Hi Dan,

Does my configuration of both agent and server look fine? Only when I added the <syscheck> section in the agent ossec.conf did it start monitoring files. So why do we need the agent.conf in OSSEC master?

On Thursday, June 21, 2018 at 9:39:09 PM UTC+5:30, dan (ddpbsd) wrote:
> On Thu, Jun 21, 2018 at 8:32 AM, Vinay Vanama <vinay....@gmail.com> wrote:
> > Hi Dan!
> >
> > I have achieved this by using profile concept
> >
> > What I have done is I have used a <agent_config profile="static"> and for
> > dynamic agents I have used <agent_config profile="dynamic"> and then I have
> > restarted agents and agent.conf has been updated in both machines. But I'm
> > confused here in one place. In agent.conf file my settings for static and
> > dynamic machines are different. Below are the files.
> >
> > <agent_config profile="static">
> >   <syscheck>
> >     <!-- Frequency that syscheck is executed - default to every 22 hours -->
> >     <frequency>60</frequency>
> >     <scan_on_start>yes</scan_on_start>
> >     <skip_nfs>yes</skip_nfs>
> >
> >     <!-- Directories to check (perform all possible verifications) -->
> >     <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
> >     <directories check_all="yes">/bin,/sbin,/boot</directories>
> >   </syscheck>
> >
> > <agent_config profile="dynamic">
> >   <syscheck>
> >     <!-- Frequency that syscheck is executed - default to every 22 hours -->
> >     <frequency>60</frequency>
> >     <scan_on_start>yes</scan_on_start>
> >     <skip_nfs>yes</skip_nfs>
> >
> >     <!-- Directories to check (perform all possible verifications) -->
> >     <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
> >   </syscheck>
> >
> > </agent_config>
> >
> > If you observe the <syscheck> section for both profiles I have modified a
> > bit for test purpose and my ossec.conf file on agents is like below.
> >
> > <ossec_config>
> >   <client>
> >     <server-ip>10.1.19.118</server-ip>
> >     <config_profile>static</config_profile>
> >   </client>
> >
> > and for dynamic machines
> >
> > <ossec_config>
> >   <client>
> >     <server-ip>10.1.19.118</server-ip>
> >     <config_profile>dynamic</config_profile>
> >   </client>
> >
> > And finally I have added a file in /etc directory in both agents and I
> > didn't get any alert regarding the file addition. Is my configuration of
> > agent.conf and ossec.conf of the agents correct? Even if I added
> > settings in agent.conf, should I add them in ossec.conf too?
> >
>
> Look in the ossec.log of the agents in question to see if they are
> monitoring those directories.
> If so, make sure they do a full scan before and after the file was added.
>
> > Thanks!
> >
> > On Wednesday, June 20, 2018 at 9:09:08 PM UTC+5:30, dan (ddpbsd) wrote:
> >>
> >> On Tue, Jun 19, 2018 at 5:33 AM, Vinay Vanama <vinay....@gmail.com> wrote:
> >> > Hi Team,
> >> >
> >> > I have installed OSSEC-Master and OSSEC-Agents (Version - 2.9.2) on
> >> > Ubuntu machines which are static machines. So far everything is fine and
> >> > I'm getting alerts. Now I'm using same setup for dynamic machines and
> >> > agents are getting added to master without any issue. But my problem is
> >> > I have more than 120 machines where 30 are static and 90 are dynamic
> >> > machines. So I was thinking can we have a group based agent
> >> > configuration where all static machines will be under GROUP-1 and all
> >> > dynamic machines will be under GROUP-2, so is this possible?
> >> >
> >> > If possible, can I have rules also to be applied for specific groups?
> >> >
> >>
> >> This isn't really possible at the moment. I think using different OSSEC
> >> servers for different classes of agents is the best solution at the
> >> moment.
> >>
> >> > Need your help!
> >> > Thanks
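
An added example, not part of the thread and not OSSEC's own code: a Python check that parses an agent.conf and lists the syscheck directories each profile would receive, rejecting a file that is not well-formed XML. The sample is constructed from the agent.conf quoted above, whose quoted copy has no `</agent_config>` after the static block; the function name and the synthetic wrapper element are assumptions of this example.

```python
import xml.etree.ElementTree as ET

def syscheck_dirs_by_profile(agent_conf_text):
    """Map each <agent_config profile="..."> to its sorted syscheck directories.

    agent.conf can hold several top-level <agent_config> blocks, so the text is
    wrapped in a synthetic root before parsing. Blocks without a profile
    attribute are keyed under None. Raises ValueError when the XML is not
    well formed, for example when an <agent_config> block is never closed.
    """
    try:
        root = ET.fromstring("<wrapper>" + agent_conf_text + "</wrapper>")
    except ET.ParseError as exc:
        raise ValueError("agent.conf is not well-formed XML: %s" % exc)
    result = {}
    for block in root.findall("agent_config"):
        dirs = result.setdefault(block.get("profile"), set())
        for entry in block.findall("syscheck/directories"):
            # One <directories> element carries a comma-separated path list.
            dirs.update(p.strip() for p in (entry.text or "").split(",") if p.strip())
    return {profile: sorted(paths) for profile, paths in result.items()}

# Constructed sample: the two profiles from the thread, each block closed.
CLOSED = """
<agent_config profile="static">
  <syscheck>
    <frequency>60</frequency>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin,/boot</directories>
  </syscheck>
</agent_config>
<agent_config profile="dynamic">
  <syscheck>
    <frequency>60</frequency>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
  </syscheck>
</agent_config>
"""
# Constructed to mirror the quoted copy: the static block is never closed.
AS_QUOTED = CLOSED.replace("</agent_config>", "", 1)

if __name__ == "__main__":
    for profile, paths in syscheck_dirs_by_profile(CLOSED).items():
        print(profile, paths)
    try:
        syscheck_dirs_by_profile(AS_QUOTED)
    except ValueError as err:
        print("rejected:", err)
```

Running the same check against the copy of agent.conf that actually arrived on an agent shows whether the profile block it expects is present and which directories it lists.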