If he doesn't have any kind of configuration management/orchestration in
place it might make more sense to use a minimal ossec.conf on the agents
and deploy any changes via the shared/agent.conf on the master.
That way he won't run into problems again with settings on the agents he
might have to manually remove.
On 3/8/2016 1:01 PM, Pedro S wrote:
I can't imagine a way to change ossec.conf on every agent if you are
not using some deployment software (like Puppet).
One solution for further installations is to change default ossec.conf
file in order to include your EventID exception.
Regards,
Pedro S.
On Monday, March 7, 2016 at 3:02:49 PM UTC+1, Abdulvehhab Agin wrote:
Hi,
We have lots of ossec.agent on Windows systems. These agents
generate too many "Audit Logs" and we don't want to collect
these logs.
When I change Ossec.conf on the client manually:
## New Ossec.conf
------------------------
<localfile>
  <location>Security</location>
  <log_format>eventchannel</log_format>
  <query>Event/System[EventID!="4648" and EventID!="4656" and EventID!="4658"]</query>
</localfile>
------------------------
It works well, but we don't want to change this config manually on
each computer. Is there a way to deploy this config via the OSSEC
server, like shared/agent.conf?
Thanks for any help.
--
---
You received this message because you are subscribed to the Google
Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send
an email to [email protected]
<mailto:[email protected]>.
For more options, visit https://groups.google.com/d/optout.
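Added example (not part of the thread and not OSSEC project code): the filter from the original post wrapped for the manager's shared/agent.conf, plus a small check that flags Security-channel <localfile> entries still lacking the EventID exclusions, the leftover agent-side setting the first reply warns about. Both config samples are constructed, audit() and localfiles() are hypothetical helper names, and it assumes <localfile> entries from ossec.conf and agent.conf are both collected on the agent.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: shared/agent.conf on the manager, carrying the
# <localfile> block from the thread, scoped to Windows agents.
SHARED_AGENT_CONF = """
<agent_config os="Windows">
  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID!="4648" and EventID!="4656" and EventID!="4658"]</query>
  </localfile>
</agent_config>
"""

# Constructed sample: an agent's local ossec.conf with an unfiltered entry left in.
LOCAL_OSSEC_CONF = """
<ossec_config>
  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
  </localfile>
</ossec_config>
"""

EXCLUDED_IDS = {"4648", "4656", "4658"}  # EventIDs named in the thread

def localfiles(conf_text):
    # These files can hold several top-level blocks, so wrap them in one root.
    root = ET.fromstring("<root>" + conf_text + "</root>")
    return [{c.tag: (c.text or "").strip() for c in lf} for lf in root.iter("localfile")]

def audit(conf_text, channel="Security"):
    """Return (log_format, missing EventIDs) for entries on `channel` that lack exclusions."""
    findings = []
    for entry in localfiles(conf_text):
        if entry.get("location", "").lower() != channel.lower():
            continue
        query = entry.get("query", "")
        excluded = set(re.findall(r'EventID\s*!=\s*"(\d+)"', query))
        missing = sorted(EXCLUDED_IDS - excluded)
        if missing:
            findings.append((entry.get("log_format"), missing))
    return findings

if __name__ == "__main__":
    print("shared agent.conf:", audit(SHARED_AGENT_CONF))
    print("local ossec.conf: ", audit(LOCAL_OSSEC_CONF))
```

An empty list for the shared file and a finding for the local file means the central filter is in place but the agent would still forward the excluded events through its own unfiltered entry.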