On Aug 22, 2017 12:52 PM, "Leroy Tennison" <[email protected]> wrote:
Hopefully final question about this, I notice the default manager's agent.conf has a configuration simply for os="linux" (and windows) as well as one which has no qualifier, I'm assuming those configurations apply to all systems with that os and all systems respectively. Correct? Suggestion, these might be worthwhile Architecture or FAQ additions. Correct, with the exception of the manager. It does not utilize the agent.conf. On Tuesday, August 22, 2017 at 11:00:04 AM UTC-5, dan (ddpbsd) wrote: > > > On Aug 22, 2017 11:55 AM, "Leroy Tennison" <[email protected]> wrote: > > Thank you for your reply, sadly, that's exactly what I've done (doubled > up). I'll go fix that. Correct me if I'm wrong but, from your reply, it > appears that I need to examine both the manager's agent.conf as well as the > agent's ossec.conf to determine the "effective" configuration. > > > That is correct. Unfortunately that would be correct in any conceivable > scenario I can come up with. > At best you can minimize the ossec.conf and utilize the agent.conf as much > as possible. > > > On Monday, August 21, 2017 at 5:40:53 PM UTC-5, dan (ddpbsd) wrote: >> >> >> >> On Aug 21, 2017 4:39 PM, "Leroy Tennison" <[email protected]> wrote: >> >> I have added to /var/ossec/etc/shared/agent.conf a profile for a class >> of machine and updated the agent's ossec.conf with the config-profile in >> the <client> block. >> >> Do I need to remove the <syscheck>, <rootcheck> and all <localfile> >> entries on the client or will the manager simply override them? Is the >> result "either (the manager configuration)/or (the agent configuration)" or >> cumulative (both components apply? >> >> >> Cumulative. All options are applied. It is important syscheck entries are >> not doubled up. >> >> Changing the agent.conf to over-riding ossec.conf options is something I >> am interesred in, but javen't had time for. >> >> >> >> -- >> >> --- >> You received this message because you are subscribed to the Google Groups >> "ossec-list" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to [email protected]. >> >> For more options, visit https://groups.google.com/d/optout. >> >> >> -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > For more options, visit https://groups.google.com/d/optout. > > > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout. -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
