How to restart an agent after changes to the agent.conf:

OSSEC agents require a restart after the agent.conf has been updated. Active response can do this automatically when it notices the file has changed.


  • Active response must be enabled.

  • This only works for *nix based systems


The idea behind this is to have active response restart the OSSEC processes when the agent.conf file changes. A rule must be created to notice the change to that specific file, and an active response setup to react to that rule.


<rule id="710001" level="1">
  <description>agent.conf was modified</description>

active response configuration: