George,
Here is the shared agent config that I use on the server for the
Windows hosts. The ossec.conf on the agent is just about blank; it is
very minimal. Once I find my Windows installer I can send you a copy of
that. In your example of your shared agent.conf you had the server set
in there. The server must be set on the client. Also, active response
must be enabled on the client and not in the shared configuration. What
you see in the shared agent.conf can be removed from the agent's
ossec.conf so that it doesn't overlap.
cat etc/shared/agent.conf
<agent_config os="Windows">
<!-- One entry for each file/Event log to monitor. -->
<localfile>
<location>Application</location>
<log_format>eventlog</log_format>
</localfile>
<localfile>
<location>Security</location>
<log_format>eventlog</log_format>
</localfile>
<localfile>
<location>System</location>
<log_format>eventlog</log_format>
</localfile>
<!-- Rootcheck - Policy monitor config -->
<rootcheck>
<windows_audit>./shared/win_audit_rcl.txt</windows_audit>
<windows_apps>./shared/win_applications_rcl.txt</windows_apps>
<windows_malware>./shared/win_malware_rcl.txt</windows_malware>
</rootcheck>
<!-- Syscheck - Integrity Checking config. -->
<syscheck>
<!-- Default frequency, every 20 hours. It doesn't need to be higher
- on most systems and once a day should be enough.
-->
<frequency>72000</frequency>
<!-- By default it is disabled. In the Install you must choose
- to enable it.
-->
<disabled>no</disabled>
<!-- Default files to be monitored - system32 only. -->
<directories check_all="yes">%WINDIR%/win.ini</directories>
<directories check_all="yes">%WINDIR%/system.ini</directories>
<directories check_all="yes">C:\autoexec.bat</directories>
<directories check_all="yes">C:\config.sys</directories>
<directories check_all="yes">C:\boot.ini</directories>
<directories check_all="yes">%WINDIR%/System32/CONFIG.NT</directories>
<directories check_all="yes">%WINDIR%/System32/AUTOEXEC.NT</directories>
<directories check_all="yes">%WINDIR%/System32/at.exe</directories>
<directories check_all="yes">%WINDIR%/System32/attrib.exe</directories>
<directories check_all="yes">%WINDIR%/System32/cacls.exe</directories>
<directories check_all="yes">%WINDIR%/System32/debug.exe</directories>
<directories check_all="yes">%WINDIR%/System32/drwatson.exe</directories>
<directories check_all="yes">%WINDIR%/System32/drwtsn32.exe</directories>
<directories check_all="yes">%WINDIR%/System32/edlin.exe</directories>
<directories check_all="yes">%WINDIR%/System32/eventcreate.exe</directories>
<directories check_all="yes">%WINDIR%/System32/eventtriggers.exe</directories>
<directories check_all="yes">%WINDIR%/System32/ftp.exe</directories>
<directories check_all="yes">%WINDIR%/System32/net.exe</directories>
<directories check_all="yes">%WINDIR%/System32/net1.exe</directories>
<directories check_all="yes">%WINDIR%/System32/netsh.exe</directories>
<directories check_all="yes">%WINDIR%/System32/rcp.exe</directories>
<directories check_all="yes">%WINDIR%/System32/reg.exe</directories>
<directories check_all="yes">%WINDIR%/regedit.exe</directories>
<directories check_all="yes">%WINDIR%/System32/regedt32.exe</directories>
<directories check_all="yes">%WINDIR%/System32/regsvr32.exe</directories>
<directories check_all="yes">%WINDIR%/System32/rexec.exe</directories>
<directories check_all="yes">%WINDIR%/System32/rsh.exe</directories>
<directories check_all="yes">%WINDIR%/System32/runas.exe</directories>
<directories check_all="yes">%WINDIR%/System32/sc.exe</directories>
<directories check_all="yes">%WINDIR%/System32/subst.exe</directories>
<directories check_all="yes">%WINDIR%/System32/telnet.exe</directories>
<directories check_all="yes">%WINDIR%/System32/tftp.exe</directories>
<directories check_all="yes">%WINDIR%/System32/tlntsvr.exe</directories>
<directories check_all="yes">%WINDIR%/System32/drivers/etc</directories>
<directories check_all="yes">C:\Documents and Settings/All Users/Start Menu/Programs/Startup</directories>
<ignore type="sregex">.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$</ignore>
<!-- Windows registry entries to monitor. -->
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\batfile</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\cmdfile</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\comfile</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\exefile</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\piffile</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Directory</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Folder</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Protocols</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Policies</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Security</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components</windows_registry>
<!-- Windows registry entries to ignore. -->
<registry_ignore>HKEY_LOCAL_MACHINE\Security\Policy\Secrets</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users</registry_ignore>
<registry_ignore type="sregex">\Enum$</registry_ignore>
</syscheck>
</agent_config>
On Tue, Dec 7, 2010 at 05:53, GeorgeY <[email protected]> wrote:
> Hi Joe,
>
> Thank you for your reply. I am trying to figure out how this works but
> what I tried so far does not work.
> Just as a background, I have installed ossec2.5.1 locally on all my
> windows hosts via the /S switch. By default, this created ossec.conf
> in C:\Program Files\ossec-agent. In my environment, I have Solaris
> hosts with ossec installed as well. The ossec server is running on a
> Solaris machine. I have created agent.conf in /opt/ossec/etc/shared. I
> tried to restart the agent on a Windows machine from the server but
> agent.conf does not get pushed out. Can you advise where I should
> start looking?
>
> Also, I can see from webUI that OSSEC is able to identify the OS on
> the agents. So does this mean that if I do <agent_conf os="Windows">
> it will automatically apply this to all Windows based machines?
>
> Do I need a separate agent.conf for Solaris based hosts or simply a
> separate <agent_config os="Solaris"> in the agent.conf file?
>
> Many thanks in advance for any hints or pointers you can provide.
>
> Here is a sample of my agent.conf
>
> <agent_config os="Windows">
>
> <client>
> <server-ip>192.168.1.1</server-ip>
> </client>
>
> <syscheck>
> <!-- Frequency that syscheck is executed - default to every 22 hours -->
> <frequency>79200</frequency>
>
> <!-- Default files to be monitored - system32 only. -->
> <directories check_all="yes">%WINDIR%/win.ini</directories>
> ....
> </syscheck>
>
> <rootcheck>
> <windows_audit>./shared/win_audit_rcl.txt</windows_audit>
> <windows_apps>./shared/win_applications_rcl.txt</windows_apps>
> <windows_malware>./shared/win_malware_rcl.txt</windows_malware>
> </rootcheck>
>
> <active-response>
> <disabled>yes</disabled>
> </active-response>
>
>
> <alerts>
> <log_alert_level>1</log_alert_level>
> </alerts>
> <!-- Files to monitor (localfiles) -->
>
> </agent_config>
>
>
>
> Regards,
> George
>
> On Dec 3, 9:40 pm, Joe Gedeon <[email protected]> wrote:
>> George,
>>
>> It is much easier to do this with a centralized agent configuration.
>> Take a look here.
>>
>> http://www.ossec.net/main/manual/centralized-config/
>>
>> You can put just about the complete config in etc/shared/agent.conf so
>> that it is rolled out to all hosts.
>>
>> On Fri, Dec 3, 2010 at 01:55, GeorgeY <[email protected]> wrote:
>> > Hi all,
>>
>> > Please excuse my ignorance, we are starting to mass deploy OSSEC on
>> > Windows as well as Solaris hosts. If, for example, after a couple of
>> > months, we would like to change certain settings in ossec.conf, how
>> > can we propagate the changes to all hosts?
>>
>> > 1. Can we simply copy and paste it over the existing and restart the
>> > service?
>> > 2. Can we deploy it from the central server out to all connected
>> > hosts?
>>
>> > Thanks in advance.
>>
>> --
>> Registered Linux User # 379282
--
Registered Linux User # 379282
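As an added example (written for this page; not Joe's or George's code and not part of OSSEC), here is a small Python check that applies the rules Joe gives above to a shared agent.conf: the client/server-ip block and active-response belong in the agent's own ossec.conf, and anything pushed through the shared file should not also remain in the agent's ossec.conf. The two config snippets are constructed; the synthetic root wrapper is needed because agent.conf may hold several agent_config blocks, which a plain XML parser rejects.

```python
"""Lint an OSSEC shared agent.conf against the rules in the thread above
(example code, not OSSEC's own): <client>/<server-ip> and <active-response>
belong in the agent's local ossec.conf, and settings pushed via the shared
file should not also remain in the agent's ossec.conf (overlap)."""
import xml.etree.ElementTree as ET

CLIENT_ONLY = ("client", "active-response")  # must stay in the agent's ossec.conf
OVERLAP_PATHS = ("localfile/location", "syscheck/directories",
                 "syscheck/windows_registry")  # compared between shared and local

# Constructed sample inputs: a shared agent.conf carrying the two misplaced
# blocks from the thread, and an agent's local ossec.conf repeating a setting.
SHARED = """<agent_config os="Windows">
  <client><server-ip>192.168.1.1</server-ip></client>
  <active-response><disabled>yes</disabled></active-response>
  <localfile><location>Security</location><log_format>eventlog</log_format></localfile>
  <syscheck><directories check_all="yes">%WINDIR%/win.ini</directories></syscheck>
</agent_config>"""
LOCAL = """<ossec_config>
  <client><server-ip>192.168.1.1</server-ip></client>
  <localfile><location>Security</location><log_format>eventlog</log_format></localfile>
  <syscheck><directories check_all="yes">%WINDIR%/system.ini</directories></syscheck>
</ossec_config>"""

def parse_ossec(text):
    """agent.conf may hold several <agent_config> roots, so wrap before parsing."""
    return ET.fromstring("<root>" + text + "</root>")

def check_shared(shared_text):
    """Return one message per client-only block found in each <agent_config>."""
    problems = []
    for block in parse_ossec(shared_text).findall("agent_config"):
        who = block.get("os") or block.get("name") or "all agents"
        for tag in CLIENT_ONLY:
            if block.find(tag) is not None:
                problems.append(f"[{who}] <{tag}> belongs in the agent's ossec.conf")
    return problems

def overlaps(shared_text, local_text):
    """Return (path, value) pairs set in both the shared file and the local file."""
    shared, local = parse_ossec(shared_text), parse_ossec(local_text)
    found = []
    for path in OVERLAP_PATHS:
        s = {e.text.strip() for e in shared.iterfind("agent_config/" + path) if e.text}
        l = {e.text.strip() for e in local.iterfind("ossec_config/" + path) if e.text}
        found += [(path, v) for v in sorted(s & l)]
    return found

if __name__ == "__main__":
    print(*check_shared(SHARED), *overlaps(SHARED, LOCAL), sep="\n")
```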