On Thu, Jun 21, 2018 at 8:32 AM, Vinay Vanama <vinay.vana...@gmail.com> wrote:
> Hi Dan!
>
> I have achieved this by using the profile concept.
>
> What I have done is I have used a <agent_config profile="static"> and for
> dynamic agents I have used <agent_config profile="dynamic"> and then I have
> restarted agents and agent.conf has been updated in both machines. But I'm
> confused here in one place. In the agent.conf file my settings for static and
> dynamic machines are different. Below are the files.
>
> <agent_config profile="static">
>   <syscheck>
>     <!-- Frequency that syscheck is executed - default to every 22 hours -->
>     <frequency>60</frequency>
>     <scan_on_start>yes</scan_on_start>
>     <skip_nfs>yes</skip_nfs>
>
>     <!-- Directories to check (perform all possible verifications) -->
>     <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
>     <directories check_all="yes">/bin,/sbin,/boot</directories>
>   </syscheck>
>
> <agent_config profile="dynamic">
>   <syscheck>
>     <!-- Frequency that syscheck is executed - default to every 22 hours -->
>     <frequency>60</frequency>
>     <scan_on_start>yes</scan_on_start>
>     <skip_nfs>yes</skip_nfs>
>
>     <!-- Directories to check (perform all possible verifications) -->
>     <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
>   </syscheck>
>
> </agent_config>
>
> If you observe the <syscheck> section for both profiles, I have modified it a
> bit for test purposes, and my ossec.conf file on agents is like below.
>
> <ossec_config>
>   <client>
>     <server-ip>10.1.19.118</server-ip>
>     <config_profile>static</config_profile>
>   </client>
>
> and for dynamic machines
>
> <ossec_config>
>   <client>
>     <server-ip>10.1.19.118</server-ip>
>     <config_profile>dynamic</config_profile>
>   </client>
>
> And finally I have added a file in the /etc directory on both agents and I
> didn't get any alert regarding the file addition. Is my configuration of
> agent.conf and ossec.conf of the agents correct? Even if I added
> settings in agent.conf, should I add them in ossec.conf too?
>

Look in the ossec.log of the agents in question to see if they are
monitoring those directories. If so, make sure they do a full scan
before and after the file was added.

> Thanks!
>
>
> On Wednesday, June 20, 2018 at 9:09:08 PM UTC+5:30, dan (ddpbsd) wrote:
>>
>> On Tue, Jun 19, 2018 at 5:33 AM, Vinay Vanama <vinay....@gmail.com> wrote:
>> > Hi Team,
>> >
>> > I have installed OSSEC - Master and OSSEC - Agents (Version - 2.9.2) on
>> > Ubuntu machines which are static machines. So far everything is fine and
>> > I'm getting alerts. Now I'm using the same setup for dynamic machines and
>> > agents are getting added to master without any issue. But my problem is I
>> > have more than 120 machines where 30 are static and 90 are dynamic
>> > machines. So I was thinking, can we have a group-based agent configuration
>> > where all static machines will be under GROUP-1 and all dynamic machines
>> > will be under GROUP-2? Is this possible?
>> >
>> > If possible, can I also have rules applied for specific groups?
>> >
>>
>> This isn't really possible at the moment. I think using different OSSEC
>> servers for different classes of agents is the best solution at the moment.
>>
>> > Need your help! Thanks
>> >
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google Groups
>> > "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send an
>> > email to ossec-list+...@googlegroups.com.
>> > For more options, visit https://groups.google.com/d/optout.
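
The check suggested in the reply above, as an added example that is not part of the original thread: it reads an agent's ossec.log, confirms a directory is monitored, and confirms a complete syscheck scan finished before the file was added and another started and finished after it. The log message wording and timestamp format are assumptions about OSSEC 2.9.x output, `SAMPLE_LOG` is constructed, and `parse` and `check` are hypothetical helper names.

```python
import re
from datetime import datetime

# Constructed sample of an agent's ossec.log (message wording is assumed).
SAMPLE_LOG = """\
2018/06/21 08:00:01 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
2018/06/21 08:00:01 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin'.
2018/06/21 08:00:01 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin'.
2018/06/21 08:01:05 ossec-syscheckd: INFO: Starting syscheck scan.
2018/06/21 08:03:40 ossec-syscheckd: INFO: Ending syscheck scan.
2018/06/21 08:04:40 ossec-syscheckd: INFO: Starting syscheck scan.
"""

LINE = re.compile(r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) ossec-syscheckd: INFO: (.+)$")
TS = "%Y/%m/%d %H:%M:%S"


def parse(log_text):
    """Return (set of monitored directories, list of completed scans as (start, end))."""
    dirs, scans, started = set(), [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # other daemons and unrecognised lines are ignored
        when, msg = datetime.strptime(m.group(1), TS), m.group(2)
        if msg.startswith("Monitoring directory: '"):
            dirs.add(msg.split("'")[1])
        elif msg.startswith("Starting syscheck scan"):
            started = when
        elif msg.startswith("Ending syscheck scan") and started:
            scans.append((started, when))  # only count scans that actually finished
            started = None
    return dirs, scans


def check(log_text, directory, file_added_at):
    """Is the directory monitored, and is there a full scan on each side of the change?"""
    dirs, scans = parse(log_text)
    added = datetime.strptime(file_added_at, TS)
    return {
        "monitored": directory in dirs,
        "scan_before": any(end <= added for _, end in scans),
        "scan_after": any(start >= added for start, _ in scans),
    }


if __name__ == "__main__":
    # The second scan has started but not ended, so scan_after is still False.
    print(check(SAMPLE_LOG, "/etc", "2018/06/21 08:04:00"))
```

A `scan_after` of `False` means no alert can be expected yet: the baseline exists, but the scan that would see the new file has not completed.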