Our OSSEC server is running the newest version of Security Onion, which has it built in.

On Wednesday, February 1, 2017 at 1:15:16 PM UTC-5, dan (ddpbsd) wrote:
>
> On Wed, Feb 1, 2017 at 1:12 PM, <[email protected]> wrote:
> > Just a note, I have had /var/ossec/etc/shared/agent.conf go from having
> > content back to being blank a number of times here without having any
> > interaction on the server. Has anyone else experienced this?
> >
>
> Did you install OSSEC from source, or from a package?
>
> > On Wednesday, February 1, 2017 at 12:38:44 PM UTC-5, dan (ddpbsd) wrote:
> >>
> >> On Wed, Feb 1, 2017 at 12:25 PM, <[email protected]> wrote:
> >> > Hello All,
> >> >
> >> > I am currently working on a central ossec.conf file which contains our
> >> > Windows and Linux configurations for all clients. Here are a few
> >> > background details:
> >> >
> >> > 1. We currently only have a few Linux deployments and roughly 6 Windows
> >> > deployments as a POC
> >> > 2. All clients have a custom config, specific to Windows or Linux
> >> >
> >> > Now, I'd like to manage clients going forward with a central config file
> >> > using agent.conf within /var/ossec/etc/shared. I've followed these
> >> > steps:
> >> >
> >> > 1. Created an agent.conf file, and ran verify-agent-conf without any
> >> > issues.
> >> > 2. Ran MD5SUM against the agent.conf and noted hash
> >> > 3. Ran agent-control -R <ID> against a few clients
> >> > 4. Ran agent-control -i <ID> and verified that the MD5 changed to match
> >> > the agent.conf hash
> >> > 5. I review the agent.conf file on a Windows client that had updated and
> >> > it is blank
> >> > 6. I review the merged.mg file on the same client and I do see within
> >> > the file that the custom agent.conf from the server is present
> >> > 7. I go back to the /var/ossec/etc/shared/agent.conf and now see that it
> >> > is completely blank with a different MD5
> >> >
> >> > Can anyone explain why the agent.conf on the server would have the
> >> > content removed? My guess is that if the client doesn't have this info
> >> > in the agent.conf that it is only reading their local ossec.conf file?
> >> >
> >> > As a side note, do I need to re-deploy a new ossec.conf to clients out
> >> > there with only the server IP configuration or will OSSEC merge the
> >> > config with the agent.conf on the server?
> >> >
> >>
> >> There shouldn't be anything in ossec that will blank the agent.conf on
> >> the server.
> >> If there is no agent.conf, the agent will use the ossec.conf.
> >> The running configuration merges the ossec.conf and agent.conf.
> >>
> >> > Thanks all for the help!
> >> >
> >> > Eric
> >> >
> >> > --
> >> >
> >> > ---
> >> > You received this message because you are subscribed to the Google
> >> > Groups "ossec-list" group.
> >> > To unsubscribe from this group and stop receiving emails from it, send
> >> > an email to [email protected].
> >> > For more options, visit https://groups.google.com/d/optout.
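
A diagnostic for the symptom described in this thread (merged.mg still carries the custom agent.conf while agent.conf itself is blank), added here as an example and not code from the thread or from the OSSEC project: it splits a merged.mg into its files and compares the MD5 of the embedded agent.conf with the on-disk copy. The `!<size> <name>` entry layout is an assumption about the merged.mg format, and the function names and sample data are constructed.

```python
import hashlib

def unmerge(blob: bytes) -> dict:
    """Split merged.mg bytes into {name: content}.

    Assumed layout, repeated per file: b"!<size> <name>\\n" then <size> bytes.
    """
    files, pos = {}, 0
    while pos < len(blob):
        eol = blob.find(b"\n", pos)
        header = blob[pos:eol] if eol != -1 else b""
        if not header.startswith(b"!"):
            raise ValueError(f"no entry header at offset {pos}")
        size_field, _, name = header[1:].partition(b" ")
        size, start = int(size_field), eol + 1
        body = blob[start:start + size]
        if len(body) != size:
            raise ValueError(f"entry {name!r} is truncated")
        files[name.decode()] = body
        pos = start + size
    return files

def compare_agent_conf(merged: bytes, on_disk: bytes):
    """Return (status, md5 of embedded copy or None, md5 of on-disk file)."""
    embedded = unmerge(merged).get("agent.conf")
    disk_md5 = hashlib.md5(on_disk).hexdigest()
    if embedded is None:
        return "not-in-merged", None, disk_md5
    emb_md5 = hashlib.md5(embedded).hexdigest()
    if emb_md5 == disk_md5:
        return "match", emb_md5, disk_md5
    # The thread's symptom: merged.mg still has content, agent.conf is blank.
    status = "disk-blank" if not on_disk.strip() else "mismatch"
    return status, emb_md5, disk_md5

# Constructed sample data, not taken from the thread.
AGENT_CONF = (b'<agent_config os="Windows">\n  <localfile>\n'
              b'    <location>Security</location>\n'
              b'    <log_format>eventlog</log_format>\n'
              b'  </localfile>\n</agent_config>\n')
OTHER = b"# constructed placeholder shared file\n"
SAMPLE_MERGED = b"".join(b"!%d %s\n" % (len(c), n) + c
    for n, c in ((b"agent.conf", AGENT_CONF), (b"other.txt", OTHER)))

if __name__ == "__main__":
    for label, disk in (("intact", AGENT_CONF), ("blank", b"")):
        print(label, compare_agent_conf(SAMPLE_MERGED, disk))
```

To use it on a real system, read merged.mg and agent.conf in binary mode and pass their bytes to `compare_agent_conf`; a `disk-blank` result means the content was distributed before the file was emptied.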
