On 03/03/2011 10:02 PM, satish patel wrote:
Can you copy-paste your agent.conf? Should active-response come
under the syscheck section?


I can't disable iptables because this is my firewall server
(production). The best help would be to please copy-paste your agent.conf to me.

Also, I have added a few custom logs to agent.conf, and those are also not
working... :(    It looks like I am doing something wrong in agent.conf.
Please, someone send me a full agent.conf.


<!-- fw01server extra logfiles for ubuntu OS -->
<!-- the name attribute must match the agent's registered name exactly;
     the original line had a trailing space inside the quotes -->
<agent_config name="fw01server">
   <localfile>
     <log_format>syslog</log_format>
     <location>/var/log/auth.log</location>
   </localfile>

   <localfile>
     <log_format>syslog</log_format>
     <location>/var/log/syslog</location>
   </localfile>

   <localfile>
     <log_format>syslog</log_format>
     <location>/var/log/mail.info</location>
   </localfile>

   <localfile>
     <log_format>syslog</log_format>
     <location>/var/log/dpkg.log</location>
   </localfile>

   <localfile>
     <log_format>apache</log_format>
     <location>/var/log/apache2/error.log</location>
   </localfile>

   <localfile>
     <log_format>apache</log_format>
     <location>/var/log/apache2/access.log</location>
   </localfile>
</agent_config>

This is my agent.conf for one agent:

<agent_config name="rhelauthsrv">
  <syscheck>
    <frequency>79200</frequency>
    <auto_ignore>no</auto_ignore>
    <alert_new_files>yes</alert_new_files>
    <directories report_changes="yes" realtime="yes" check_all="yes">/etc</directories>
    <directories check_all="yes">/usr/bin,/usr/sbin,/bin,/sbin</directories>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/aliases.db</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/lvm/cache/.cache</ignore>
    <ignore>/etc/mtab</ignore>
  </syscheck>

  <rootcheck>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
    <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
    <system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>
    <system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt</system_audit>
    <system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>
  </rootcheck>

  <active-response>
    <disabled>yes</disabled>
  </active-response>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/secure</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/maillog</location>
  </localfile>
</agent_config>

--
CL Martinez
carlopmart {at} gmail {d0t} com
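An added lint script (not from either poster, not part of OSSEC) for the two things this thread turns on: an `agent_config` name that will not match the agent because of stray whitespace, and a section such as `active-response` nested under `syscheck` instead of sitting directly under `agent_config`. It assumes the OSSEC 2.x layout shown above, and the sample config is constructed to contain both mistakes.

```python
import xml.etree.ElementTree as ET

# Constructed sample agent.conf: trailing space in the first name and
# <active-response> nested inside <syscheck>, as discussed in the thread.
SAMPLE_AGENT_CONF = """\
<!-- fw01server extra logfiles -->
<agent_config name="fw01server ">
  <syscheck>
    <frequency>79200</frequency>
    <active-response>
      <disabled>yes</disabled>
    </active-response>
  </syscheck>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>
</agent_config>
<agent_config name="rhelauthsrv">
  <active-response>
    <disabled>yes</disabled>
  </active-response>
</agent_config>
"""

# Sections that belong directly under <agent_config> (the ones used on
# this page); nesting one inside another is a layout mistake.
SECTIONS = {"syscheck", "rootcheck", "active-response", "localfile"}


def lint_agent_conf(text):
    """Return a list of findings for an agent.conf body (empty if clean).

    agent.conf has no single document root: every <agent_config> is a
    top-level element, so the text is wrapped in a dummy root to parse it.
    """
    root = ET.fromstring("<root>" + text + "</root>")
    findings = []
    for block in root.findall("agent_config"):
        name = block.get("name", "")
        if name != name.strip():
            findings.append(f"{name!r}: name has leading/trailing whitespace "
                            "and will not match the agent's registered name")
        for section in block:
            for child in section:
                if section.tag in SECTIONS and child.tag in SECTIONS:
                    findings.append(f"{name!r}: <{child.tag}> is nested inside "
                                    f"<{section.tag}>; move it under <agent_config>")
        for lf in block.findall("localfile"):
            if lf.find("log_format") is None or lf.find("location") is None:
                findings.append(f"{name!r}: <localfile> needs <log_format> and <location>")
    return findings
```

Run it as `lint_agent_conf(open("/var/ossec/etc/shared/agent.conf").read())` on the manager to check the deployed file before the agents pull it.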
