Hi again James,

I just tested and I can see how both configurations are pushed to the agent. OSSEC always pushes the entire agent.conf file to all the agents; you can open the file on your agent to check if everything is already received:

    OSSEC file "/var/ossec/etc/shared/merged.mg"

If you enable debug mode you will see in ossec.log when merged.mg is pushed:

    016/02/11 05:09:18 ossec-remoted: DEBUG Sending file 'merged.mg' to agent.

Regarding whether OSSEC combines all the configuration blocks, I think it does, because of the following C code:

    https://github.com/wazuh/ossec-wazuh/blob/master/src/config/config.c#L201

There is a while loop searching for matches of "os=?", "name=?" and "profile=?"; the loop keeps going until the last element is read, so I think it will read everything, not only the first match.

Let me check it and I will update you in a while.

On Thursday, February 11, 2016 at 1:21:46 PM UTC+1, James Glaves wrote:
>
> Hi,
> I push out OSSEC configuration to all our Windows agents using shared
> agent.conf. I have a question about how the agent interprets the different
> options:
>
> <agent_config name="agent1">
> <agent_config os="Windows">
>
> What isn't clear to me, will "agent1" match only the first agent_config it
> finds? Or will it continue through all the agent_config's and combine the
> results?
>
> For example, can I combine agent-specific configuration which applies to
> agent1 only with standard Windows configuration that applies to all Windows
> agents. Or do I need to include all the standard Windows configuration
> together with the specific configuration in the single named agent_config?
>
> Example, will this work? Will "agent4" combine IIS, Exchange, and Windows
> rules?
>
> <!-- Specific config for End User Desktop's -->
> <agent_config name="agent1|agent2|agent3">
>   <syscheck>
>     <directories check_all="yes">%PROGRAMFILES%/Application XYZ</directories>
>   </syscheck>
> </agent_config>
>
> <!-- Specific config for IIS Server's -->
> <agent_config name="agent4|agent5">
>   <localfile>
>     <location>%WinDir%\System32\LogFiles\W3SVC1\u_ex%y%m%d.log</location>
>     <log_format>iis</log_format>
>   </localfile>
> </agent_config>
>
> <!-- Specific config for Exchange Server's -->
> <agent_config name="agent4">
>   <localfile>
>     <location>F:\Connectivity Logs\CONNECTLOG%Y%m%d-1.LOG</location>
>     <log_format>iis</log_format>
>   </localfile>
> </agent_config>
>
> <!-- General Windows config for all Windows agents -->
> <agent_config os="Windows">
>   <localfile>
>     <location>Application</location>
>     <log_format>eventlog</log_format>
>   </localfile>
>
>   <localfile>
>     <location>Security</location>
>     <log_format>eventlog</log_format>
>   </localfile>
>
>   <localfile>
>     <location>System</location>
>     <log_format>eventlog</log_format>
>   </localfile>
> </agent_config>
>
> Thanks,
> jjrbg
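
Added example (not part of the original thread and not OSSEC's own code): a small Python model for auditing which agent_config blocks would apply to a given agent, under the behaviour the reply expects, namely that every matching block is read and the results are combined. The matcher (case-insensitive substring with "|" alternatives), the function names, the agent's OS string and the trimmed sample config are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample, trimmed from the agent.conf in the quoted question.
AGENT_CONF = r"""
<agent_config name="agent1|agent2|agent3">
  <syscheck><directories check_all="yes">%PROGRAMFILES%/Application XYZ</directories></syscheck>
</agent_config>
<agent_config name="agent4|agent5">
  <localfile><location>%WinDir%\System32\LogFiles\W3SVC1\u_ex%y%m%d.log</location><log_format>iis</log_format></localfile>
</agent_config>
<agent_config name="agent4">
  <localfile><location>F:\Connectivity Logs\CONNECTLOG%Y%m%d-1.LOG</location><log_format>iis</log_format></localfile>
</agent_config>
<agent_config os="Windows">
  <localfile><location>Application</location><log_format>eventlog</log_format></localfile>
  <localfile><location>Security</location><log_format>eventlog</log_format></localfile>
  <localfile><location>System</location><log_format>eventlog</log_format></localfile>
</agent_config>
"""

def attr_matches(pattern, value):
    """Assumed matcher: '|'-separated alternatives, case-insensitive substring."""
    return any(alt and alt.lower() in value.lower() for alt in pattern.split("|"))

def matching_blocks(conf_text, agent):
    """Return every <agent_config> block whose attributes all match the agent."""
    # agent.conf has several top-level elements, so wrap it in a synthetic root.
    root = ET.fromstring("<root>" + conf_text + "</root>")
    return [block for block in root.iter("agent_config")
            # name/os/profile on one block are ANDed; a missing fact rejects it.
            if all(attr in agent and attr_matches(pat, agent[attr])
                   for attr, pat in block.attrib.items())]

def effective_localfiles(conf_text, agent):
    """Merged (location, log_format) pairs from all matching blocks, in file order."""
    return [(lf.findtext("location"), lf.findtext("log_format"))
            for block in matching_blocks(conf_text, agent)
            for lf in block.iter("localfile")]

if __name__ == "__main__":
    # Constructed agent facts: name as registered, os as the agent would report it.
    agent4 = {"name": "agent4", "os": "Microsoft Windows Server 2012 R2"}
    for location, log_format in effective_localfiles(AGENT_CONF, agent4):
        print(f"{log_format:9} {location}")
```

Comparing this expected set against the localfile entries the agent actually reports at startup is a quick way to spot a monitoring gap after changing the shared agent.conf.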
