[ossec-list] Shared 'agent_config name' Question
Greetings,

We are using the RPM version of ossec-hids (version 2.3-2.el5.art) in a server/agent installation environment. Everything is working fine so far; however, we now have a need to add another server, and I need to specify rules and actions that are specific to that one server. I've done some research on the shared agent.conf file, where you can look at files based on the agent. My question is: can you also specify the rules this agent uses and the actions? In other words:

    <agent_config name="some_agent_name">
      <rules>
        <include>rule_file_name1</include>
        <include>rule_file_name2</include>
      </rules>
      <localfile>
        <log_format>syslog</log_format>
        <location>/var/log/secure</location>
      </localfile>
      <active-response>
        <command>host-deny</command>
        <location>local</location>
        <level>6</level>
        <timeout>600</timeout>
      </active-response>
    </agent_config>

Barking up the wrong tree? Any answers, pro or con, are appreciated.

Thanks,
Steven G. Spencer
Re: [ossec-list] Shared 'agent_config name' Question
I don't know about the active-response section, but the rules section shouldn't need to be modified, really. OSSEC is pretty resource light, so having rulesets loaded that you don't need shouldn't be too much of a problem.

On Fri, May 14, 2010 at 8:25 AM, Steven Spencer <sspencerw...@gmail.com> wrote:
Re: [ossec-list] Shared 'agent_config name' Question
In fact, not having all the rules loaded can cause a performance penalty, because non-matching events will end up being checked against the entire rule tree.

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Fri, May 14, 2010 at 10:27 AM, dan (ddp) <ddp...@gmail.com> wrote:
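The question above asks which sections of a shared agent.conf an agent will pick up from an <agent_config name="..."> block, and the replies point out that rule evaluation happens on the manager regardless. The script below is an added example, not OSSEC code from the project or from anyone in this thread: it parses a constructed agent.conf, selects the blocks that apply to a given agent name (a block with no name attribute applies to every agent), and separates the sections an agent is assumed to honour (localfile, syscheck, rootcheck; that set is an assumption) from sections such as rules and active-response, which this example treats as manager-side configuration belonging in ossec.conf. Useful as a pre-push sanity check on a shared agent.conf.

```python
"""Resolve which <agent_config> blocks of a shared OSSEC agent.conf apply to a
given agent and flag sections the agent is not expected to act on.

Added example; not OSSEC code. AGENT_SIDE is an assumption about which
sections an OSSEC 2.x agent reads from agent.conf.
"""
import xml.etree.ElementTree as ET

# Sections assumed to be honoured by the agent itself (assumption).
AGENT_SIDE = {"localfile", "syscheck", "rootcheck"}

# Constructed sample agent.conf: one block for every agent and one block
# restricted by name, using the element names from the question.
SAMPLE_AGENT_CONF = """
<agent_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>
</agent_config>
<agent_config name="some_agent_name">
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/secure</location>
  </localfile>
  <rules>
    <include>rule_file_name1</include>
  </rules>
  <active-response>
    <command>host-deny</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>
</agent_config>
"""


def parse_agent_conf(text):
    """agent.conf holds several top-level <agent_config> elements and no single
    root element, so wrap it in one before handing it to the XML parser."""
    root = ET.fromstring("<root>" + text + "</root>")
    return root.findall("agent_config")


def block_matches(block, agent_name):
    """A block without a name attribute applies to every agent; otherwise the
    name must match exactly."""
    name = block.get("name")
    return name is None or name == agent_name


def resolve(text, agent_name):
    """Return (applied, ignored).

    applied: list of (section tag, <location> text or None) for agent-side
             sections, in file order.
    ignored: section tags found in matching blocks that the agent is not
             expected to act on, so they need to live in the manager's
             ossec.conf instead.
    """
    applied, ignored = [], []
    for block in parse_agent_conf(text):
        if not block_matches(block, agent_name):
            continue
        for section in block:
            if section.tag in AGENT_SIDE:
                applied.append((section.tag, section.findtext("location")))
            else:
                ignored.append(section.tag)
    return applied, ignored


if __name__ == "__main__":
    applied, ignored = resolve(SAMPLE_AGENT_CONF, "some_agent_name")
    for tag, location in applied:
        print("applies on agent:", tag, location)
    for tag in ignored:
        print("not agent-side, configure on the manager:", tag)
```

Run it as-is to see the two localfile entries resolved for some_agent_name and the rules and active-response sections reported as manager-side; change the agent name in the resolve() call to see only the unrestricted block apply.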