Re: [ossec-list] OSSEC alerts on syslog

2017-03-27 Thread ehollis3942
Hi All,

So I am currently still troubleshooting, but noticed that the syslog-ng 
process was listening on 514 TCP, but also had an entry for 514 UDP, which 
is the protocol I've set within my ossec.conf. Could this be part of the 
issue? My guess is that I only want 514 udp listening.

On Thursday, March 16, 2017 at 3:30:46 PM UTC-4, dan (ddpbsd) wrote:
>
> On Thu, Mar 16, 2017 at 11:33 AM,   
> wrote: 
> > Here is the output: 
> > 
> > udp 0 0 0.0.0.0:514 0.0.0.0:* 21090/syslog-ng 
> > 
>
> So syslog-ng is listening for incoming messages. 
> You'll have to figure out what syslog-ng is doing with the log messages. 
>
> > This is the only instance... 
> > 
> > 
> > On Wednesday, March 15, 2017 at 2:41:58 PM UTC-4, dan (ddpbsd) wrote: 
> >> 
> >> On Tue, Mar 14, 2017 at 3:37 PM,   wrote: 
> >> > Hello, yes: 
> >> > 
> >> > root@xx:/var/log# netstat -tuna | grep 514 
> >> > tcp 0 0 0.0.0.0:514 0.0.0.0:* 
> >> > udp 0 0 0.0.0.0:514 0.0.0.0:* 
> >> > 
> >> > 
> >> 
> >> Adding -p to that could tell you the process using that port. 
> >> `netstat -ptuna | grep 514` 
> >> 
> >> Is this securityonion? They may have syslog-ng already listening to the 
> >> network. 
> >> 
> >> > <remote>
> >> >   <connection>syslog</connection>
> >> >   <allowed-ips>161.182.xxx.xxx</allowed-ips>
> >> >   <allowed-ips>161.182.xxx.xxx</allowed-ips>
> >> > </remote>
> >> > 
> >> > 
> >> > 
> >> > On Tuesday, March 14, 2017 at 1:48:17 PM UTC-4, jose wrote: 
> >> >> 
> >> >> Hi, can you verify if the port is open? 
> >> >> 
> >> >> [root@wazuh-manager /]# netstat -tuna | grep 514 
> >> >> udp 0 0 0.0.0.0:514 0.0.0.0:* 
> >> >> 
> >> >> The symantec ip is allowed in ossec.conf right? 
> >> >> 
> >> >> 
> >> >> 
> >> >> Regards 
> >> >> --- 
> >> >> Jose Luis Ruiz 
> >> >> Wazuh Inc. 
> >> >> jo...@wazuh.com 
> >> >> 
> >> >> On March 14, 2017 at 12:44:07 PM, eholl...@gmail.com 
> >> >> (eholl...@gmail.com) 
> >> >> wrote: 
> >> >> 
> >> >> It's very strange... I have already enabled syslog over 514 from our 
> >> >> symantec server to the OSSEC server, and I see the logs coming into our 
> >> >> ELSA instance, but I have grep'd our syslog files, OSSEC archive and 
> >> >> OSSEC alerts files and do not see the log anywhere on the server... 
> >> >> Where should these logs be written when being sent to the server? I've 
> >> >> checked all gzipped files in /var/log/ as well as all files in 
> >> >> /var/ossec/logs/archive/ and /var/ossec/logs/alerts/ 
> >> >> 
> >> 
> >> `/var/ossec/logs/archives/archives.log` only contains entries if you 
> >> enable the logall option in the ossec.conf. 
> >> I'm not sure if it records messages sent to the syslog remoted stuff. 
> >> I just haven't tested it. 
> >> 
> >> >> On Tuesday, March 14, 2017 at 11:44:36 AM UTC-4, jose wrote: 
> >> >>> 
> >> >>> Hello, 
> >> >>> 
> >> >>> In order to permit OSSEC to receive your Symantec syslog messages, 
> >> >>> you need to enable this in the configuration: 
> >> >>> 
> >> >>> Listen in port 514: 
> >> >>> 
> >> >>> <remote>
> >> >>>   <connection>syslog</connection>
> >> >>>   <allowed-ips>Symantec AV ip</allowed-ips>
> >> >>> </remote>
> >> >>> 
> >> >>> then you need to restart ossec: 
> >> >>> 
> >> >>> /var/ossec/bin/ossec-control restart 
> >> >>> 
> >> >>> If after these changes you are still not receiving alerts, enable 
> >> >>> logall in ossec.conf (<logall>yes</logall>) and take a look in the 
> >> >>> file “/var/ossec/logs/archives/archives.log”; if the logs are in this 
> >> >>> file but not in your alerts, probably the decoders or rules have 
> >> >>> something wrong. 
> >> >>> 
> >> >>> 
> >> >>> 
> >> >>> Regards 
> >> >>> --- 
> >> >>> Jose Luis Ruiz 
> >> >>> Wazuh Inc. 
> >> >>> jo...@wazuh.com 
> >> >>> 
> >> >>> On March 14, 2017 at 10:57:55 AM, eholl...@gmail.com 
> >> >>> (eholl...@gmail.com) 
> >> >>> wrote: 
> >> >>> 
> >> >>> Hello All, 
> >> >>> 
> >> >>> I have pointed my Symantec AV logs to our OSSEC server via syslog 
> >> >>> over port 514. I am seeing the logs come into ELSA, but not as OSSEC 
> >> >>> alerts. I have created a custom decoder and parser, and can confirm 
> >> >>> that it is working: 
> >> >>> 
> >> >>> **Phase 2: Completed decoding. 
> >> >>>        decoder: 'Symantec' 
> >> >>> 
> >> >>> **Phase 3: Completed filtering (rules). 
> >> >>>        Rule id: '16' 
> >> >>>        Level: '7' 
> >> >>>        Description: 'Symantec: virus found' 
> >> >>> **Alert to be generated. 
> >> >>> 
> >> >>> Do I need to point OSSEC to monitor the incoming syslog so that it 
> >> >>> can alert on it? Again, I am seeing the straight syslog coming into 
> >> >>> ELSA, but no OSSEC alert appears to be generated. 
> >> >>> 
> >> >>> Thanks 

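The checks this thread walks through, as an added script (not OSSEC's code and not something anyone posted here): which process owns the configured syslog port, as netstat -ptuna shows it, and whether the sender is covered by allowed-ips. It assumes the classic ossec.conf <remote> block (connection/port/protocol/allowed-ips) and the column layout of netstat -ptuna; the config fragment and the netstat lines are constructed.

```python
"""Cross-check an ossec.conf <remote> syslog listener against the sockets bound
on the manager.  Added example, not OSSEC's code; all inputs are constructed."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed ossec.conf fragment mirroring the thread (addresses are placeholders).
OSSEC_CONF = """<ossec_config>
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>udp</protocol>
    <allowed-ips>161.182.0.0/16</allowed-ips>
    <allowed-ips>10.20.</allowed-ips>
  </remote>
</ossec_config>
"""
# Constructed `netstat -ptuna` output: syslog-ng holds 514/udp, as in the thread.
NETSTAT = """\
Proto Recv-Q Send-Q Local Address  Foreign Address  State   PID/Program name
tcp        0      0 0.0.0.0:514    0.0.0.0:*        LISTEN  21090/syslog-ng
udp        0      0 0.0.0.0:514    0.0.0.0:*                21090/syslog-ng
udp        0      0 0.0.0.0:1514   0.0.0.0:*                3301/ossec-remoted
"""

def parse_remote_listeners(conf_xml):
    """One dict per <remote> block whose <connection> is syslog."""
    listeners = []
    for rem in ET.fromstring(conf_xml).iter("remote"):
        if (rem.findtext("connection") or "").strip() != "syslog":
            continue
        listeners.append({
            "port": int((rem.findtext("port") or "514").strip()),  # OSSEC default
            "protocol": (rem.findtext("protocol") or "udp").strip().lower(),
            "allowed": [a.text.strip() for a in rem.findall("allowed-ips")],
        })
    return listeners

def parse_netstat(text):
    """Map (proto, port) -> 'pid/program' for each bound socket in the output."""
    owners = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0][:3] not in ("tcp", "udp"):
            continue  # header line or something we do not care about
        port = int(parts[3].rsplit(":", 1)[1])
        owners[(parts[0][:3], port)] = parts[-1]  # last column is PID/Program
    return owners

def source_allowed(allowed, source_ip):
    """allowed-ips takes a host, a CIDR, or a dotted prefix such as '161.182.'."""
    ip = ipaddress.ip_address(source_ip)
    for entry in allowed:
        if entry.endswith("."):
            if source_ip.startswith(entry):
                return True
        elif ip in ipaddress.ip_network(entry, strict=False):
            return True
    return False

def check_listener(listener, owners, source_ip):
    """Findings that explain 'logs reach the box but OSSEC never alerts'."""
    findings = []
    proto, port = listener["protocol"], listener["port"]
    owner = owners.get((proto, port))
    if owner is None:
        findings.append(f"nothing is bound on {port}/{proto}: is ossec-remoted running?")
    elif not owner.endswith("/ossec-remoted"):
        findings.append(f"{port}/{proto} is held by {owner}, so ossec-remoted cannot "
                        "bind it and the messages go to that process instead")
    if not source_allowed(listener["allowed"], source_ip):
        findings.append(f"{source_ip} is not covered by allowed-ips; remoted drops it")
    return findings
```

Calling check_listener(parse_remote_listeners(OSSEC_CONF)[0], parse_netstat(NETSTAT), "161.182.10.20") reproduces the diagnosis above: the only finding is that 514/udp belongs to syslog-ng.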
Re: [ossec-list] OSSEC alerts on syslog

2017-03-16 Thread ehollis3942
Here is the output:

udp 0 0 0.0.0.0:514 0.0.0.0:* 21090/syslog-ng

This is the only instance...


On Wednesday, March 15, 2017 at 2:41:58 PM UTC-4, dan (ddpbsd) wrote:
>
> On Tue, Mar 14, 2017 at 3:37 PM,   
> wrote: 
> > Hello, yes: 
> > 
> > root@xx:/var/log# netstat -tuna | grep 514 
> > tcp 0 0 0.0.0.0:514 0.0.0.0:* 
> > udp 0 0 0.0.0.0:514 0.0.0.0:* 
> > 
> > 
>
> Adding -p to that could tell you the process using that port. 
> `netstat -ptuna | grep 514` 
>
> Is this securityonion? They may have syslog-ng already listening to the 
> network. 
>
> > <remote>
> >   <connection>syslog</connection>
> >   <allowed-ips>161.182.xxx.xxx</allowed-ips>
> >   <allowed-ips>161.182.xxx.xxx</allowed-ips>
> > </remote>
> > 
> > 
> > 
> > On Tuesday, March 14, 2017 at 1:48:17 PM UTC-4, jose wrote: 
> >> 
> >> Hi, can you verify if the port is open? 
> >> 
> >> [root@wazuh-manager /]# netstat -tuna | grep 514 
> >> udp 0 0 0.0.0.0:514 0.0.0.0:* 
> >> 
> >> The symantec ip is allowed in ossec.conf right? 
> >> 
> >> 
> >> 
> >> Regards 
> >> --- 
> >> Jose Luis Ruiz 
> >> Wazuh Inc. 
> >> jo...@wazuh.com 
> >> 
> >> On March 14, 2017 at 12:44:07 PM, eholl...@gmail.com 
> >> (eholl...@gmail.com) wrote: 
> >> 
> >> It's very strange... I have already enabled syslog over 514 from our 
> >> symantec server to the OSSEC server, and I see the logs coming into our 
> >> ELSA instance, but I have grep'd our syslog files, OSSEC archive and OSSEC 
> >> alerts files and do not see the log anywhere on the server... Where should 
> >> these logs be written when being sent to the server? I've checked all 
> >> gzipped files in /var/log/ as well as all files in /var/ossec/logs/archive/ 
> >> and /var/ossec/logs/alerts/ 
> >> 
>
> `/var/ossec/logs/archives/archives.log` only contains entries if you 
> enable the logall option in the ossec.conf. 
> I'm not sure if it records messages sent to the syslog remoted stuff. 
> I just haven't tested it. 
>
> >> On Tuesday, March 14, 2017 at 11:44:36 AM UTC-4, jose wrote: 
> >>> 
> >>> Hello, 
> >>> 
> >>> In order to permit OSSEC to receive your Symantec syslog messages, you 
> >>> need to enable this in the configuration: 
> >>> 
> >>> Listen in port 514: 
> >>> 
> >>> <remote>
> >>>   <connection>syslog</connection>
> >>>   <allowed-ips>Symantec AV ip</allowed-ips>
> >>> </remote>
> >>> 
> >>> then you need to restart ossec: 
> >>> 
> >>> /var/ossec/bin/ossec-control restart 
> >>> 
> >>> If after these changes you are still not receiving alerts, enable 
> >>> logall in ossec.conf (<logall>yes</logall>) and take a look in the file 
> >>> “/var/ossec/logs/archives/archives.log”; if the logs are in this file 
> >>> but not in your alerts, probably the decoders or rules have something 
> >>> wrong. 
> >>> 
> >>> 
> >>> 
> >>> Regards 
> >>> --- 
> >>> Jose Luis Ruiz 
> >>> Wazuh Inc. 
> >>> jo...@wazuh.com 
> >>> 
> >>> On March 14, 2017 at 10:57:55 AM, eholl...@gmail.com 
> >>> (eholl...@gmail.com) wrote: 
> >>> 
> >>> Hello All, 
> >>> 
> >>> I have pointed my Symantec AV logs to our OSSEC server via syslog over 
> >>> port 514. I am seeing the logs come into ELSA, but not as OSSEC alerts. 
> >>> I have created a custom decoder and parser, and can confirm that it is 
> >>> working: 
> >>> 
> >>> **Phase 2: Completed decoding. 
> >>>        decoder: 'Symantec' 
> >>> 
> >>> **Phase 3: Completed filtering (rules). 
> >>>        Rule id: '16' 
> >>>        Level: '7' 
> >>>        Description: 'Symantec: virus found' 
> >>> **Alert to be generated. 
> >>> 
> >>> Do I need to point OSSEC to monitor the incoming syslog so that it can 
> >>> alert on it? Again, I am seeing the straight syslog coming into ELSA, 
> >>> but no OSSEC alert appears to be generated. 
> >>> 
> >>> Thanks 

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [ossec-list] OSSEC alerts on syslog

2017-03-14 Thread ehollis3942
Hello, yes:

root@xx:/var/log# netstat -tuna | grep 514
tcp 0 0 0.0.0.0:514 0.0.0.0:*
udp 0 0 0.0.0.0:514 0.0.0.0:*


<remote>
  <connection>syslog</connection>
  <allowed-ips>161.182.xxx.xxx</allowed-ips>
  <allowed-ips>161.182.xxx.xxx</allowed-ips>
</remote>



On Tuesday, March 14, 2017 at 1:48:17 PM UTC-4, jose wrote:
>
> Hi, can you verify if the port is open?
>
> [root@wazuh-manager /]# netstat -tuna | grep 514
> udp 0 0 0.0.0.0:514 0.0.0.0:*
>
> The symantec ip is allowed in ossec.conf right?
>
>
>
> Regards
> ---
> Jose Luis Ruiz
> Wazuh Inc.
> jo...@wazuh.com 
>
> On March 14, 2017 at 12:44:07 PM, eholl...@gmail.com  (
> eholl...@gmail.com ) wrote:
>
> It's very strange... I have already enabled syslog over 514 from 
> our symantec server to the OSSEC server, and I see the logs coming into our 
> ELSA instance, but I have grep'd our syslog files, OSSEC archive and OSSEC 
> alerts files and do not see the log anywhere on the server... Where should 
> these logs be written when being sent to the server? I've checked all 
> gzipped files in /var/log/ as well as all files in /var/ossec/logs/archive/ 
> and /var/ossec/logs/alerts/
>
> On Tuesday, March 14, 2017 at 11:44:36 AM UTC-4, jose wrote: 
>>
>> Hello,
>>
>> In order to permit OSSEC to receive your Symantec syslog messages, you need 
>> to enable this in the configuration:
>>
>> Listen in port 514:
>>
>> <remote>
>>   <connection>syslog</connection>
>>   <allowed-ips>Symantec AV ip</allowed-ips>
>> </remote>
>>
>> then you need to restart ossec:
>>
>> /var/ossec/bin/ossec-control restart
>>
>> If after these changes you are still not receiving alerts, enable logall 
>> in ossec.conf (<logall>yes</logall>) and take a look in the file 
>> “/var/ossec/logs/archives/archives.log”; if the logs are in this file, but 
>> not in your alerts, probably the decoders or rules have something wrong.
>>
>>
>> Regards
>> ---
>> Jose Luis Ruiz
>> Wazuh Inc.
>> jo...@wazuh.com
>>
>> On March 14, 2017 at 10:57:55 AM, eholl...@gmail.com (eholl...@gmail.com) 
>> wrote:
>>
>> Hello All, 
>>
>> I have pointed my Symantec AV logs to our OSSEC server via syslog over 
>> port 514. I am seeing the logs come into ELSA, but not as OSSEC alerts. I 
>> have created a custom decoder and parser, and can confirm that it is 
>> working:
>>
>> **Phase 2: Completed decoding.
>>        decoder: 'Symantec'
>>
>> **Phase 3: Completed filtering (rules).
>>        Rule id: '16'
>>        Level: '7'
>>        Description: 'Symantec: virus found'
>> **Alert to be generated.
>>
>> Do I need to point OSSEC to monitor the incoming syslog so that it can 
>> alert on it? Again, I am seeing the straight syslog coming into ELSA, but 
>> no OSSEC alert appears to be generated.
>>
>> Thanks



Re: [ossec-list] OSSEC alerts on syslog

2017-03-14 Thread ehollis3942
It's very strange... I have already enabled syslog over 514 from our 
symantec server to the OSSEC server, and I see the logs coming into our 
ELSA instance, but I have grep'd our syslog files, OSSEC archive and OSSEC 
alerts files and do not see the log anywhere on the server... Where should 
these logs be written when being sent to the server? I've checked all 
gzipped files in /var/log/ as well as all files in /var/ossec/logs/archive/ 
and /var/ossec/logs/alerts/

On Tuesday, March 14, 2017 at 11:44:36 AM UTC-4, jose wrote:
>
> Hello,
>
> In order to permit OSSEC to receive your Symantec syslog messages, you need 
> to enable this in the configuration:
>
> Listen in port 514:
>
> <remote>
>   <connection>syslog</connection>
>   <allowed-ips>Symantec AV ip</allowed-ips>
> </remote>
>
> then you need to restart ossec:
>
> /var/ossec/bin/ossec-control restart
>
> If after these changes you are still not receiving alerts, enable logall 
> in ossec.conf (<logall>yes</logall>) and take a look in the file 
> “/var/ossec/logs/archives/archives.log”; if the logs are in this file, but 
> not in your alerts, probably the decoders or rules have something wrong.
>
>
>
> Regards
> ---
> Jose Luis Ruiz
> Wazuh Inc.
> jo...@wazuh.com 
>
> On March 14, 2017 at 10:57:55 AM, eholl...@gmail.com  (
> eholl...@gmail.com ) wrote:
>
> Hello All, 
>
> I have pointed my Symantec AV logs to our OSSEC server via syslog over 
> port 514. I am seeing the logs come into ELSA, but not as OSSEC alerts. I 
> have created a custom decoder and parser, and can confirm that it is 
> working:
>
> **Phase 2: Completed decoding.
>        decoder: 'Symantec'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '16'
>        Level: '7'
>        Description: 'Symantec: virus found'
> **Alert to be generated.
>
> Do I need to point OSSEC to monitor the incoming syslog so that it can 
> alert on it? Again, I am seeing the straight syslog coming into ELSA, but 
> no OSSEC alert appears to be generated.
>
> Thanks



[ossec-list] OSSEC alerts on syslog

2017-03-14 Thread ehollis3942
Hello All,

I have pointed my Symantec AV logs to our OSSEC server via syslog over port 
514. I am seeing the logs come into ELSA, but not as OSSEC alerts. I have 
created a custom decoder and parser, and can confirm that it is working:

**Phase 2: Completed decoding.
   decoder: 'Symantec'

**Phase 3: Completed filtering (rules).
   Rule id: '16'
   Level: '7'
   Description: 'Symantec: virus found'
**Alert to be generated.

Do I need to point OSSEC to monitor the incoming syslog so that it can 
alert on it? Again, I am seeing the straight syslog coming into ELSA, but 
no OSSEC alert appears to be generated.

Thanks



Re: [ossec-list] Central ossec.conf management question

2017-02-01 Thread ehollis3942
Our OSSEC server is running the newest version of Security Onion which has 
it built in

On Wednesday, February 1, 2017 at 1:15:16 PM UTC-5, dan (ddpbsd) wrote:
>
> On Wed, Feb 1, 2017 at 1:12 PM,   
> wrote: 
> > Just a note, I have had /var/ossec/etc/shared/agent.conf go from having 
> > content back to being blank a number of times here without having any 
> > interaction on the server. Has anyone else experienced this? 
> > 
>
> Did you install OSSEC from source, or from a package? 
>
> > On Wednesday, February 1, 2017 at 12:38:44 PM UTC-5, dan (ddpbsd) wrote: 
> >> 
> >> On Wed, Feb 1, 2017 at 12:25 PM,   wrote: 
> >> > Hello All, 
> >> > 
> >> > I am currently working on a central ossec.conf file which contains 
> >> > our Windows and Linux configurations for all clients. Here are a few 
> >> > background details: 
> >> > 
> >> > 1. We currently only have a few Linux deployments and roughly 6 
> >> > Windows deployments as a POC 
> >> > 2. All clients have a custom config, specific to Windows or Linux 
> >> > 
> >> > Now, I'd like to manage clients going forward with a central config 
> >> > file using agent.conf within /var/ossec/etc/shared. I've followed these 
> >> > steps: 
> >> > 
> >> > 1. Created an agent.conf file, and ran verify-agent-conf without any 
> >> > issues. 
> >> > 2. Ran MD5SUM against the agent.conf and noted hash 
> >> > 3. Ran agent-control -R  against a few clients 
> >> > 4. Ran agent-control -i  and verified that the MD5 changed to match 
> >> > the agent.conf hash 
> >> > 5. I review the agent.conf file on a Windows client that had updated 
> >> > and it is blank 
> >> > 6. I review the merged.mg file on the same client and I do see within 
> >> > the file that the custom agent.conf from the server is present 
> >> > 7. I go back to the /var/ossec/etc/shared/agent.conf and now see that 
> >> > it is completely blank with a different MD5 
> >> > 
> >> > Can anyone explain why the agent.conf on the server would have the 
> >> > content removed? My guess is that if the client doesn't have this info 
> >> > in the agent.conf that it is only reading their local ossec.conf file? 
> >> > 
> >> > As a side note, do I need to re-deploy a new ossec.conf to clients 
> >> > out there with only the server IP configuration or will OSSEC merge 
> >> > the config with the agent.conf on the server? 
> >> > 
> >> 
> >> There shouldn't be anything in ossec that will blank the agent.conf on 
> >> the server. 
> >> If there is no agent.conf, the agent will use the ossec.conf. 
> >> The running configuration merges the ossec.conf and agent.conf. 
> >> 
> >> > Thanks all for the help! 
> >> > 
> >> > Eric 
> >> > 



Re: [ossec-list] Central ossec.conf management question

2017-02-01 Thread ehollis3942
Just a note, I have had /var/ossec/etc/shared/agent.conf go from having 
content back to being blank a number of times here without having any 
interaction on the server. Has anyone else experienced this?

On Wednesday, February 1, 2017 at 12:38:44 PM UTC-5, dan (ddpbsd) wrote:
>
> On Wed, Feb 1, 2017 at 12:25 PM,   
> wrote: 
> > Hello All, 
> > 
> > I am currently working on a central ossec.conf file which contains our 
> > Windows and Linux configurations for all clients. Here are a few 
> > background details: 
> > 
> > 1. We currently only have a few Linux deployments and roughly 6 Windows 
> > deployments as a POC 
> > 2. All clients have a custom config, specific to Windows or Linux 
> > 
> > Now, I'd like to manage clients going forward with a central config file 
> > using agent.conf within /var/ossec/etc/shared. I've followed these 
> > steps: 
> > 
> > 1. Created an agent.conf file, and ran verify-agent-conf without any 
> > issues. 
> > 2. Ran MD5SUM against the agent.conf and noted hash 
> > 3. Ran agent-control -R  against a few clients 
> > 4. Ran agent-control -i  and verified that the MD5 changed to match 
> > the agent.conf hash 
> > 5. I review the agent.conf file on a Windows client that had updated and 
> > it is blank 
> > 6. I review the merged.mg file on the same client and I do see within 
> > the file that the custom agent.conf from the server is present 
> > 7. I go back to the /var/ossec/etc/shared/agent.conf and now see that it 
> > is completely blank with a different MD5 
> > 
> > Can anyone explain why the agent.conf on the server would have the 
> > content removed? My guess is that if the client doesn't have this info 
> > in the agent.conf that it is only reading their local ossec.conf file? 
> > 
> > As a side note, do I need to re-deploy a new ossec.conf to clients out 
> > there with only the server IP configuration or will OSSEC merge the 
> > config with the agent.conf on the server? 
> > 
>
> There shouldn't be anything in ossec that will blank the agent.conf on 
> the server. 
> If there is no agent.conf, the agent will use the ossec.conf. 
> The running configuration merges the ossec.conf and agent.conf. 
>
> > Thanks all for the help! 
> > 
> > Eric 
> > 



[ossec-list] Central ossec.conf management question

2017-02-01 Thread ehollis3942
Hello All,

I am currently working on a central ossec.conf file which contains our 
Windows and Linux configurations for all clients. Here are a few background 
details:

1. We currently only have a few Linux deployments and roughly 6 Windows 
deployments as a POC
2. All clients have a custom config, specific to Windows or Linux

Now, I'd like to manage clients going forward with a central config file 
using agent.conf within /var/ossec/etc/shared. I've followed these steps:

1. Created an agent.conf file, and ran verify-agent-conf without any issues.
2. Ran MD5SUM against the agent.conf and noted hash
3. Ran agent-control -R  against a few clients
4. Ran agent-control -i  and verified that the MD5 changed to match the 
agent.conf hash
5. I review the agent.conf file on a Windows client that had updated and it 
is blank
6. I review the merged.mg file on the same client and I do see within the 
file that the custom agent.conf from the server is present 
7. I go back to the /var/ossec/etc/shared/agent.conf and now see that it is 
completely blank with a different MD5

Can anyone explain why the agent.conf on the server would have the content 
removed? My guess is that if the client doesn't have this info in the 
agent.conf that it is only reading their local ossec.conf file?

As a side note, do I need to re-deploy a new ossec.conf to clients out 
there with only the server IP configuration or will OSSEC merge the config 
with the agent.conf on the server?

Thanks all for the help!

Eric 

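The comparison that steps 2, 4 and 6 above do by hand, as an added example (not OSSEC's own code and not posted in the thread): unmerge a merged.mg and check the MD5 of the agent.conf it carries against the server's shared/agent.conf. It assumes merged.mg is a sequence of "!<size> <name>" headers, each followed by exactly that many bytes of the file, with any leading "#" comment lines skipped; the agent.conf and merged.mg below are constructed.

```python
"""Unmerge an OSSEC merged.mg and compare the agent.conf it carries with the
server's shared/agent.conf.  Added example, not OSSEC's own code.  Assumes
merged.mg is a run of '!<size> <name>' headers, each followed by exactly <size>
bytes of that file, optionally preceded by '#' comment lines."""
import hashlib

# Constructed server-side /var/ossec/etc/shared/agent.conf.
SERVER_AGENT_CONF = b"""<agent_config os="Windows">
  <localfile>
    <location>Application</location>
    <log_format>eventlog</log_format>
  </localfile>
</agent_config>
"""

def md5(data):
    return hashlib.md5(data).hexdigest()

def build_merged(files):
    """Produce merged.mg bytes from {name: content} in the assumed format."""
    out = b""
    for name, content in files.items():
        out += b"!%d %s\n" % (len(content), name.encode()) + content
    return out

def unmerge(blob):
    """Split merged.mg back into {name: content}, as the agent does on receipt."""
    files, pos = {}, 0
    while pos < len(blob):
        nl = blob.index(b"\n", pos)
        if blob[pos:pos + 1] == b"#":      # group/comment line: skip it
            pos = nl + 1
            continue
        if blob[pos:pos + 1] != b"!":
            raise ValueError(f"expected '!' header at offset {pos}")
        size_str, name = blob[pos + 1:nl].decode().split(" ", 1)
        size, start = int(size_str), nl + 1
        files[name] = blob[start:start + size]
        if len(files[name]) != size:
            raise ValueError(f"{name}: truncated, expected {size} bytes")
        pos = start + size
    return files

def compare(server_agent_conf, merged_blob):
    """Return (server_md5, client_md5, verdict): steps 2, 4 and 6 done by hand."""
    client = unmerge(merged_blob).get("agent.conf", b"")
    s, c = md5(server_agent_conf), md5(client)
    if not server_agent_conf.strip():
        verdict = "blank: the server agent.conf is empty, agents fall back to ossec.conf"
    elif s == c:
        verdict = "match: the client holds the same agent.conf as the server"
    else:
        verdict = "mismatch: the agent has not picked up the current agent.conf"
    return s, c, verdict

# Constructed merged.mg carrying the agent.conf plus one other shared file.
MERGED_MG = build_merged({"agent.conf": SERVER_AGENT_CONF,
                          "rootkit_files.txt": b"# constructed\n"})

if __name__ == "__main__":
    print(compare(SERVER_AGENT_CONF, MERGED_MG))
    print(compare(b"", MERGED_MG))  # the state the poster saw in step 7
```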