On Wed, Jun 18, 2014 at 2:07 PM, Melissa Jimenez <[email protected]> wrote:

> Hi! We recently installed OSSEC in order to comply with integrity checking
> standards. The computer we're interested in monitoring scans checks on a
> daily basis and processes financial information. I am obviously new to
> OSSEC, but I managed to install a virtual appliance server and then an agent
> on the computer of interest (Windows XP). I have been reading the
> documentation, but I'm still having trouble with a few things and I'm
> extremely confused as to how to proceed. The server successfully connects to
> the agent. My problem lies in the configuration.
>
> First, what configuration file am I interested in modifying? The one on the
> server, or the one in the agent? On the server side, do I modify ossec.conf
> or agent.conf?
>

It depends on what you want to do. If you want the agent to be affected, you modify either the agent's ossec.conf or the agent.conf on the manager. If you want the changes to affect the manager, modify the manager's ossec.conf. The manager is unaffected by the agent.conf.

> Also, we weren't given any information on the specific files or logs we
> needed to monitor. The computer, as mentioned before, scans checks and
> credit card information, and regularly has access to bank portals. How do I
> configure OSSEC to deal with this specific case? I don't know what section

Which specific case? There isn't really any specific information here. Monitor the log files you find important.

> to modify, what files to look at, and what information to report on. If you
> have any specific examples, I would really appreciate it.
>
> Also, we haven't been receiving any email notifications of any sort. We're
> using a public SMTP address, since our mail server requires authentication
> and we didn't know how to address this with OSSEC. Our configuration looks
> as follows:
>
> <global>
>   <email_notification>yes</email_notification>
>   <email_to>[email protected]</email_to>
>   <smtp_server>207.115.36.26</smtp_server>
>   <email_from>[email protected]</email_from>
> </global>
>

Do you have access to the mail logs? If not, you might be able to use tcpdump to find out what's going on. I generally forward the OSSEC emails through a local smtpd that handles the authentication.

>
> I apologize for the multiple questions. I'm trying to take advantage of all
> the capabilities of such an amazing tool. Thank you!
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
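As an added example (not code from the thread, and not OSSEC's shipped default configuration), this is the "agent.conf on the manager" option the reply describes: a fragment of /var/ossec/etc/shared/agent.conf that pushes a syscheck policy to the Windows XP agent without editing the agent's own ossec.conf. The CheckScanner and ScannedChecks directory names are assumed placeholders for whatever the cheque-scanning software and its output folder are actually called.

```xml
<!-- /var/ossec/etc/shared/agent.conf on the OSSEC manager (added example, not from the thread).
     The manager pushes this to agents; only agents whose OS matches the os attribute apply it. -->
<agent_config os="Windows">
  <syscheck>
    <!-- Full checksum scan every 6 hours; realtime directories below are watched in between. -->
    <frequency>21600</frequency>
    <!-- Report files that appear in a monitored directory, not only files that change. -->
    <alert_new_files>yes</alert_new_files>

    <!-- The scanning application and its data output (placeholder paths, assumed). -->
    <directories check_all="yes" realtime="yes">C:\Program Files\CheckScanner</directories>
    <directories check_all="yes" realtime="yes">C:\ScannedChecks</directories>

    <!-- System binaries and the hosts file, which could redirect the bank portal hostnames. -->
    <directories check_all="yes">%WINDIR%\System32\drivers\etc</directories>
    <directories check_all="yes">%WINDIR%\System32</directories>

    <!-- Files that change constantly and would only generate noise. -->
    <ignore>%WINDIR%\System32\LogFiles</ignore>
    <ignore type="sregex">.log$|.tmp$</ignore>

    <!-- Autostart registry keys: a change here is worth a human look on a finance workstation. -->
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</windows_registry>
  </syscheck>

  <!-- Ship the Security event log (logons, privilege use) alongside the integrity data. -->
  <localfile>
    <location>Security</location>
    <log_format>eventlog</log_format>
  </localfile>
</agent_config>
```

Note that the "file added" alert (rule 554) is level 0 on a stock manager, so to actually receive those notifications the rule level has to be raised in the manager's local_rules.xml; that is a manager-side change, which is exactly the ossec.conf-versus-agent.conf split the reply draws.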
