Hi Joe,
Thanks again for your response. Once I add an agent.conf to /shared,
will I actually see this file on the client itself? I guess what I am
trying to find out is if this file will actually be sent/pushed out to
all "Windows" clients and a copy will be saved locally in their
C:\Program Files\ossec-agent\shared? If the answer is Yes, I am not
seeing this in my setup.
Also, whether the answer is Yes or No, that would mean I would
need to MANUALLY clear the duplicated settings from ossec.conf on all
these hosts as well, correct - since the default ossec.conf already
contains the settings I want to put in agent.conf? Unless there is
another trick I can use here :)
What I currently have on the client ossec.conf is simply
<ossec_config>
<active-response>
<disabled>yes</disabled>
</active-response>
<client>
<server-ip>192.168.1.1</server-ip>
</client>
</ossec_config>
and agent.conf is as per my previous post without the <client></client>
and <active-response></active-response> sections.
On Dec 7, 10:46 pm, Joe Gedeon <[email protected]> wrote:
> George,
>
> Here is the shared agent config that I use on the server for the
> Windows hosts. The ossec.conf on the agent is just about blank; it
> is very minimal. Once I find my Windows installer I can then send
> you a copy of that. In your example of your shared agent.conf you had
> the server set in there. The server must be set on the client. Also,
> active response must be enabled on the client and not in the shared
> configuration. What you see in the shared agent.conf can be removed from
> the agent's ossec.conf so that it doesn't overlap.
>
> cat etc/shared/agent.conf
> <agent_config os="Windows">
>
> <!-- One entry for each file/Event log to monitor. -->
> <localfile>
> <location>Application</location>
> <log_format>eventlog</log_format>
> </localfile>
>
> <localfile>
> <location>Security</location>
> <log_format>eventlog</log_format>
> </localfile>
>
> <localfile>
> <location>System</location>
> <log_format>eventlog</log_format>
> </localfile>
>
> <!-- Rootcheck - Policy monitor config -->
> <rootcheck>
> <windows_audit>./shared/win_audit_rcl.txt</windows_audit>
> <windows_apps>./shared/win_applications_rcl.txt</windows_apps>
> <windows_malware>./shared/win_malware_rcl.txt</windows_malware>
> </rootcheck>
>
> <!-- Syscheck - Integrity Checking config. -->
> <syscheck>
>
> <!-- Default frequency, every 20 hours. It doesn't need to be higher
> - on most systems and once a day should be enough.
> -->
> <frequency>72000</frequency>
>
> <!-- By default it is disabled. In the Install you must choose
> - to enable it.
> -->
> <disabled>no</disabled>
>
> <!-- Default files to be monitored - system32 only. -->
> <directories check_all="yes">%WINDIR%/win.ini</directories>
> <directories check_all="yes">%WINDIR%/system.ini</directories>
> <directories check_all="yes">C:\autoexec.bat</directories>
> <directories check_all="yes">C:\config.sys</directories>
> <directories check_all="yes">C:\boot.ini</directories>
> <directories check_all="yes">%WINDIR%/System32/CONFIG.NT</directories>
> <directories check_all="yes">%WINDIR%/System32/AUTOEXEC.NT</directories>
> <directories check_all="yes">%WINDIR%/System32/at.exe</directories>
> <directories check_all="yes">%WINDIR%/System32/attrib.exe</directories>
> <directories check_all="yes">%WINDIR%/System32/cacls.exe</directories>
> <directories check_all="yes">%WINDIR%/System32/debug.exe</directories>
> <directories check_all="yes">%WINDIR%/System32/drwatson.exe</directories>
> <directories check_all="yes">%WINDIR%/System32/drwtsn32.exe</directories>
> <directories check_all="yes">%WINDIR%/System32/edlin.exe</directories>
> <directories check_all="yes">%WINDIR%/System32/eventcreate.exe</directories>
> <directories check_all="yes">%WINDIR%/System32/eventtriggers.exe</directories>
> <directories check_all="yes">%WINDIR%/System32/ftp.exe</directories>
> <directories check_all="yes">%WINDIR%/System32/net.exe</directories>
> <directories check_all="yes">%WINDIR%/System32/net1.exe</directories>
> <directories check_all="yes">%WINDIR%/System32/netsh.exe</directories>
> <directories check_all="yes">%WINDIR%/System32/rcp.exe</directories>
> <directories check_all="yes">%WINDIR%/System32/reg.exe</directories>
> <directories check_all="yes">%WINDIR%/regedit.exe</directories>
> <directories check_all="yes">%WINDIR%/System32/regedt32.exe</directories>
> <directories check_all="yes">%WINDIR%/System32/regsvr32.exe</directories>
> <directories check_all="yes">%WINDIR%/System32/rexec.exe</directories>
> <directories check_all="yes">%WINDIR%/System32/rsh.exe</directories>
> <directories check_all="yes">%WINDIR%/System32/runas.exe</directories>
> <directories check_all="yes">%WINDIR%/System32/sc.exe</directories>
> <directories check_all="yes">%WINDIR%/System32/subst.exe</directories>
> <directories check_all="yes">%WINDIR%/System32/telnet.exe</directories>
> <directories check_all="yes">%WINDIR%/System32/tftp.exe</directories>
> <directories check_all="yes">%WINDIR%/System32/tlntsvr.exe</directories>
> <directories check_all="yes">%WINDIR%/System32/drivers/etc</directories>
> <directories check_all="yes">C:\Documents and Settings/All Users/Start Menu/Programs/Startup</directories>
> <ignore type="sregex">.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$</ignore>
>
> <!-- Windows registry entries to monitor. -->
> <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\batfile</windows_registry>
> <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\cmdfile</windows_registry>
> <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\comfile</windows_registry>
> <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\exefile</windows_registry>
> <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\piffile</windows_registry>
> <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects</windows_registry>
> <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Directory</windows_registry>
> <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Folder</windows_registry>
> <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Protocols</windows_registry>
> <windows_registry>HKEY_LOCAL_MACHINE\Software\Policies</windows_registry>
> <windows_registry>HKEY_LOCAL_MACHINE\Security</windows_registry>
> <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer</windows_registry>
> <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</windows_registry>
> <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs</windows_registry>
> <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg</windows_registry>
> <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry>
> <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</windows_registry>
> <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx</windows_registry>
> <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL</windows_registry>
> <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies</windows_registry>
> <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows</windows_registry>
> <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon</windows_registry>
> <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components</windows_registry>
>
> <!-- Windows registry entries to ignore. -->
> <registry_ignore>HKEY_LOCAL_MACHINE\Security\Policy\Secrets</registry_ignore>
> <registry_ignore>HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users</registry_ignore>
> <registry_ignore type="sregex">\Enum$</registry_ignore>
> </syscheck>
> </agent_config>
>
>
>
> On Tue, Dec 7, 2010 at 05:53, GeorgeY <[email protected]> wrote:
> > Hi Joe,
>
> > Thank you for your reply. I am trying to figure out how this works but
> > what I tried so far does not work.
> > Just as a background, I have installed OSSEC 2.5.1 locally on all my
> > Windows hosts via the /S switch. By default, this created ossec.conf
> > in C:\Program Files\ossec-agent. In my environment, I have Solaris
> > hosts with OSSEC installed as well. The OSSEC server is running on a
> > Solaris machine. I have created agent.conf in /opt/ossec/etc/shared. I
> > tried to restart the agent on a Windows machine from the server but
> > agent.conf does not get pushed out. Can you advise where I should
> > start looking?
>
> > Also, I can see from the webUI that OSSEC is able to identify the OS on
> > the agents. So does this mean that if I do <agent_conf os="Windows">
> > it will automatically apply this to all Windows based machines?
>
> > Do I need a separate agent.conf for Solaris based hosts or simply a
> > separate <agent_config os="Solaris"> in the agent.conf file?
>
> > Many thanks in advance for any hints or pointers you can provide.
>
> > Here is a sample of my agent.conf
>
> > <agent_config os="Windows">
>
> > <client>
> > <server-ip>192.168.1.1</server-ip>
> > </client>
>
> > <syscheck>
> > <!-- Frequency that syscheck is executed - default to every 22 hours -->
> > <frequency>79200</frequency>
>
> > <!-- Default files to be monitored - system32 only. -->
> > <directories check_all="yes">%WINDIR%/win.ini</directories>
> > ....
> > </syscheck>
>
> > <rootcheck>
> > <windows_audit>./shared/win_audit_rcl.txt</windows_audit>
> > <windows_apps>./shared/win_applications_rcl.txt</windows_apps>
> > <windows_malware>./shared/win_malware_rcl.txt</windows_malware>
> > </rootcheck>
>
> > <active-response>
> > <disabled>yes</disabled>
> > </active-response>
>
> > <alerts>
> > <log_alert_level>1</log_alert_level>
> > </alerts>
> > <!-- Files to monitor (localfiles) -->
>
> > </agent_config>
>
> > Regards,
> > George
>
> > On Dec 3, 9:40 pm, Joe Gedeon <[email protected]> wrote:
> >> George,
>
> >> It is much easier to do this with a centralized agent configuration.
> >> Take a look here.
>
> >> http://www.ossec.net/main/manual/centralized-config/
>
> >> You can put just about the complete config in etc/shared/agent.conf so
> >> that it is rolled out to all hosts.
>
> >> On Fri, Dec 3, 2010 at 01:55, GeorgeY <[email protected]> wrote:
> >> > Hi all,
>
> >> > Please excuse my ignorance, we are starting to mass deploy OSSEC on
> >> > Windows as well as Solaris hosts. If, for example, after a couple of
> >> > months, we would like to change certain settings in ossec.conf, how
> >> > can we propagate the changes to all hosts?
>
> >> > 1. Can we simply copy and paste it over the existing and restart the
> >> > service?
> >> > 2. Can we deploy it from the central server out to all connected
> >> > hosts?
>
> >> > Thanks in advance.
>
> >> --
> >> Registered Linux User # 379282
>
> --
> Registered Linux User # 379282
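The thread above turns on two rules Joe states for OSSEC centralized configuration: <client> and <active-response> must stay in the agent's own ossec.conf rather than the shared etc/shared/agent.conf, and whatever is rolled out through agent.conf should be dropped from the agent's ossec.conf so the two do not overlap. The following is an added example, not code from the thread or from the OSSEC project: a small static lint, in Python, that checks a shared agent.conf against one agent's local ossec.conf for exactly those two problems. It assumes, as Joe's os="Windows" usage and George's Solaris question suggest, that an <agent_config> block with an os attribute is applied only to agents whose OS name matches it and that a block without one applies to every agent; it is a check run on the files, not OSSEC's own merge logic. The sample files below are constructed, modelled on the configs quoted in the thread.

```python
# Added example, not from the thread or the OSSEC project: lint a shared
# agent.conf against one agent's local ossec.conf for the two problems the
# thread raises - agent-only sections placed in agent.conf, and sections
# present in both files so that they overlap.
import xml.etree.ElementTree as ET

# Sections that, per the thread, belong only in the agent's own ossec.conf.
AGENT_ONLY_SECTIONS = {"client", "active-response"}


def parse_fragment(text):
    """Parse an OSSEC config file. These files may hold several top-level
    elements (and XML comments), so wrap them in a synthetic root first."""
    return ET.fromstring("<root>" + text + "</root>")


def check_shared_config(agent_conf_text, ossec_conf_text, agent_os="Windows"):
    """Return a list of findings for an agent running `agent_os`.

    Assumption (matching the os="Windows" usage in the thread): an
    <agent_config> block with an os attribute applies only to agents whose
    OS name equals that attribute; a block without one applies to all.
    An empty list means no problem was found."""
    findings = []
    shared = parse_fragment(agent_conf_text)
    local = parse_fragment(ossec_conf_text)

    # Top-level sections the agent's own ossec.conf already defines.
    local_sections = {child.tag
                      for cfg in local.findall("ossec_config")
                      for child in cfg}

    for block in shared.findall("agent_config"):
        target = block.get("os")
        if target is not None and target != agent_os:
            continue  # not applied to this agent, so nothing to compare
        label = f"agent_config os={target!r}"
        for section in block:
            if section.tag in AGENT_ONLY_SECTIONS:
                findings.append(
                    f"<{section.tag}> in {label} must be set in the agent's "
                    f"ossec.conf, not in the shared agent.conf")
            elif section.tag in local_sections:
                findings.append(
                    f"<{section.tag}> is in both {label} and the agent's "
                    f"ossec.conf; drop one copy so they do not overlap")
    return findings


# Constructed sample input modelled on the files quoted in the thread.
SAMPLE_AGENT_CONF = """
<agent_config os="Windows">
  <client>
    <server-ip>192.168.1.1</server-ip>
  </client>
  <syscheck>
    <!-- every 22 hours -->
    <frequency>79200</frequency>
    <directories check_all="yes">%WINDIR%/win.ini</directories>
  </syscheck>
  <active-response>
    <disabled>yes</disabled>
  </active-response>
</agent_config>
<agent_config os="Solaris">
  <syscheck>
    <frequency>79200</frequency>
  </syscheck>
</agent_config>
"""

SAMPLE_OSSEC_CONF = """
<ossec_config>
  <active-response>
    <disabled>yes</disabled>
  </active-response>
  <client>
    <server-ip>192.168.1.1</server-ip>
  </client>
  <syscheck>
    <frequency>79200</frequency>
  </syscheck>
</ossec_config>
"""


def lint_sample():
    """Run the check on the constructed sample for a Windows agent."""
    return check_shared_config(SAMPLE_AGENT_CONF, SAMPLE_OSSEC_CONF, "Windows")


if __name__ == "__main__":
    for finding in lint_sample():
        print(finding)
```

Run against the constructed sample for a Windows agent, the lint reports three findings: <client> and <active-response> must move out of agent.conf, and <syscheck> is defined in both files. Run for a Solaris agent, the Windows block is skipped and only the <syscheck> overlap in the Solaris block is reported, which is the behaviour George asked about when he wondered whether a separate <agent_config os="Solaris"> block is enough.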