OSSEC agents require a restart after the agent.conf has been updated. Active response can do this automatically when it notices the file has changed.
Active response must be enabled.
This only works for *nix-based systems.
The idea is to have active response restart the OSSEC processes when the agent.conf file changes. A rule must be created to notice the change to that specific file, and an active response must be set up to react to that rule.
<!-- Fires on syscheck alerts that mention the shared agent.conf path -->
<rule id="710001" level="1">
  <if_group>syscheck</if_group>
  <match>/var/ossec/etc/shared/agent.conf</match>
  <description>agent.conf was modified</description>
</rule>
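<!-- Defines the command; restart-ossec.sh takes no arguments, so <expect> is empty -->
<command>
  <name>restart-ossec</name>
  <executable>restart-ossec.sh</executable>
  <expect></expect>
</command>

<!-- Runs the command on the agent that generated the alert (location "local") when rule 710001 fires -->
<active-response>
  <command>restart-ossec</command>
  <location>local</location>
  <rules_id>710001</rules_id>
</active-response>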
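The setup only works if all three pieces line up: the rule matches the agent.conf path, the active response references that rule's id, and the command it names is defined. The following check is an added example, not part of the original page or of OSSEC itself; `check_wiring` is a hypothetical helper, and the embedded XML is the page's own fragments used as constructed sample input.

```python
import xml.etree.ElementTree as ET

# Constructed sample input: the rule and ossec.conf fragments shown on this page.
RULES = """<rule id="710001" level="1">
  <if_group>syscheck</if_group>
  <match>/var/ossec/etc/shared/agent.conf</match>
  <description>agent.conf was modified</description>
</rule>"""
CONFIG = """<command>
  <name>restart-ossec</name>
  <executable>restart-ossec.sh</executable>
  <expect></expect>
</command>
<active-response>
  <command>restart-ossec</command>
  <location>local</location>
  <rules_id>710001</rules_id>
</active-response>"""


def _parse(fragment):
    # OSSEC files hold several top-level elements; wrap them in one root for ElementTree.
    return ET.fromstring("<root>" + fragment + "</root>")


def check_wiring(rules_xml, config_xml, watched="/var/ossec/etc/shared/agent.conf"):
    """Hypothetical helper: list breaks in the rule -> active-response -> command chain."""
    problems = []
    rules = {r.get("id"): r for r in _parse(rules_xml).iter("rule")}
    cfg = _parse(config_xml)
    commands = {c.findtext("name", "").strip() for c in cfg.findall("command")}
    responses = cfg.findall("active-response")
    if not responses:
        problems.append("no <active-response> block")
    for ar in responses:
        cmd = ar.findtext("command", "").strip()
        if cmd not in commands:
            problems.append(f"active-response uses undefined command {cmd!r}")
        for rid in (r.strip() for r in ar.findtext("rules_id", "").split(",")):
            rule = rules.get(rid)
            if rule is None:
                problems.append(f"rules_id {rid!r} has no matching rule")
            elif watched not in rule.findtext("match", ""):
                problems.append(f"rule {rid} does not match {watched}")
    return problems


if __name__ == "__main__":
    print(check_wiring(RULES, CONFIG) or "wiring is consistent")
```

An empty list means the chain is consistent; each string in a non-empty list names one broken link.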