Re: [ossec-list] Newby question

2017-08-22 Thread dan (ddp)
On Aug 22, 2017 12:52 PM, "Leroy Tennison"  wrote:

Hopefully final question about this, I notice the default manager's
agent.conf has a configuration simply for os="linux" (and windows) as well
as one which has no qualifier, I'm assuming those configurations apply to
all systems with that os and all systems respectively.  Correct?
Suggestion, these might be worthwhile Architecture or FAQ additions.


Correct, with the exception of the manager.  It does not utilize the
agent.conf.


On Tuesday, August 22, 2017 at 11:00:04 AM UTC-5, dan (ddpbsd) wrote:

>
>
> On Aug 22, 2017 11:55 AM, "Leroy Tennison"  wrote:
>
> Thank you for your reply, sadly, that's exactly what I've done (doubled
> up).  I'll go fix that.  Correct me if I'm wrong but, from your reply, it
> appears that I need to examine both the manager's agent.conf as well as the
> agent's ossec.conf to determine the "effective" configuration.
>
>
> That is correct. Unfortunately that would be correct in any conceivable
> scenario I can come up with.
> At best you can minimize the ossec.conf and utilize the agent.conf as much
> as possible.
>
>
> On Monday, August 21, 2017 at 5:40:53 PM UTC-5, dan (ddpbsd) wrote:
>>
>>
>>
>> On Aug 21, 2017 4:39 PM, "Leroy Tennison"  wrote:
>>
>> I have added to /var/ossec/etc/shared/agent.conf a profile for a class
>> of machine and updated the agent's ossec.conf with the config-profile in
>> the  block.
>>
>> Do I need to remove the ,  and all 
>> entries on the client or will the manager simply override them?  Is the
>> result "either (the manager configuration)/or (the agent configuration)" or
>> cumulative (both components apply)?
>>
>>
>> Cumulative. All options are applied. It is important syscheck entries are
>> not doubled up.
>>
>> Changing the agent.conf to over-riding ossec.conf options is something I
>> am interested in, but haven't had time for.
>>
>>
>>

---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
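
Added example (not part of any message in this thread, and not OSSEC project code): a Python script that works out the "effective" syscheck directories discussed above by merging the agent's ossec.conf with the agent.conf blocks that apply to it, and lists the directories that end up doubled up. The sample files are constructed, the os= match is a simplified substring test (an assumption), and the name= qualifier is not handled.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample files (not taken from the thread).
OSSEC_CONF = """<ossec_config>
  <client><config-profile>webserver</config-profile></client>
  <syscheck><directories check_all="yes">/etc,/usr/bin</directories></syscheck>
</ossec_config>"""
AGENT_CONF = """
<agent_config><syscheck><directories>/boot</directories></syscheck></agent_config>
<agent_config os="Linux"><syscheck><directories>/etc</directories></syscheck></agent_config>
<agent_config profile="webserver"><syscheck><directories>/var/www,/usr/bin</directories></syscheck></agent_config>
<agent_config profile="database"><syscheck><directories>/var/lib/mysql</directories></syscheck></agent_config>
"""

def _parse(text):
    # Both files may hold several top-level blocks, so wrap them in one root.
    return ET.fromstring("<root>" + text + "</root>")

def _add_dirs(block, source, out):
    # <directories> holds a comma-separated list of paths.
    for elem in block.iter("directories"):
        for path in (elem.text or "").split(","):
            if path.strip():
                out[path.strip()].append(source)

def effective_syscheck(ossec_conf, agent_conf, agent_os):
    """Map each monitored directory to every config block that adds it."""
    out = defaultdict(list)
    local = _parse(ossec_conf)
    profiles = {p.strip() for e in local.iter("config-profile")
                for p in (e.text or "").split(",")}
    _add_dirs(local, "ossec.conf", out)
    for blk in _parse(agent_conf).iter("agent_config"):
        os_attr, profile = blk.get("os"), blk.get("profile")
        # Assumption: os= matches as a case-insensitive substring of the agent OS.
        if os_attr and os_attr.lower() not in agent_os.lower():
            continue
        if profile and profile not in profiles:
            continue
        quals = " ".join("%s=%s" % kv for kv in blk.attrib.items())
        _add_dirs(blk, "agent.conf[%s]" % quals, out)  # cumulative, never overrides
    return dict(out)

def doubled_up(effective):
    """Directories configured by more than one block."""
    return sorted(d for d, src in effective.items() if len(src) > 1)

if __name__ == "__main__":
    for path, sources in sorted(effective_syscheck(OSSEC_CONF, AGENT_CONF, "Linux web01").items()):
        print(path, sources)
```
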



Re: [ossec-list] Newby question

2017-08-22 Thread Leroy Tennison
Hopefully final question about this, I notice the default manager's 
agent.conf has a configuration simply for os="linux" (and windows) as well 
as one which has no qualifier, I'm assuming those configurations apply to 
all systems with that os and all systems respectively.  Correct? 
Suggestion, these might be worthwhile Architecture or FAQ additions.

On Tuesday, August 22, 2017 at 11:00:04 AM UTC-5, dan (ddpbsd) wrote:
>
>
>
> On Aug 22, 2017 11:55 AM, "Leroy Tennison"  wrote:
>
> Thank you for your reply, sadly, that's exactly what I've done (doubled 
> up).  I'll go fix that.  Correct me if I'm wrong but, from your reply, it 
> appears that I need to examine both the manager's agent.conf as well as the 
> agent's ossec.conf to determine the "effective" configuration.  
>
>
> That is correct. Unfortunately that would be correct in any conceivable 
> scenario I can come up with. 
> At best you can minimize the ossec.conf and utilize the agent.conf as much 
> as possible.
>
>
> On Monday, August 21, 2017 at 5:40:53 PM UTC-5, dan (ddpbsd) wrote:
>>
>>
>>
>> On Aug 21, 2017 4:39 PM, "Leroy Tennison"  wrote:
>>
>> I have added to /var/ossec/etc/shared/agent.conf a profile for a class 
>> of machine and updated the agent's ossec.conf with the config-profile in 
>> the  block.
>>
>> Do I need to remove the ,  and all  
>> entries on the client or will the manager simply override them?  Is the 
>> result "either (the manager configuration)/or (the agent configuration)" or 
>> cumulative (both components apply)?
>>
>>
>> Cumulative. All options are applied. It is important syscheck entries are 
>> not doubled up.
>>
>> Changing the agent.conf to over-riding ossec.conf options is something I
>> am interested in, but haven't had time for.
>>
>>
>>


Re: [ossec-list] Newby question

2017-08-22 Thread dan (ddp)
On Aug 22, 2017 11:55 AM, "Leroy Tennison"  wrote:

Thank you for your reply, sadly, that's exactly what I've done (doubled
up).  I'll go fix that.  Correct me if I'm wrong but, from your reply, it
appears that I need to examine both the manager's agent.conf as well as the
agent's ossec.conf to determine the "effective" configuration.


That is correct. Unfortunately that would be correct in any conceivable
scenario I can come up with.
At best you can minimize the ossec.conf and utilize the agent.conf as much
as possible.


On Monday, August 21, 2017 at 5:40:53 PM UTC-5, dan (ddpbsd) wrote:
>
>
>
> On Aug 21, 2017 4:39 PM, "Leroy Tennison"  wrote:
>
> I have added to /var/ossec/etc/shared/agent.conf a profile for a class of
> machine and updated the agent's ossec.conf with the config-profile in the
>  block.
>
> Do I need to remove the ,  and all 
> entries on the client or will the manager simply override them?  Is the
> result "either (the manager configuration)/or (the agent configuration)" or
> cumulative (both components apply)?
>
>
> Cumulative. All options are applied. It is important syscheck entries are
> not doubled up.
>
> Changing the agent.conf to over-riding ossec.conf options is something I
> am interested in, but haven't had time for.
>
>
>


Re: [ossec-list] Newby question

2017-08-22 Thread Leroy Tennison
Thank you for your reply, sadly, that's exactly what I've done (doubled 
up).  I'll go fix that.  Correct me if I'm wrong but, from your reply, it 
appears that I need to examine both the manager's agent.conf as well as the 
agent's ossec.conf to determine the "effective" configuration.  

On Monday, August 21, 2017 at 5:40:53 PM UTC-5, dan (ddpbsd) wrote:
>
>
>
> On Aug 21, 2017 4:39 PM, "Leroy Tennison"  wrote:
>
> I have added to /var/ossec/etc/shared/agent.conf a profile for a class of 
> machine and updated the agent's ossec.conf with the config-profile in the 
>  block.
>
> Do I need to remove the ,  and all  
> entries on the client or will the manager simply override them?  Is the 
> result "either (the manager configuration)/or (the agent configuration)" or 
> cumulative (both components apply)?
>
>
> Cumulative. All options are applied. It is important syscheck entries are 
> not doubled up.
>
> Changing the agent.conf to over-riding ossec.conf options is something I
> am interested in, but haven't had time for.
>
>
>


[ossec-list] Newby question

2017-08-21 Thread Leroy Tennison
I have added to /var/ossec/etc/shared/agent.conf a profile for a class of 
machine and updated the agent's ossec.conf with the config-profile in the 
 block.

Do I need to remove the ,  and all  entries 
on the client or will the manager simply override them?  Is the result 
"either (the manager configuration)/or (the agent configuration)" or 
cumulative (both components apply)?

