47:52 ossec-agent: ERROR: (1230): Invalid element in the configuration: 'badconfig'.
2018/04/23 21:47:52 ossec-agent: ERROR: (1202): Configuration error at 'shared/agent.conf'.
2018/04/23 21:47:52 ossec-agent: ERROR: (1207): Syscheck remote configuration in 'shared/agent.conf' is corrupted.

Hope it helps.

Best regards,

Victor M Fernandez-Castro 
IT Engineer — Wazuh, Inc.
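
Added example, not part of the original thread and not Wazuh code: a small Python check that scans an agent's ossec.log for the rejection pattern quoted in the reply above and reports which element was refused. The function name, the grouping of errors by identical timestamp, and the first sample line are assumptions made for illustration; the error codes and the other three lines are the ones quoted in the reply.

```python
import re
from collections import defaultdict

# Constructed sample: one unrelated line plus the three lines quoted in the reply.
SAMPLE_LOG = """\
2018/04/23 21:47:50 ossec-agent: INFO: constructed non-error line.
2018/04/23 21:47:52 ossec-agent: ERROR: (1230): Invalid element in the configuration: 'badconfig'.
2018/04/23 21:47:52 ossec-agent: ERROR: (1202): Configuration error at 'shared/agent.conf'.
2018/04/23 21:47:52 ossec-agent: ERROR: (1207): Syscheck remote configuration in 'shared/agent.conf' is corrupted.
"""

# timestamp, process name, numeric error code, free-text message
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (?P<proc>[\w-]+): "
    r"ERROR: \((?P<code>\d+)\): (?P<msg>.*)$"
)
QUOTED_RE = re.compile(r"'([^']*)'")


def find_shared_config_rejections(log_text):
    """Return one finding per timestamp at which shared/agent.conf was rejected."""
    # Assumption: errors from one failed load share the same second.
    by_ts = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            by_ts[m["ts"]].append((int(m["code"]), m["msg"]))

    findings = []
    for ts, errors in by_ts.items():
        # 1202 names the file that failed; only the shared config is of interest.
        if not any(c == 1202 and "shared/agent.conf" in msg for c, msg in errors):
            continue
        # 1230 carries the offending element name in single quotes.
        bad = [q for c, msg in errors if c == 1230 for q in QUOTED_RE.findall(msg)]
        findings.append(
            {"time": ts, "bad_elements": bad, "codes": [c for c, _ in errors]}
        )
    return findings


if __name__ == "__main__":
    for f in find_shared_config_rejections(SAMPLE_LOG):
        print(f"{f['time']}: shared agent.conf rejected, "
              f"elements={f['bad_elements']}, codes={f['codes']}")
```

Because an agent that rejects the shared file logs the error and does not restart, a finding here means that agent is still running its previous configuration.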
