I can't imagine a way to change ossec.conf on every agent if you are not using some deployment software (like Puppet).
One solution for further installations is to change default ossec.conf file in order to include your EventID exception. Regards, Pedro S. On Monday, March 7, 2016 at 3:02:49 PM UTC+1, Abdulvehhab Agin wrote: > > Hi, > > > We have lots of ossec.agent on Windows system; These ossec's generate too > much *"Audit Logs"* and we don't want to collects these logs; > > > When i change Ossec.conf on client manually : > > > ## New Ossec.conf > ------------------------ > > <localfile> > <location>Security</location> > <log_format>eventchannel</log_format> > <query>Event/System[EventID!="4648" and EventID!="4656" and > EventID!="4658"]</query> > </localfile> > > ------------------------ > > > It works good but, we don't want to change this config manually on each > computer; Is there a way to deploy this config via OSSEC Server like > shared/agent.conf > > > > Thanks for any help. > > > > > > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
