Hi Dan, Thanks for your response. Currently, this is the permission on the file.
-r--r----- 1 root other 6626 Dec 8 01:56 agent.conf So changing this to -rwxr--r-- 1 root ossec should do the trick? Thanks again. Appreciate your assistance. Regards, George On Dec 8, 10:15 pm, "dan (ddp)" <[email protected]> wrote: > On Wed, Dec 8, 2010 at 5:12 AM, GeorgeY <[email protected]> wrote: > > Hi Joe, > > > Thanks again for your response. Once I add an agent.conf to /shared, > > will I actually see this file on the client itself? I guess what I am > > trying to find out is if this file will actually be sent/pushed out to > > all "Windows" clients and a copy will be saved locally in their c: > > \Program Files\ossec-agent\shared? If the answer is Yes, I am not > > seeing this in my set up. > > Yes, the agent.conf is supposed to be sent to the agents. > Check the permissions of the agent.conf on the manager. > Mine is owned by root, but readable by the group ossec. > > > Also, whether or not the answer is Yes or No, that would mean I would > > need to MANUALLY clear the ossec.conf duplicated settings for all > > these hosts as well correct - since the default ossec.conf already > > contains the settings I want to put in agent.conf? Unless there is > > another trick i can use here :) > > You'd have to manually remove stuff from the ossec.conf. > > > What i currently have on the client ossec.conf is simply > > > <ossec_config> > > > <active-response> > > <disabled>yes</disabled> > > </active-response> > > > <client> > > <server-ip>192.168.1.1</server-ip> > > </client> > > </ossec_config> > > > and agent.conf is as per my previous post without the <client></ > > client> and <active-response></active-response> sections. > > > On Dec 7, 10:46 pm, Joe Gedeon <[email protected]> wrote: > >> George, > > >> Here is the shared agent config that I use for on the server for the > >> windows hosts. The ossec.conf on the agent is just about blank. It > >> has very minimal. Once I find my windows installer I can then send > >> you a copy of that. In your example of your shared agent.conf you had > >> the server set in there. The server must be set on the client. Also > >> active response must be enabled on the client and not in the shared > >> configuration. What you see in the shared agent can be removed from > >> the agents ossec.conf so that it doesn't over lap. > > >> cat etc/shared/agent.conf > >> <agent_config os="Windows"> > > >> <!-- One entry for each file/Event log to monitor. --> > >> <localfile> > >> <location>Application</location> > >> <log_format>eventlog</log_format> > >> </localfile> > > >> <localfile> > >> <location>Security</location> > >> <log_format>eventlog</log_format> > >> </localfile> > > >> <localfile> > >> <location>System</location> > >> <log_format>eventlog</log_format> > >> </localfile> > > >> <!-- Rootcheck - Policy monitor config --> > >> <rootcheck> > >> <windows_audit>./shared/win_audit_rcl.txt</windows_audit> > >> <windows_apps>./shared/win_applications_rcl.txt</windows_apps> > >> <windows_malware>./shared/win_malware_rcl.txt</windows_malware> > >> </rootcheck> > > >> <!-- Syscheck - Integrity Checking config. --> > >> <syscheck> > > >> <!-- Default frequency, every 20 hours. It doesn't need to be higher > >> - on most systems and one a day should be enough. > >> --> > >> <frequency>72000</frequency> > > >> <!-- By default it is disabled. In the Install you must choose > >> - to enable it. > >> --> > >> <disabled>no</disabled> > > >> <!-- Default files to be monitored - system32 only. --> > >> <directories check_all="yes">%WINDIR%/win.ini</directories> > >> <directories check_all="yes">%WINDIR%/system.ini</directories> > >> <directories check_all="yes">C:\autoexec.bat</directories> > >> <directories check_all="yes">C:\config.sys</directories> > >> <directories check_all="yes">C:\boot.ini</directories> > >> <directories check_all="yes">%WINDIR%/System32/CONFIG.NT</directories> > >> <directories > >> check_all="yes">%WINDIR%/System32/AUTOEXEC.NT</directories> > >> <directories check_all="yes">%WINDIR%/System32/at.exe</directories> > >> <directories check_all="yes">%WINDIR%/System32/attrib.exe</directories> > >> <directories check_all="yes">%WINDIR%/System32/cacls.exe</directories> > >> <directories check_all="yes">%WINDIR%/System32/debug.exe</directories> > >> <directories > >> check_all="yes">%WINDIR%/System32/drwatson.exe</directories> > >> <directories > >> check_all="yes">%WINDIR%/System32/drwtsn32.exe</directories> > >> <directories check_all="yes">%WINDIR%/System32/edlin.exe</directories> > >> <directories > >> check_all="yes">%WINDIR%/System32/eventcreate.exe</directories> > >> <directories > >> check_all="yes">%WINDIR%/System32/eventtriggers.exe</directories> > >> <directories check_all="yes">%WINDIR%/System32/ftp.exe</directories> > >> <directories check_all="yes">%WINDIR%/System32/net.exe</directories> > >> <directories check_all="yes">%WINDIR%/System32/net1.exe</directories> > >> <directories check_all="yes">%WINDIR%/System32/netsh.exe</directories> > >> <directories check_all="yes">%WINDIR%/System32/rcp.exe</directories> > >> <directories check_all="yes">%WINDIR%/System32/reg.exe</directories> > >> <directories check_all="yes">%WINDIR%/regedit.exe</directories> > >> <directories > >> check_all="yes">%WINDIR%/System32/regedt32.exe</directories> > >> <directories > >> check_all="yes">%WINDIR%/System32/regsvr32.exe</directories> > >> <directories check_all="yes">%WINDIR%/System32/rexec.exe</directories> > >> <directories check_all="yes">%WINDIR%/System32/rsh.exe</directories> > >> <directories check_all="yes">%WINDIR%/System32/runas.exe</directories> > >> <directories check_all="yes">%WINDIR%/System32/sc.exe</directories> > >> <directories check_all="yes">%WINDIR%/System32/subst.exe</directories> > >> <directories check_all="yes">%WINDIR%/System32/telnet.exe</directories> > >> <directories check_all="yes">%WINDIR%/System32/tftp.exe</directories> > >> <directories > >> check_all="yes">%WINDIR%/System32/tlntsvr.exe</directories> > >> <directories > >> check_all="yes">%WINDIR%/System32/drivers/etc</directories> > >> <directories check_all="yes">C:\Documents and Settings/All > >> Users/Start Menu/Programs/Startup</directories> > >> <ignore > >> type="sregex">.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$</ignore> > > >> <!-- Windows registry entries to monitor. --> > >> > >> <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\batfile</windows_registry> > >> > >> <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\cmdfile</windows_registry> > >> > >> <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\comfile</windows_registry> > >> > >> <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\exefile</windows_registry> > >> > >> <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\piffile</windows_registry> > >> > >> <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects</windows_registry> > >> > >> <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Directory</windows_registry> > >> > >> <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Folder</windows_registry> > >> > >> <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Protocols</windows_registry> > >> > >> <windows_registry>HKEY_LOCAL_MACHINE\Software\Policies</windows_registry> > >> <windows_registry>HKEY_LOCAL_MACHINE\Security</windows_registry> > >> <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Internet > >> Explorer</windows_registry> > > >> > >> <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</windows_registry> > >> > >> <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session > >> Manager\KnownDLLs</windows_registry> > >> > >> <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg</windows_registry> > > >> > >> <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry> > >> > >> <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</windows_registry> > >> > >> <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx</windows_registry> > >> > >> <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL</windows_registry> > >> > >> <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies</windows_registry> > >> <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows > >> NT\CurrentVersion\Windows</windows_registry> > >> <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows > >> NT\CurrentVersion\Winlogon</windows_registry> > > >> <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Active > >> Setup\Installed Components</windows_registry> > > >> <!-- Windows registry entries to ignore. --> > >> > >> <registry_ignore>HKEY_LOCAL_MACHINE\Security\Policy\Secrets</registry_ignore> > >> > >> <registry_ignore>HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users</registry_ignore> > >> <registry_ignore type="sregex">\Enum$</registry_ignore> > >> </syscheck> > >> </agent_config> > > >> On Tue, Dec 7, 2010 at 05:53, GeorgeY <[email protected]> wrote: > >> > Hi Joe, > > >> > Thank you for your reply. I am trying to figure out how this works but > >> > what I tried so far does not work. > >> > Just as a background, I have installed ossec2.5.1 locally on all my > >> > windows hosts via the /S switch. By default, this created ossec.conf > >> > in C:\Program Files\ossec-agent. In my environment, I have Solaris > >> > hosts with ossec installed as well. The ossec server is running on a > >> > Solaris machine. I have created agent.conf in /opt/ossec/etc/shared. I > >> > tried to restart the agent on a Windows machine from the server but > >> > agent.conf does not get pushed out. Can you advise where I should > >> > start looking? > > >> > Also, I can see from webUI that OSSEC is able to identify the OS on > >> > the agents. So does this mean that if i do <agent_conf os="Windows"> > >> > it will automatically apply this to all Windows based machines? > > >> > Do I need a separate agent.conf for Solaris > > ... > > read more »
