Hi Joe,
Thank you for your reply. I am trying to figure out how this works but
what I tried so far does not work.
Just as background, I have installed OSSEC 2.5.1 locally on all my
Windows hosts via the /S switch. By default, this created ossec.conf
in C:\Program Files\ossec-agent. In my environment, I have Solaris
hosts with ossec installed as well. The ossec server is running on a
Solaris machine. I have created agent.conf in /opt/ossec/etc/shared. I
tried to restart the agent on a Windows machine from the server but
agent.conf does not get pushed out. Can you advise where I should
start looking?
Also, I can see from the web UI that OSSEC is able to identify the OS on
the agents. So does this mean that if I do <agent_conf os="Windows">
it will automatically apply this to all Windows based machines?
Do I need a separate agent.conf for Solaris based hosts or simply a
separate <agent_config os="Solaris"> in the agent.conf file?
Many thanks in advance for any hints or pointers you can provide.
Here is a sample of my agent.conf
<agent_config os="Windows">
  <client>
    <server-ip>192.168.1.1</server-ip>
  </client>
  <syscheck>
    <!-- Frequency that syscheck is executed - default to every 22 hours -->
    <frequency>79200</frequency>
    <!-- Default files to be monitored - system32 only. -->
    <directories check_all="yes">%WINDIR%/win.ini</directories>
    ....
  </syscheck>
  <rootcheck>
    <windows_audit>./shared/win_audit_rcl.txt</windows_audit>
    <windows_apps>./shared/win_applications_rcl.txt</windows_apps>
    <windows_malware>./shared/win_malware_rcl.txt</windows_malware>
  </rootcheck>
  <active-response>
    <disabled>yes</disabled>
  </active-response>
  <alerts>
    <log_alert_level>1</log_alert_level>
  </alerts>
  <!-- Files to monitor (localfiles) -->
</agent_config>
Regards,
George
On Dec 3, 9:40 pm, Joe Gedeon <[email protected]> wrote:
> George,
>
> It is much easier to do this with a centralized agent configuration.
> Take a look here.
>
> http://www.ossec.net/main/manual/centralized-config/
>
> You can put just about the complete config in etc/shared/agent.conf so
> that it is rolled out to all hosts.
>
> On Fri, Dec 3, 2010 at 01:55, GeorgeY <[email protected]> wrote:
> > Hi all,
>
> > Please excuse my ignorance, we are starting to mass deploy OSSEC on
> > Windows as well as Solaris hosts. If, for example, after a couple of
> > months, we would like to change certain settings in ossec.conf, how
> > can we propagate the changes to all hosts?
>
> > 1. Can we simply copy and paste it over the existing and restart the
> > service?
> > 2. Can we deploy it from the central server out to all connected
> > hosts?
>
> > Thanks in advance.
>
> --
> Registered Linux User # 379282
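
A pre-deployment check for a shared agent.conf of the kind discussed in this thread, as an added example that is not part of the original messages or of OSSEC itself: it lists each top-level block with its selector attributes and flags top-level elements not named agent_config, unrecognized selector attributes, and stray text between elements. The function name lint_agent_conf, the accepted selector set (name, os, profile) and the sample input are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Assumption: selector attributes accepted on <agent_config>; adjust to your OSSEC version.
SELECTORS = {"name", "os", "profile"}

# Constructed sample modelled on the agent.conf in the message above.
SAMPLE = """
<agent_config os="Windows">
  <syscheck>
    <frequency>79200</frequency>
    <directories check_all="yes">%WINDIR%/win.ini</directories>
    ....
  </syscheck>
</agent_config>
<agent_conf os="Solaris">
  <syscheck><frequency>79200</frequency></syscheck>
</agent_conf>
"""

def lint_agent_conf(text):
    """Return (blocks, warnings) for the text of a shared agent.conf."""
    # agent.conf holds several top-level blocks, so wrap it in one root to parse it.
    try:
        root = ET.fromstring("<wrapper>" + text + "</wrapper>")
    except ET.ParseError as exc:
        return [], ["not well-formed XML: %s" % exc]
    blocks, warnings = [], []
    for block in root:
        if block.tag != "agent_config":
            warnings.append("top-level <%s> is not <agent_config>" % block.tag)
            continue
        unknown = sorted(set(block.attrib) - SELECTORS)
        if unknown:
            warnings.append("unknown selector attribute(s): " + ", ".join(unknown))
        blocks.append((dict(block.attrib), [child.tag for child in block]))
        # Text sitting between child elements (such as a pasted "....") is flagged for review.
        for elem in block.iter():
            for piece in ([elem.text] + [c.tail for c in elem]) if len(elem) else []:
                if piece and piece.strip():
                    warnings.append("stray text %r inside <%s>" % (piece.strip(), elem.tag))
    return blocks, warnings

if __name__ == "__main__":
    found, problems = lint_agent_conf(SAMPLE)
    for selectors, sections in found:
        print("block", selectors or "(all agents)", "->", ", ".join(sections))
    for problem in problems:
        print("WARNING:", problem)
```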