Sorry to open an old thread, but I have a related question. Is there any way to tell a host that it is a web or db server through the push of the agent.conf? Or is it a requirement to update the ossec.conf on every server to tell it what group it is a member of?
Thank you,
Jared

On Monday, June 24, 2013 2:25:53 PM UTC-4, dan (ddpbsd) wrote:
> On Mon, Jun 24, 2013 at 1:15 PM, Jared <[email protected]> wrote:
> > Question:
> >
> > How are "Profiles" associated with clients / agents?
> >
> > Scenario:
> >
> > Agent ID = 001 = Web01 = IIS and MySQL = Windows
> >
> > Agent ID = 002 = Web02 = Apache/Tomcat and MySQL = CentOs
> >
> > I would like to have a profile for each server type so that I no longer see
> > the following errors:
> >
> > 2013/06/24 10:08:52 ossec-agent(1952): INFO: Monitoring variable log file: 'C:\Tomcat7\logs\localhost_access_log.2013-06-24.txt'.
> > 2013/06/24 10:08:52 ossec-agent(1103): ERROR: Unable to open file 'C:\Tomcat7\logs\localhost_access_log.2013-06-24.txt'.
> >
> > For Windows servers that do not have Tomcat for example?
> >
> > Based on the following from the web documentation from
> > http://www.ossec.net/doc/syntax/head_agent_config.html?highlight=profile#profile:
> >
> > profile
> > This option to agent_config allows you to assign a profile name to the
> > block. Any agent may use this block if it is configured to use the defined
> > profile.
> >
> > Example: <agent_config profile="webservers">
> >
> > How do I tell Agent 002 that it should be associated with "LinuxWebs"
> >
> > <agent_config profile="LinuxWebs">
> >
> > How do I tell Agent 002 that it should be subordinate to "WinWebs"
> >
> > <agent_config profile="LinuxWebs">
> >
> > In the following config:
> >
> > <agent_config profile="LinuxWebs">
> >   <localfile>
> >     <location>/var/log/secure</location>
> >     <log_format>syslog</log_format>
> >   </localfile>
> > </agent_config>
> >
> > Thanks for all of the posts and info? Very helpful list!!
> >
> > Jared
>
> In the agent's ossec.conf add a <config-profile> entry to the <client>
> section.
> Example:
>
> <ossec_config>
>   <client>
>     <server-ip>192.168.17.9</server-ip>
>     <config-profile>openbsd-firewall,openbsd-test</config-profile>
>   </client>
> </ossec_config>
>
> The above agent is a member of the openbsd-firewall and openbsd-test
> profiles in agent.conf.
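Added example, not part of the thread and not OSSEC's own code: a small checker that reads an agent's <config-profile> list and reports which <agent_config> blocks in agent.conf would reach it, plus any claimed profile that has no block (a typo would otherwise go unnoticed). Both config samples are constructed, WinTomcat and the function names are hypothetical, and matching profile names exactly is a simplifying assumption rather than OSSEC's own matcher.

```python
import xml.etree.ElementTree as ET

# Constructed manager-side agent.conf; WinTomcat is a hypothetical profile name.
AGENT_CONF = r"""
<agent_config profile="LinuxWebs">
  <localfile><location>/var/log/secure</location><log_format>syslog</log_format></localfile>
</agent_config>
<agent_config profile="WinTomcat">
  <localfile><location>C:\Tomcat7\logs\localhost_access_log.txt</location><log_format>syslog</log_format></localfile>
</agent_config>
<agent_config>
  <localfile><location>/var/log/messages</location><log_format>syslog</log_format></localfile>
</agent_config>
"""

# Constructed agent-side ossec.conf using the <config-profile> entry from the reply.
OSSEC_CONF = """
<ossec_config>
  <client>
    <server-ip>192.168.17.9</server-ip>
    <config-profile>LinuxWebs,openbsd-test</config-profile>
  </client>
</ossec_config>
"""

def agent_profiles(ossec_conf):
    """Profiles the agent claims in <client><config-profile> (comma-separated)."""
    text = ET.fromstring(ossec_conf).findtext("client/config-profile", default="")
    return {p.strip() for p in text.split(",") if p.strip()}

def resolve(agent_conf, profiles):
    """Return (log locations that apply, claimed profiles with no block)."""
    # agent.conf has several top-level blocks, so wrap it to get one XML root.
    root = ET.fromstring("<root>" + agent_conf + "</root>")
    locations, defined = [], set()
    for block in root.findall("agent_config"):
        attrs = dict(block.attrib)
        profile = attrs.pop("profile", None)
        if profile:
            defined.add(profile)
        if attrs:  # blocks using other selectors are not modelled here
            continue
        # Assumption: exact name match; a block with no attributes applies to all.
        if profile is None or profile in profiles:
            locations += [loc.text for loc in block.findall("localfile/location")]
    return locations, sorted(profiles - defined)

if __name__ == "__main__":
    print(resolve(AGENT_CONF, agent_profiles(OSSEC_CONF)))
```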
