Hi Dan!

I have achieved this by using the profile concept.

What I have done is this: I have used an <agent_config profile="static"> and, 
for dynamic agents, an <agent_config profile="dynamic">; then I restarted the 
agents, and agent.conf has been updated on both machines. But I'm confused in 
one place: in the agent.conf file my settings for static and dynamic machines 
are different. Below are the files.

<agent_config profile="static">
  <syscheck>
    <!-- Frequency that syscheck is executed - default to every 22 hours -->
    <frequency>60</frequency>
    <scan_on_start>yes</scan_on_start>
    <skip_nfs>yes</skip_nfs>

    <!-- Directories to check  (perform all possible verifications) -->
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin,/boot</directories>
  </syscheck>

<agent_config profile="dynamic">
  <syscheck>
    <!-- Frequency that syscheck is executed - default to every 22 hours -->
    <frequency>60</frequency>
    <scan_on_start>yes</scan_on_start>
    <skip_nfs>yes</skip_nfs>

    <!-- Directories to check  (perform all possible verifications) -->
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
  </syscheck>

</agent_config>

If you observe the <syscheck> section for both profiles, I have modified it a 
bit for test purposes, and my ossec.conf file on the agents is like below.

<ossec_config>
  <client>
    <server-ip>10.1.19.118</server-ip>
    <config_profile>static</config_profile>
  </client>

And for dynamic machines:

<ossec_config>
  <client>
    <server-ip>10.1.19.118</server-ip>
    <config_profile>dynamic</config_profile>
  </client>

And finally I have added a file in the /etc directory on both agents and I 
didn't get any alert regarding the file addition. Is my configuration of 
agent.conf and ossec.conf of the agents correct? Even if I have added 
settings in agent.conf, should I add them in ossec.conf too?

Thanks!


On Wednesday, June 20, 2018 at 9:09:08 PM UTC+5:30, dan (ddpbsd) wrote:
>
> On Tue, Jun 19, 2018 at 5:33 AM, Vinay Vanama <vinay....@gmail.com> wrote:
> > Hi Team,
> >
> > I have installed OSSEC -Master and OSSEC - Agents (Version - 2.9.2) on
> > ubuntu machines which are static machines. So far everything is fine and
> > I'm getting alerts. Now I'm using same setup for dynamic machines and
> > agents are getting added to master without any issue. But my problem is I
> > have more than 120 machines where 30 are static and 90 are dynamic
> > machines. So I was thinking can we have a group based agent configuration
> > where all static machines will be under GROUP - 1  and all dynamic
> > machines will be under GROUP-2 so is this possible ?
> >
> > If possible !! can I have a rules also to be applied for specific groups ?
> >
>
> This isn't really possible at the moment. I think using different OSSEC
> servers for different classes of agents is the best solution at the moment.
>
> > Need your help! Thanks
> >
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google Groups
> > "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> > email to ossec-list+...@googlegroups.com.
> > For more options, visit https://groups.google.com/d/optout.
>
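
An added example, not part of the original message or of OSSEC itself: a small Python check that a profile-based agent.conf is well-formed XML and that the profile named in an agent's ossec.conf resolves to a set of syscheck directories. The sample files are constructed from the snippets in the post, the helper names are hypothetical, and the check assumes blocks are selected by the `profile` attribute only.

```python
import xml.etree.ElementTree as ET

# Constructed sample: two complete profile blocks, modelled on the post's agent.conf.
CLOSED = """
<agent_config profile="static">
  <syscheck>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin,/boot</directories>
  </syscheck>
</agent_config>
<agent_config profile="dynamic">
  <syscheck>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
  </syscheck>
</agent_config>
"""
# Constructed sample: the same file with the first closing tag left out.
UNCLOSED = CLOSED.replace("</agent_config>", "", 1)
# Constructed sample: an agent-side ossec.conf selecting one profile.
AGENT = """<ossec_config>
  <client>
    <server-ip>10.1.19.118</server-ip>
    <config_profile>dynamic</config_profile>
  </client>
</ossec_config>"""

def profile_directories(agent_conf):
    """Map each profile name to the syscheck directories its blocks list."""
    try:  # agent.conf holds several top-level blocks, so wrap them in one root
        root = ET.fromstring("<root>" + agent_conf + "</root>")
    except ET.ParseError as exc:
        raise ValueError(f"agent.conf is not well-formed XML: {exc}") from exc
    result = {}
    for block in root.findall("agent_config"):
        dirs = result.setdefault(block.get("profile", ""), [])
        for entry in block.findall("syscheck/directories"):
            dirs += [d.strip() for d in (entry.text or "").split(",") if d.strip()]
    return result

def directories_for_agent(agent_conf, ossec_conf):
    """Directories an agent would get for the profile(s) named in its ossec.conf."""
    wanted = ET.fromstring(ossec_conf).findtext("client/config_profile", "")
    by_profile = profile_directories(agent_conf)
    dirs = []
    for name in (p.strip() for p in wanted.split(",") if p.strip()):
        if name not in by_profile:  # a typo in the profile name would land here
            raise KeyError(f"profile {name!r} is not defined in agent.conf")
        dirs += [d for d in by_profile[name] if d not in dirs]
    return dirs
```

Running `profile_directories` on the manager's agent.conf before restarting agents shows which directories each profile will monitor; a `ValueError` means the file has an unbalanced tag.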
