It's my understanding it needed to be configured on the agent? Following is 
anything I can see as remotely pertinent in the ossec.conf file on the 
OSSEC server. I'm not including sections referencing the rules and 
directories to monitor and ignore (which I didn't modify).

<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_maxperhour>5000</email_maxperhour>
    <email_to>[email protected]</email_to>
    <smtp_server>redact.redact.com</smtp_server>
    <email_from>[email protected]</email_from>
    <logall>yes</logall>
  </global>

  <syscheck>
    <!-- Frequency that syscheck is executed - default to every 22 hours -->
    <frequency>72000</frequency>
    <alert_new_files>yes</alert_new_files>
    <auto_ignore>no</auto_ignore>
  </syscheck>
  <remote>
    <connection>syslog</connection>
  </remote>
  <remote>
    <connection>secure</connection>
  </remote>
  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>7</email_alert_level>
  </alerts>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/secure</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/maillog</location>
  </localfile>
</ossec_config>


On Tuesday, October 25, 2016 at 8:15:53 AM UTC-7, dan (ddpbsd) wrote:

> On Tue, Oct 25, 2016 at 11:03 AM, Matt <[email protected]> wrote:
> > I can definitely confirm that the FIM scan ISN'T paying attention to the
> > ossec.conf file on the Windows agent. Instead it is running based off the
> > config of the OSSEC Master server. Pasting in config from windows agent.
> > And I did add the new file and ignore flag to the master, just didn't remove
> > from agent.
> > 
>
> Which options specifically are being set (for the agent) from the 
> OSSEC server's ossec.conf? 
>
> >    <!-- Syscheck - Integrity Checking config. --> 
> >   <syscheck> 
> > 
> >     <!-- Default frequency, every 20 hours. It doesn't need to be higher 
> >       -  on most systems and one a day should be enough. 
> >       --> 
> >     <frequency>16200</frequency> 
> >     <alert_new_files>yes</alert_new_files> 
> >     <auto_ignore>no</auto_ignore> 
> > 
> > On Wednesday, October 19, 2016 at 12:11:20 PM UTC-7, dan (ddpbsd) wrote: 
> >> 
> >> On Oct 19, 2016 12:08 PM, "Matt" <[email protected]> wrote: 
> >> > 
> >> > Thank you both, I appreciate it. 
> >> > 
> >> > I added the config to the global file instead of the local file. 
> >> > 
> >> > So, I think realtime is behaving now, but not the rest. It's my
> >> > understanding the scan frequency for the agent is set on the agent, not the
> >> > global level. I've set the agent to about an hour, but it's not noting
> >> > changes for the non realtime. I'm ok with setting it to less frequent and
> >> > will try 4 hours next, and then a longer period after that. Unless it's all
> >> > set on the global level (master server is 20hr), which didn't seem to be the
> >> > case?
> >> > 
> >> 
> >> Frequency is handled in the agent's ossec.conf. 
> >> 
> >> > Thanks, 
> >> > Matthew 
> >> > 
> > 
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/d/optout.
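Added example, not code from the thread or from the OSSEC project: a small Python audit of the `<syscheck>` and `<alerts>` sections of whichever ossec.conf (or shared agent.conf) is actually in question. It reports the scan interval in hours (72000 s, as in the server config above, is 20 hours, not 22), which monitored paths are on the scheduled scan only versus realtime, and whether new-file alerts clear the email threshold. The sample config is constructed to mirror the server config above with `<directories>` and `<ignore>` entries added; the 79200 s default is OSSEC's documented default for a missing `<frequency>`, and the level 5 assumed for the stock "File added to the system" rule is an assumption labelled in the code.

```python
"""Audit the syscheck (FIM) settings in an OSSEC ossec.conf or agent.conf."""
import xml.etree.ElementTree as ET

# Constructed sample (not the poster's file verbatim): same syscheck and
# alert values as the server ossec.conf in the thread, plus <directories>
# and <ignore> entries, which the post left out, so there is something to audit.
SAMPLE_CONF = """
<ossec_config>
  <syscheck>
    <!-- Frequency that syscheck is executed - default to every 22 hours -->
    <frequency>72000</frequency>
    <alert_new_files>yes</alert_new_files>
    <auto_ignore>no</auto_ignore>
    <directories check_all="yes" realtime="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>
    <ignore>/etc/mtab</ignore>
  </syscheck>
  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>7</email_alert_level>
  </alerts>
</ossec_config>
"""

# OSSEC's built-in default when <frequency> is absent: 79200 s (22 hours).
DEFAULT_FREQUENCY = 79200
# Assumption, not stated in the thread: in the stock OSSEC ruleset the
# "File added to the system" rule (554) is level 5, below the level-7
# checksum-changed (550) and deleted (553) rules. Check your ossec_rules.xml.
NEW_FILE_RULE_LEVEL = 5


def load_config(text):
    """Parse config text. OSSEC permits several top-level <ossec_config> or
    <agent_config> blocks in one file, which is not well-formed XML, so the
    text is wrapped in a synthetic root before parsing."""
    return ET.fromstring("<root>" + text + "</root>")


def audit_syscheck(text):
    """Return a dict describing the syscheck settings found in `text`.
    When several config blocks set the same scalar, the last one wins."""
    root = load_config(text)
    report = {
        "frequency_seconds": None, "frequency_hours": None,
        "alert_new_files": False, "directories": [], "ignored": [],
        "email_alert_level": None, "new_file_alerts_emailed": None,
    }
    for sc in root.iter("syscheck"):
        freq = sc.findtext("frequency")
        if freq is not None and freq.strip().isdigit():
            report["frequency_seconds"] = int(freq)
            report["frequency_hours"] = round(int(freq) / 3600, 2)
        if (sc.findtext("alert_new_files") or "").strip().lower() == "yes":
            report["alert_new_files"] = True
        for d in sc.findall("directories"):
            # One <directories> element may list several comma-separated
            # paths; its attributes apply to all of them.
            for path in (d.text or "").split(","):
                path = path.strip()
                if path:
                    report["directories"].append({
                        "path": path,
                        "realtime": d.get("realtime", "no") == "yes",
                        "check_all": d.get("check_all", "no") == "yes",
                        "report_changes": d.get("report_changes", "no") == "yes",
                    })
        for ign in sc.findall("ignore"):
            if ign.text and ign.text.strip():
                report["ignored"].append(ign.text.strip())
    for lvl in root.iter("email_alert_level"):
        if lvl.text and lvl.text.strip().isdigit():
            report["email_alert_level"] = int(lvl.text)
    if report["alert_new_files"] and report["email_alert_level"] is not None:
        report["new_file_alerts_emailed"] = NEW_FILE_RULE_LEVEL >= report["email_alert_level"]
    return report


def findings(report):
    """Human-readable findings derived from an audit report."""
    out = []
    if report["frequency_seconds"] is None:
        out.append("no <frequency>: OSSEC default of %d s (%.0f h) applies"
                   % (DEFAULT_FREQUENCY, DEFAULT_FREQUENCY / 3600))
    if not report["directories"]:
        out.append("no <directories>: syscheck has nothing to scan")
    scheduled_only = [d["path"] for d in report["directories"] if not d["realtime"]]
    if scheduled_only and report["frequency_hours"] is not None:
        out.append("scanned only every %s h (no realtime): %s"
                   % (report["frequency_hours"], ", ".join(scheduled_only)))
    if report["new_file_alerts_emailed"] is False:
        out.append("alert_new_files=yes but email_alert_level=%d is above the "
                   "new-file rule level %d: new files are logged, not emailed"
                   % (report["email_alert_level"], NEW_FILE_RULE_LEVEL))
    return out


if __name__ == "__main__":
    rep = audit_syscheck(SAMPLE_CONF)
    print("syscheck every %s h, %d paths, %d ignored"
          % (rep["frequency_hours"], len(rep["directories"]), len(rep["ignored"])))
    for f in findings(rep):
        print(" -", f)
```

Run it against the agent's local ossec.conf and against the server's shared agent.conf separately; the server's own `<syscheck>` block governs the manager's scan, so checking it tells you nothing about what the Windows agent is doing.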
