In AlienVault USM Appliance, after performing some changes and updates to HIDS through the web UI, agent.conf will not be immediately pushed to the agent, and it may need as much as 3 hours to be correctly synchronized after the update.
The solution for this issue is to
- Restart the HIDS service.
- After it is restarted, restart the HIDS agent two times. The first time will get the configuration, and the second one will activate it.
If the second restart is not performed, then you will need to wait for syscheck to activate the new configuration. For details on syscheck and file integrity monitoring, see File Integrity Monitoring.