Thanks Dan and Christopher. Most helpful.
Now to my next question ;). After any changes to agent.conf, the
automatic "pushing" of the updated agent.conf file is working as
expected. This is great. However, is the configuration applied
immediately, or does it require a manual restart of the Ossec HIDS service
on the Windows machines? I tried the agent_control -R <id> option, but
it doesn't seem to restart the agent?
Syscheck is configured to run every 72000 seconds. However, if there
are changes in agent.conf, does Ossec only look at the options within
<syscheck></syscheck> or the entire .conf file?
The reason I am asking is that during some testing, we replaced agent.conf with
Unix-only configurations. So by right, Windows hosts have nothing to
monitor and no applicable configurations. However, I still see many
Windows machines sending alerts to alerts.log, which I believe come
from the following entries in agent.conf:

agent.conf
---------------
<localfile>
  <location>Application</location>
  <log_format>eventlog</log_format>
</localfile>

<localfile>
  <location>Security</location>
  <log_format>eventlog</log_format>
</localfile>

<localfile>
  <location>System</location>
  <log_format>eventlog</log_format>
</localfile>

alerts.log
--------------

** Alert 1308105862.761782: - windows,system_error,
2011 Jun 14 19:44:22 (hostname) 172.x.x.x->WinEvtLog
Rule: 18103 (level 5) -> 'Windows error event.'
Src IP: (none)
User: (no user)
WinEvtLog: System: ERROR(4199): Tcpip: (no user): no domain: aaa: The
system detected an address conflict for IP address 172.x.x.x with the
system  having network hardware address a:f:f:f:f:. Network operations
on this system may  be disrupted as a result.

** Alert 1308105868.762260: - windows,authentication_success,
2011 Jun 14 19:44:28 (hostname) 172.x.x.x->WinEvtLog
Rule: 18107 (level 3) -> 'Windows Logon Success.'
Src IP: (none)
User: SYSTEM
WinEvtLog: Security: AUDIT_SUCCESS(540): Security: SYSTEM: NT
AUTHORITY: asd: Successful Network Logon:            User Name: aasa
$            Domain: domain Logon ID:       (0x0,0x66785CF)
Logon Type: 3          Logon Process: Kerberos          Authentication
Package: Kerberos        Workstation Name:

** Alert 1308105868.762751: - windows,
2011 Jun 14 19:44:28 (host) 172.x.x.x->WinEvtLog
Rule: 18149 (level 3) -> 'Windows User Logoff.'
Src IP: (none)
User: SYSTEM
WinEvtLog: Security: AUDIT_SUCCESS(538): Security: SYSTEM: NT
AUTHORITY: asd: User Logoff:         User Name: asd$
Domain:         domain Logon ID:       (0x0,0x66785CF)         Logon
Type: 3


On Jun 11, 1:58 am, "dan (ddp)" <[email protected]> wrote:
> Hi George,
> Put the Windows and *nix configurations in the same agent.conf. The
> agents will ignore the parts that do not apply to them.
>
> On Fri, Jun 10, 2011 at 4:01 AM, GeorgeY <[email protected]> wrote:
> > Hi all,
>
> > I am using a shared config for Windows hosts that is being distributed
> > from the OSSEC server /ossec/etc/shared/agent.conf.
>
> > In agent.conf, I have specified the following:
>
> > <agent_config os="Windows">
> > ...
> > ...
> > </agent_config>
>
> > It is distributing it as expected however, I noticed that this file is
> > being distributed to my Unix hosts as well. How can I tell the OSSEC
> > server to distribute agent.conf to ALL windows hosts and tell it to
> > distribute agent-unix.conf to ALL unix hosts only? Can this be done?
>
> > Thanks in advance.
>
> > George
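
Taking Dan's advice literally, here is what one shared agent.conf could look like with the three Windows eventlog <localfile> entries from George's post and a Unix-only block side by side in the same file. This is an added example, not a file from the thread or from the OSSEC project; os="Windows" is the attribute George already uses, while the os="Linux" value, the monitored directories and the Linux log paths are assumptions for illustration. The syscheck frequency reuses the 72000 seconds mentioned above.

```xml
<!-- /ossec/etc/shared/agent.conf : one file pushed to every agent (added example) -->

<!-- Block handed only to agents whose OS string matches "Windows" -->
<agent_config os="Windows">
  <syscheck>
    <frequency>72000</frequency>
    <!-- assumed example directory, not from the thread -->
    <directories check_all="yes">C:\Windows\System32\drivers\etc</directories>
  </syscheck>

  <localfile>
    <location>Application</location>
    <log_format>eventlog</log_format>
  </localfile>
  <localfile>
    <location>Security</location>
    <log_format>eventlog</log_format>
  </localfile>
  <localfile>
    <location>System</location>
    <log_format>eventlog</log_format>
  </localfile>
</agent_config>

<!-- Block handed only to Linux agents; Windows agents skip it (os value assumed) -->
<agent_config os="Linux">
  <syscheck>
    <frequency>72000</frequency>
    <!-- assumed example directories, not from the thread -->
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
  </syscheck>

  <localfile>
    <location>/var/log/messages</location>
    <log_format>syslog</log_format>
  </localfile>
  <localfile>
    <location>/var/log/secure</location>
    <log_format>syslog</log_format>
  </localfile>
</agent_config>
```

The point of the os attribute is that each agent only applies the block whose attribute matches it; an <agent_config> block without an os, name or profile attribute applies to every agent. So when checking why Windows hosts keep producing WinEvtLog alerts after a push, the first thing to confirm is which block the three eventlog <localfile> entries actually sit inside.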
