On Tue, Oct 25, 2016 at 12:29 PM, Matt <sttwo...@gmail.com> wrote:
> It's my understanding it needed to be configured on the agent? Following is

What needed to be configured on the agent? Which specific settings
were you referencing in your previous email?
Some settings get set on the agent, some on the server. Which settings
did you expect to be set on the agent, but only worked when set on the
server?

> anything I can see as remotely pertinent in the Ossec.conf file on the OSSEC
> server. I'm not including sections referencing the rules and directories to
> monitor and ignore (which I didn't modify).
>
> <ossec_config>
>   <global>
>     <email_notification>yes</email_notification>
>     <email_maxperhour>5000</email_maxperhour>
>     <email_to>red...@redact.com</email_to>
>     <smtp_server>redact.redact.com</smtp_server>
>     <email_from>red...@redact.com</email_from>
>     <logall>yes</logall>
>   </global>
>

Obvious server settings.

>   <syscheck>
>     <!-- Frequency that syscheck is executed - default to every 22 hours -->
>     <frequency>72000</frequency>

Frequency should be set by that host's ossec.conf.

>     <alert_new_files>yes</alert_new_files>
>     <auto_ignore>no</auto_ignore>

Obvious server settings.

>   </syscheck>
>   <remote>
>     <connection>syslog</connection>
>   </remote>
>   <remote>
>     <connection>secure</connection>
>   </remote>

Obvious server settings.

>   <alerts>
>     <log_alert_level>1</log_alert_level>
>     <email_alert_level>7</email_alert_level>
>   </alerts>
>

Obvious server settings.

>   <localfile>
>     <log_format>syslog</log_format>
>     <location>/var/log/messages</location>
>   </localfile>
>   <localfile>
>     <log_format>syslog</log_format>
>     <location>/var/log/secure</location>
>   </localfile>
>   <localfile>
>     <log_format>syslog</log_format>
>     <location>/var/log/maillog</location>
>   </localfile>
> </ossec_config>
>

Each system should have localfile entries for the logs on that system.

>
> On Tuesday, October 25, 2016 at 8:15:53 AM UTC-7, dan (ddpbsd) wrote:
>>
>> On Tue, Oct 25, 2016 at 11:03 AM, Matt <sttw...@gmail.com> wrote:
>> > I can definitely confirm that the FIM scan ISN'T paying attention to the
>> > ossec.conf file on the Windows agent. Instead it is running based off
>> > the
>> > config of the OSSEC  Master server. Pasting in config from windows
>> > agent.
>> > And I did add the new file and ignore flag to the master, just didn't
>> > remove
>> > from agent.
>> >
>>
>> Which options specifically are being set (for the agent) from the
>> OSSEC server's ossec.conf?
>>
>> >    <!-- Syscheck - Integrity Checking config. -->
>> >   <syscheck>
>> >
>> >     <!-- Default frequency, every 20 hours. It doesn't need to be higher
>> >       -  on most systems and one a day should be enough.
>> >       -->
>> >     <frequency>16200</frequency>
>> >     <alert_new_files>yes</alert_new_files>
>> >     <auto_ignore>no</auto_ignore>
>> >
>> > On Wednesday, October 19, 2016 at 12:11:20 PM UTC-7, dan (ddpbsd) wrote:
>> >>
>> >> On Oct 19, 2016 12:08 PM, "Matt" <sttw...@gmail.com> wrote:
>> >> >
>> >> > Thank you both, I appreciate it.
>> >> >
>> >> > I added the config to the global file instead of the local file.
>> >> >
>> >> > So, I think realtime is behaving now, but not the rest. It's my
>> >> > understanding the scan frequency for the agent is set on the agent,
>> >> > not the
>> >> > global level. I've set the agent to about an hour, but it's not
>> >> > noting
>> >> > changes for the non realtime. I'm ok with setting it to less frequent
>> >> > and
>> >> > will try 4 hours next, and then a longer period after that. Unless
>> >> > it's all
>> >> > set on the global level (master server is 20hr), which didn't seem to
>> >> > be the
>> >> > case?
>> >> >
>> >>
>> >> Frequency is handled in the agent's ossec.conf.
>> >>
>> >> > Thanks,
>> >> > Matthew
>> >> >
>> >> > --
>> >> >
>> >> > ---
>> >> > You received this message because you are subscribed to the Google
>> >> > Groups "ossec-list" group.
>> >> > To unsubscribe from this group and stop receiving emails from it,
>> >> > send
>> >> > an email to ossec-list+...@googlegroups.com.
>> >> > For more options, visit https://groups.google.com/d/optout.
>> >
>

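As an added example (not from this thread, and not part of OSSEC itself), here is a small Python script that parses an ossec.conf and sorts its settings by where they take effect, using exactly the split dan lays out above: email, remote, alerts and the syscheck alert_new_files/auto_ignore options are honoured on the server, while syscheck frequency and localfile entries are read from each host's own ossec.conf. The classification table is built only from the settings quoted in this thread, so any other element is reported as "unknown" rather than guessed at; the sample agent config is constructed for the example and is modelled on the Windows agent snippet Matt pasted.

```python
# Added example, not part of the ossec-list thread or of OSSEC itself.
# Classifies the settings in an ossec.conf as server-side or host-local,
# using the split dan describes in the thread above. Anything not covered
# by the thread is reported as "unknown" rather than guessed.
import xml.etree.ElementTree as ET

# section/element paths the thread identifies as honoured on the OSSEC server
SERVER_SIDE = {
    "global/email_notification", "global/email_maxperhour", "global/email_to",
    "global/smtp_server", "global/email_from", "global/logall",
    "remote/connection",
    "alerts/log_alert_level", "alerts/email_alert_level",
    "syscheck/alert_new_files", "syscheck/auto_ignore",
}

# paths the thread says each host sets in its own ossec.conf
HOST_LOCAL = {
    "syscheck/frequency",
    "localfile/log_format", "localfile/location",
}


def parse_ossec_conf(text):
    """Return (section/element, value) pairs for every leaf setting.

    An ossec.conf may hold several top-level <ossec_config> blocks, so the
    text is wrapped in a synthetic root before parsing. XML comments are
    dropped by the parser.
    """
    root = ET.fromstring("<root>" + text + "</root>")
    settings = []
    for cfg in root.iter("ossec_config"):
        for section in cfg:
            for leaf in section:
                if len(leaf) == 0:  # leaf element: section/leaf = value
                    value = (leaf.text or "").strip()
                    settings.append((f"{section.tag}/{leaf.tag}", value))
    return settings


def classify(text):
    """Group settings into server-side, host-local and unknown."""
    result = {"server": [], "host": [], "unknown": []}
    for path, value in parse_ossec_conf(text):
        if path in SERVER_SIDE:
            result["server"].append((path, value))
        elif path in HOST_LOCAL:
            result["host"].append((path, value))
        else:
            result["unknown"].append((path, value))
    return result


def ineffective_on_agent(text):
    """Settings placed in an agent's ossec.conf that the server decides instead."""
    return [path for path, _ in classify(text)["server"]]


# Constructed sample (not a real host's file): a syscheck block modelled on the
# Windows agent snippet quoted in the thread, plus one localfile entry in a
# second <ossec_config> block. The alert_new_files/auto_ignore lines are the
# ones the thread says only matter on the server.
AGENT_CONF = """
<ossec_config>
  <syscheck>
    <!-- frequency in seconds -->
    <frequency>16200</frequency>
    <alert_new_files>yes</alert_new_files>
    <auto_ignore>no</auto_ignore>
  </syscheck>
</ossec_config>
<ossec_config>
  <localfile>
    <log_format>eventlog</log_format>
    <location>Security</location>
  </localfile>
</ossec_config>
"""

if __name__ == "__main__":
    for group, items in classify(AGENT_CONF).items():
        for path, value in items:
            print(f"{group:8} {path} = {value}")
    print("no effect on the agent:", ineffective_on_agent(AGENT_CONF))
```

Run against the sample, the script lists frequency and the localfile entry as host-local and flags alert_new_files and auto_ignore as settings the agent file cannot influence, which is the mismatch the thread is chasing: a syscheck option that looks agent-side but is only read by the server will appear to be "ignored" on the agent.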