Re: [ossec-list] Newby question
On Aug 22, 2017 12:52 PM, "Leroy Tennison" wrote:

> Hopefully final question about this, I notice the default manager's agent.conf has a configuration simply for os="linux" (and windows) as well as one which has no qualifier, I'm assuming those configurations apply to all systems with that os and all systems respectively. Correct? Suggestion, these might be worthwhile Architecture or FAQ additions.

Correct, with the exception of the manager. It does not utilize the agent.conf.

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Re: [ossec-list] Newby question
Hopefully final question about this, I notice the default manager's agent.conf has a configuration simply for os="linux" (and windows) as well as one which has no qualifier, I'm assuming those configurations apply to all systems with that os and all systems respectively. Correct? Suggestion, these might be worthwhile Architecture or FAQ additions.

On Tuesday, August 22, 2017 at 11:00:04 AM UTC-5, dan (ddpbsd) wrote:
> On Aug 22, 2017 11:55 AM, "Leroy Tennison" wrote:
>
>> Thank you for your reply, sadly, that's exactly what I've done (doubled up). I'll go fix that. Correct me if I'm wrong but, from your reply, it appears that I need to examine both the manager's agent.conf as well as the agent's ossec.conf to determine the "effective" configuration.
>
> That is correct. Unfortunately that would be correct in any conceivable scenario I can come up with.
> At best you can minimize the ossec.conf and utilize the agent.conf as much as possible.
Re: [ossec-list] Newby question
On Aug 22, 2017 11:55 AM, "Leroy Tennison" wrote:

> Thank you for your reply, sadly, that's exactly what I've done (doubled up). I'll go fix that. Correct me if I'm wrong but, from your reply, it appears that I need to examine both the manager's agent.conf as well as the agent's ossec.conf to determine the "effective" configuration.

That is correct. Unfortunately that would be correct in any conceivable scenario I can come up with.
At best you can minimize the ossec.conf and utilize the agent.conf as much as possible.
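
An added example, not part of the original thread and not OSSEC's own code: a Python script that merges an agent's ossec.conf with the manager's agent.conf cumulatively, as the replies in this thread describe, and reports syscheck directories that end up doubled. The sample files, paths and profile names are constructed, and the block matching (case-insensitive `os`, exact `profile` and `name`) is a simplifying assumption rather than OSSEC's actual matching logic.

```python
import xml.etree.ElementTree as ET

# Constructed sample files; paths and profile names are illustrative only.
AGENT_CONF = """
<agent_config><syscheck><directories>/etc</directories></syscheck></agent_config>
<agent_config os="linux"><syscheck><directories>/usr/bin,/usr/sbin</directories></syscheck></agent_config>
<agent_config profile="webserver"><syscheck><directories>/var/www</directories></syscheck></agent_config>
<agent_config profile="database"><syscheck><directories>/var/lib/mysql</directories></syscheck></agent_config>
"""
OSSEC_CONF = """
<ossec_config>
  <client><config-profile>webserver</config-profile></client>
  <syscheck><directories check_all="yes">/etc/,/bin</directories></syscheck>
</ossec_config>
"""

def _root(text):
    # Either file may hold several top-level blocks, so wrap them in one root.
    return ET.fromstring("<root>" + text + "</root>")

def _dirs(block, origin):
    # <directories> holds a comma-separated list; normalise trailing slashes.
    for d in block.iter("directories"):
        for path in (d.text or "").split(","):
            if path.strip():
                yield path.strip().rstrip("/") or "/", origin

def effective_syscheck(ossec_conf, agent_conf, os_name, agent_name=""):
    """Map each monitored path to every config block that contributes it."""
    local = _root(ossec_conf)
    profiles = {p.strip() for e in local.iter("config-profile")
                for p in (e.text or "").split(",")} | {None}
    found = list(_dirs(local, "ossec.conf"))
    for block in _root(agent_conf).iter("agent_config"):
        a = block.attrib
        # Simplified matching (assumption): every qualifier present must match.
        if (a.get("os", os_name).lower() == os_name.lower()
                and a.get("profile") in profiles
                and a.get("name", agent_name) == agent_name):
            label = " ".join(f'{k}="{v}"' for k, v in sorted(a.items())) or "all"
            found += _dirs(block, f"agent.conf[{label}]")
    merged = {}
    for path, origin in found:
        merged.setdefault(path, []).append(origin)
    return merged

def doubled_up(merged):
    """Paths that more than one source asks syscheck to monitor."""
    return {p: o for p, o in merged.items() if len(o) > 1}
```

Run it against the agent's own ossec.conf and the manager's shared agent.conf; any path returned by `doubled_up` should be removed from one of the two files.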
Re: [ossec-list] Newby question
Thank you for your reply, sadly, that's exactly what I've done (doubled up). I'll go fix that. Correct me if I'm wrong but, from your reply, it appears that I need to examine both the manager's agent.conf as well as the agent's ossec.conf to determine the "effective" configuration.

On Monday, August 21, 2017 at 5:40:53 PM UTC-5, dan (ddpbsd) wrote:
> On Aug 21, 2017 4:39 PM, "Leroy Tennison" wrote:
>
>> I have added to /var/ossec/etc/shared/agent.conf a profile for a class of machine and updated the agent's ossec.conf with the config-profile in the block.
>>
>> Do I need to remove the , and all entries on the client or will the manager simply override them? Is the result "either (the manager configuration)/or (the agent configuration)" or cumulative (both components apply)?
>
> Cumulative. All options are applied. It is important syscheck entries are not doubled up.
>
> Changing the agent.conf to over-riding ossec.conf options is something I am interested in, but haven't had time for.
[ossec-list] Newby question
I have added to /var/ossec/etc/shared/agent.conf a profile for a class of machine and updated the agent's ossec.conf with the config-profile in the block.

Do I need to remove the , and all entries on the client or will the manager simply override them? Is the result "either (the manager configuration)/or (the agent configuration)" or cumulative (both components apply)?