So now how can we ensure that this <config_profile> is working?

On Friday, June 22, 2018 at 12:03:42 AM UTC+5:30, dan (ddpbsd) wrote:
>
> On Thu, Jun 21, 2018 at 2:22 PM, Vinay Vanama <vinay....@gmail.com> wrote:
> > Hi Dan, 
> > 
> > Does my configuration of both agent and server look fine? Because only when I
> > added the <syscheck> section in the agent ossec.conf did it start
> > monitoring files. So why do we need the agent.conf in OSSEC master?
> > 
>
> I don't like the agent.conf stuff, so I don't use it.
> Maybe there needs to be a minimal configuration in the ossec.conf?
> I feel like you could set up some of the syscheck stuff in agent.conf,
> but again, I don't use it.
>
> > 
> > On Thursday, June 21, 2018 at 9:39:09 PM UTC+5:30, dan (ddpbsd) wrote: 
> >> 
> >> On Thu, Jun 21, 2018 at 8:32 AM, Vinay Vanama <vinay....@gmail.com> wrote:
> >> > Hi Dan!
> >> >
> >> > I have achieved this by using the profile concept.
> >> >
> >> > What I have done is I have used <agent_config profile="static"> and for
> >> > dynamic agents I have used <agent_config profile="dynamic">, and then I
> >> > have restarted the agents and agent.conf has been updated on both machines.
> >> > But I'm confused here in one place: in the agent.conf file my settings for
> >> > static and dynamic machines are different. Below are the files.
> >> > 
> >> > <agent_config profile="static">
> >> >   <syscheck>
> >> >     <!-- Frequency that syscheck is executed - default to every 22 hours -->
> >> >     <frequency>60</frequency>
> >> >     <scan_on_start>yes</scan_on_start>
> >> >     <skip_nfs>yes</skip_nfs>
> >> >
> >> >     <!-- Directories to check  (perform all possible verifications) -->
> >> >     <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
> >> >     <directories check_all="yes">/bin,/sbin,/boot</directories>
> >> >   </syscheck>
> >> >
> >> > <agent_config profile="dynamic">
> >> >   <syscheck>
> >> >     <!-- Frequency that syscheck is executed - default to every 22 hours -->
> >> >     <frequency>60</frequency>
> >> >     <scan_on_start>yes</scan_on_start>
> >> >     <skip_nfs>yes</skip_nfs>
> >> >
> >> >     <!-- Directories to check  (perform all possible verifications) -->
> >> >     <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
> >> >   </syscheck>
> >> >
> >> > </agent_config>
> >> > 
> >> > If you observe the <syscheck> section for both profiles, I have modified
> >> > it a bit for test purposes, and my ossec.conf file on the agents is like below.
> >> >
> >> > <ossec_config>
> >> >   <client>
> >> >     <server-ip>10.1.19.118</server-ip>
> >> >     <config_profile>static</config_profile>
> >> >   </client>
> >> >
> >> > and for dynamic machines
> >> >
> >> > <ossec_config>
> >> >   <client>
> >> >     <server-ip>10.1.19.118</server-ip>
> >> >     <config_profile>dynamic</config_profile>
> >> >   </client>
> >> >
> >> > And finally I have added a file in the /etc directory on both agents and I
> >> > didn't get any alert regarding the file addition. Is my configuration of
> >> > agent.conf and ossec.conf of the agents correct? Even though I added the
> >> > settings in agent.conf, should I add them in ossec.conf too?
> >> > 
> >> 
> >> Look in the ossec.log of the agents in question to see if they are
> >> monitoring those directories.
> >> If so, make sure they do a full scan before and after the file was added.
> >> 
> >> > Thanks! 
> >> > 
> >> > 
> >> > On Wednesday, June 20, 2018 at 9:09:08 PM UTC+5:30, dan (ddpbsd) wrote:
> >> >> 
> >> >> On Tue, Jun 19, 2018 at 5:33 AM, Vinay Vanama <vinay....@gmail.com> wrote:
> >> >> > Hi Team,
> >> >> >
> >> >> > I have installed OSSEC Master and OSSEC Agents (Version 2.9.2) on
> >> >> > Ubuntu machines which are static machines. So far everything is fine
> >> >> > and I'm getting alerts. Now I'm using the same setup for dynamic
> >> >> > machines and agents are getting added to the master without any issue.
> >> >> > But my problem is I have more than 120 machines, where 30 are static
> >> >> > and 90 are dynamic machines. So I was thinking, can we have a
> >> >> > group-based agent configuration where all static machines will be
> >> >> > under GROUP-1 and all dynamic machines will be under GROUP-2? Is this
> >> >> > possible?
> >> >> >
> >> >> > If possible, can I also have rules applied to specific groups?
> >> >> > 
> >> >> 
> >> >> This isn't really possible at the moment. I think using different OSSEC
> >> >> servers for different classes of agents is the best solution at the moment.
> >> >> 
> >> >> > Need your help! Thanks 
> >> >> > 
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
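To answer the question at the top of this thread (is the <config_profile> actually selecting the right block?), here is an added example, written for this reply and not code from the thread or from OSSEC: it checks that agent.conf is well-formed XML (the static block quoted above never closes its <agent_config>, which a parser rejects) and lists the syscheck directories a given agent's profile would receive. The sample files are constructed from the configs quoted above; treating a comma-separated <config_profile> and a profile-less <agent_config> block as matching all agents is my reading of the OSSEC agent.conf documentation and is an assumption here.

```python
import xml.etree.ElementTree as ET
# Constructed agent.conf: the "static" block lacks its </agent_config>, as in the thread.
BROKEN_AGENT_CONF = """
<agent_config profile="static">
  <syscheck>
    <frequency>60</frequency>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin,/boot</directories>
  </syscheck>
<agent_config profile="dynamic">
  <syscheck>
    <frequency>60</frequency>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
  </syscheck>
</agent_config>
"""
# Same content with the missing closing tag put back.
FIXED_AGENT_CONF = BROKEN_AGENT_CONF.replace(
    "</syscheck>\n<agent_config", "</syscheck>\n</agent_config>\n<agent_config", 1)
# Constructed agent-side ossec.conf for one of the "dynamic" machines.
DYNAMIC_OSSEC_CONF = """<ossec_config>
  <client>
    <server-ip>10.1.19.118</server-ip>
    <config_profile>dynamic</config_profile>
  </client>
</ossec_config>"""
def check_agent_conf(text):
    """None if agent.conf is well-formed XML, else a message saying where it breaks.
    agent.conf has several top-level elements, so wrap it in a synthetic root first."""
    try:
        ET.fromstring("<root>" + text + "</root>")
        return None
    except ET.ParseError as exc:
        return f"agent.conf is not well-formed XML: {exc}"
def agent_profiles(ossec_conf_text):
    """Profiles the agent asks for (assumption: OSSEC accepts a comma-separated list)."""
    node = ET.fromstring(ossec_conf_text).find("client/config_profile")
    text = node.text if node is not None and node.text else ""
    return {p.strip() for p in text.split(",") if p.strip()}

def effective_dirs(agent_conf_text, ossec_conf_text):
    """syscheck directories the agent gets from the <agent_config> blocks that match it."""
    wanted = agent_profiles(ossec_conf_text)
    root = ET.fromstring("<root>" + agent_conf_text + "</root>")  # raises if malformed
    dirs = set()
    for block in root.findall("agent_config"):
        prof = block.get("profile")  # assumption: no profile attribute means every agent
        if prof is None or prof.strip() in wanted:
            for d in block.findall("syscheck/directories"):
                dirs.update(p.strip() for p in (d.text or "").split(",") if p.strip())
    return sorted(dirs)
```

Run it against the server's shared agent.conf and the agent's own ossec.conf, then compare the directories it reports with what the agent's ossec.log says it is monitoring after a restart.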
