On Wed, Dec 8, 2010 at 5:12 AM, GeorgeY <[email protected]> wrote:
> Hi Joe,
>
> Thanks again for your response. Once I add an agent.conf to /shared,
> will I actually see this file on the client itself? I guess what I am
> trying to find out is if this file will actually be sent/pushed out to
> all "Windows" clients and a copy will be saved locally in their c:
> \Program Files\ossec-agent\shared? If the answer is Yes, I am not
> seeing this in my set up.
>

Yes, the agent.conf is supposed to be sent to the agents. Check the
permissions of the agent.conf on the manager. Mine is owned by root, but
readable by the group ossec.

> Also, whether or not the answer is Yes or No, that would mean I would
> need to MANUALLY clear the ossec.conf duplicated settings for all
> these hosts as well, correct - since the default ossec.conf already
> contains the settings I want to put in agent.conf? Unless there is
> another trick I can use here :)
>

You'd have to manually remove stuff from the ossec.conf.

> What I currently have on the client ossec.conf is simply
>
> <ossec_config>
>
> <active-response>
> <disabled>yes</disabled>
> </active-response>
>
> <client>
> <server-ip>192.168.1.1</server-ip>
> </client>
> </ossec_config>
>
> and agent.conf is as per my previous post without the <client></client>
> and <active-response></active-response> sections.
>
> On Dec 7, 10:46 pm, Joe Gedeon <[email protected]> wrote:
>> George,
>>
>> Here is the shared agent config that I use on the server for the
>> windows hosts. The ossec.conf on the agent is just about blank. It
>> is very minimal. Once I find my windows installer I can then send
>> you a copy of that. In your example of your shared agent.conf you had
>> the server set in there. The server must be set on the client. Also
>> active response must be enabled on the client and not in the shared
>> configuration. What you see in the shared agent can be removed from
>> the agents' ossec.conf so that it doesn't overlap.
>>
>> cat etc/shared/agent.conf
>> <agent_config os="Windows">
>>
>> <!-- One entry for each file/Event log to monitor. -->
>> <localfile>
>> <location>Application</location>
>> <log_format>eventlog</log_format>
>> </localfile>
>>
>> <localfile>
>> <location>Security</location>
>> <log_format>eventlog</log_format>
>> </localfile>
>>
>> <localfile>
>> <location>System</location>
>> <log_format>eventlog</log_format>
>> </localfile>
>>
>> <!-- Rootcheck - Policy monitor config -->
>> <rootcheck>
>> <windows_audit>./shared/win_audit_rcl.txt</windows_audit>
>> <windows_apps>./shared/win_applications_rcl.txt</windows_apps>
>> <windows_malware>./shared/win_malware_rcl.txt</windows_malware>
>> </rootcheck>
>>
>> <!-- Syscheck - Integrity Checking config. -->
>> <syscheck>
>>
>> <!-- Default frequency, every 20 hours. It doesn't need to be higher
>> - on most systems and once a day should be enough.
>> -->
>> <frequency>72000</frequency>
>>
>> <!-- By default it is disabled. In the Install you must choose
>> - to enable it.
>> -->
>> <disabled>no</disabled>
>>
>> <!-- Default files to be monitored - system32 only. -->
>> <directories check_all="yes">%WINDIR%/win.ini</directories>
>> <directories check_all="yes">%WINDIR%/system.ini</directories>
>> <directories check_all="yes">C:\autoexec.bat</directories>
>> <directories check_all="yes">C:\config.sys</directories>
>> <directories check_all="yes">C:\boot.ini</directories>
>> <directories check_all="yes">%WINDIR%/System32/CONFIG.NT</directories>
>> <directories check_all="yes">%WINDIR%/System32/AUTOEXEC.NT</directories>
>> <directories check_all="yes">%WINDIR%/System32/at.exe</directories>
>> <directories check_all="yes">%WINDIR%/System32/attrib.exe</directories>
>> <directories check_all="yes">%WINDIR%/System32/cacls.exe</directories>
>> <directories check_all="yes">%WINDIR%/System32/debug.exe</directories>
>> <directories check_all="yes">%WINDIR%/System32/drwatson.exe</directories>
>> <directories check_all="yes">%WINDIR%/System32/drwtsn32.exe</directories>
>> <directories check_all="yes">%WINDIR%/System32/edlin.exe</directories>
>> <directories check_all="yes">%WINDIR%/System32/eventcreate.exe</directories>
>> <directories check_all="yes">%WINDIR%/System32/eventtriggers.exe</directories>
>> <directories check_all="yes">%WINDIR%/System32/ftp.exe</directories>
>> <directories check_all="yes">%WINDIR%/System32/net.exe</directories>
>> <directories check_all="yes">%WINDIR%/System32/net1.exe</directories>
>> <directories check_all="yes">%WINDIR%/System32/netsh.exe</directories>
>> <directories check_all="yes">%WINDIR%/System32/rcp.exe</directories>
>> <directories check_all="yes">%WINDIR%/System32/reg.exe</directories>
>> <directories check_all="yes">%WINDIR%/regedit.exe</directories>
>> <directories check_all="yes">%WINDIR%/System32/regedt32.exe</directories>
>> <directories check_all="yes">%WINDIR%/System32/regsvr32.exe</directories>
>> <directories check_all="yes">%WINDIR%/System32/rexec.exe</directories>
>> <directories check_all="yes">%WINDIR%/System32/rsh.exe</directories>
>> <directories check_all="yes">%WINDIR%/System32/runas.exe</directories>
>> <directories check_all="yes">%WINDIR%/System32/sc.exe</directories>
>> <directories check_all="yes">%WINDIR%/System32/subst.exe</directories>
>> <directories check_all="yes">%WINDIR%/System32/telnet.exe</directories>
>> <directories check_all="yes">%WINDIR%/System32/tftp.exe</directories>
>> <directories check_all="yes">%WINDIR%/System32/tlntsvr.exe</directories>
>> <directories check_all="yes">%WINDIR%/System32/drivers/etc</directories>
>> <directories check_all="yes">C:\Documents and Settings/All Users/Start Menu/Programs/Startup</directories>
>> <ignore type="sregex">.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$</ignore>
>>
>> <!-- Windows registry entries to monitor. -->
>> <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\batfile</windows_registry>
>> <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\cmdfile</windows_registry>
>> <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\comfile</windows_registry>
>> <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\exefile</windows_registry>
>> <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\piffile</windows_registry>
>> <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects</windows_registry>
>> <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Directory</windows_registry>
>> <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Folder</windows_registry>
>> <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Protocols</windows_registry>
>> <windows_registry>HKEY_LOCAL_MACHINE\Software\Policies</windows_registry>
>> <windows_registry>HKEY_LOCAL_MACHINE\Security</windows_registry>
>> <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer</windows_registry>
>> <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</windows_registry>
>> <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs</windows_registry>
>> <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg</windows_registry>
>> <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry>
>> <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</windows_registry>
>> <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx</windows_registry>
>> <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL</windows_registry>
>> <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies</windows_registry>
>> <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows</windows_registry>
>> <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon</windows_registry>
>> <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components</windows_registry>
>>
>> <!-- Windows registry entries to ignore. -->
>> <registry_ignore>HKEY_LOCAL_MACHINE\Security\Policy\Secrets</registry_ignore>
>> <registry_ignore>HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users</registry_ignore>
>> <registry_ignore type="sregex">\Enum$</registry_ignore>
>> </syscheck>
>> </agent_config>
>>
>> On Tue, Dec 7, 2010 at 05:53, GeorgeY <[email protected]> wrote:
>> > Hi Joe,
>>
>> > Thank you for your reply. I am trying to figure out how this works but
>> > what I tried so far does not work.
>> > Just as a background, I have installed ossec2.5.1 locally on all my
>> > windows hosts via the /S switch. By default, this created ossec.conf
>> > in C:\Program Files\ossec-agent. In my environment, I have Solaris
>> > hosts with ossec installed as well. The ossec server is running on a
>> > Solaris machine. I have created agent.conf in /opt/ossec/etc/shared. I
>> > tried to restart the agent on a Windows machine from the server but
>> > agent.conf does not get pushed out. Can you advise where I should
>> > start looking?
>>
>> > Also, I can see from webUI that OSSEC is able to identify the OS on
>> > the agents. So does this mean that if I do <agent_conf os="Windows">
>> > it will automatically apply this to all Windows based machines?
>>
>> > Do I need a separate agent.conf for Solaris based hosts or simply a
>> > separate <agent_config os="Solaris"> in the agent.conf file?
>>
>> > Many thanks in advance for any hints or pointers you can provide.
>>
>> > Here is a sample of my agent.conf
>>
>> > <agent_config os="Windows">
>>
>> > <client>
>> > <server-ip>192.168.1.1</server-ip>
>> > </client>
>>
>> > <syscheck>
>> > <!-- Frequency that syscheck is executed - default to every 22
>> > hours -->
>> > <frequency>79200</frequency>
>>
>> > <!-- Default files to be monitored - system32 only. -->
>> > <directories check_all="yes">%WINDIR%/win.ini</directories>
>> > ....
>> > </syscheck>
>>
>> > <rootcheck>
>> > <windows_audit>./shared/win_audit_rcl.txt</windows_audit>
>> > <windows_apps>./shared/win_applications_rcl.txt</windows_apps>
>> > <windows_malware>./shared/win_malware_rcl.txt</windows_malware>
>> > </rootcheck>
>>
>> > <active-response>
>> > <disabled>yes</disabled>
>> > </active-response>
>>
>> > <alerts>
>> > <log_alert_level>1</log_alert_level>
>> > </alerts>
>> > <!-- Files to monitor (localfiles) -->
>>
>> > </agent_config>
>>
>> > Regards,
>> > George
>>
>> > On Dec 3, 9:40 pm, Joe Gedeon <[email protected]> wrote:
>> >> George,
>>
>> >> It is much easier to do this with a centralized agent configuration.
>> >> Take a look here.
>>
>> >> http://www.ossec.net/main/manual/centralized-config/
>>
>> >> You can put just about the complete config in etc/shared/agent.conf so
>> >> that it is rolled out to all hosts.
>>
>> >> On Fri, Dec 3, 2010 at 01:55, GeorgeY <[email protected]> wrote:
>> >> > Hi all,
>>
>> >> > Please excuse my ignorance, we are starting to mass deploy OSSEC on
>> >> > Windows as well as Solaris hosts. If, for example, after a couple of
>> >> > months, we would like to change certain settings in ossec.conf, how
>> >> > can we propagate the changes to all hosts?
>>
>> >> > 1. Can we simply copy and paste it over the existing and restart the
>> >> > service?
>> >> > 2. Can we deploy it from the central server out to all connected
>> >> > hosts?
>>
>> >> > Thanks in advance.
>>
>> >> --
>> >> Registered Linux User # 379282
>>
>> --
>> Registered Linux User # 379282
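The split Joe describes above (the <client> server address and the <active-response> setting must live in each agent's local ossec.conf, while everything else can go into per-OS <agent_config> blocks in the manager's etc/shared/agent.conf), written up as an added Python example. This is not code from the thread or from the OSSEC project: the sample agent.conf below is constructed from George's post, the function names (lint, split, shared_conf_readable_by_group) are my own, and the group-readable check only encodes Joe's remark about his own manager's file permissions.

```python
"""Lint an OSSEC shared agent.conf for sections that OSSEC only honours in
the agent's local ossec.conf, and split them out so the shared file and the
per-agent file do not overlap (the problem discussed in the thread)."""
import stat
import xml.etree.ElementTree as ET

# Sections that belong in the agent's local ossec.conf, not in the shared
# agent.conf, per Joe's reply: the server must be set on the client, and
# active response is enabled/disabled on the client.
LOCAL_ONLY = ("client", "active-response")

# Constructed sample, modelled on George's agent.conf from the thread, with
# a second OS block added to show per-OS selection (assumed Solaris paths).
SAMPLE_AGENT_CONF = """
<agent_config os="Windows">
  <client>
    <server-ip>192.168.1.1</server-ip>
  </client>
  <syscheck>
    <frequency>79200</frequency>
    <directories check_all="yes">%WINDIR%/win.ini</directories>
  </syscheck>
  <active-response>
    <disabled>yes</disabled>
  </active-response>
</agent_config>
<agent_config os="Solaris">
  <syscheck>
    <frequency>79200</frequency>
    <directories check_all="yes">/etc,/usr/bin</directories>
  </syscheck>
</agent_config>
"""


def parse_blocks(text):
    """agent.conf may hold several top-level <agent_config> elements, so it is
    not a single-root XML document; wrap it in a synthetic root to parse it."""
    root = ET.fromstring("<root>" + text + "</root>")
    return root.findall("agent_config")


def lint(text):
    """Return (os, section) pairs for sections that should not be in the
    shared file; an empty list means the file is clean."""
    findings = []
    for block in parse_blocks(text):
        os_name = block.get("os", "*")
        for tag in LOCAL_ONLY:
            if block.find(tag) is not None:
                findings.append((os_name, tag))
    return findings


def split(text):
    """Return (shared_conf, local_by_os): the cleaned agent.conf text and,
    for each OS that had local-only sections, an <ossec_config> fragment
    holding what must be kept in that agent's own ossec.conf."""
    local_by_os = {}
    blocks = parse_blocks(text)
    for block in blocks:
        os_name = block.get("os", "*")
        moved = []
        for child in list(block):
            if child.tag in LOCAL_ONLY:
                block.remove(child)
                moved.append(child)
        if moved:
            cfg = ET.Element("ossec_config")
            cfg.extend(moved)
            local_by_os[os_name] = ET.tostring(cfg, encoding="unicode")
    shared = "\n".join(ET.tostring(b, encoding="unicode") for b in blocks)
    return shared, local_by_os


def shared_conf_readable_by_group(st_mode):
    """Joe's hint on the manager side: his etc/shared/agent.conf is owned by
    root but readable by group ossec. Pass os.stat(path).st_mode."""
    return bool(st_mode & stat.S_IRGRP)


if __name__ == "__main__":
    for os_name, tag in lint(SAMPLE_AGENT_CONF):
        print(f"agent_config os={os_name}: <{tag}> belongs in the local ossec.conf")
    shared, local_by_os = split(SAMPLE_AGENT_CONF)
    print("--- shared agent.conf ---\n" + shared)
    for os_name, fragment in local_by_os.items():
        print(f"--- local ossec.conf fragment for {os_name} ---\n" + fragment)
```

Running the script prints the two offending sections in the Windows block, the cleaned shared file, and the <ossec_config> fragment that would go into the Windows agents' local ossec.conf; the Solaris block needs no local fragment because it carried none of the local-only sections.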
