On Fri, Jun 22, 2018 at 7:52 AM, Vinay Vanama <vinay.vana...@gmail.com> wrote:
> Hey, I have tried the same with 2 profiles and restarted agents and master and
> added some files in the monitoring directories and I have got some email
> alerts for the added files. Now I believe that this <config_profile> is
> working.
>
> I have one more question!! Will the rules in /var/ossec/rules/ still apply
> to the agents, right?
>

Yes. The server will compare each message it receives to the decoders and rules.

> What I'm trying is I have 5 static machines and 5 dynamic machines; now I
> need to be able to vary rules based on profile. Is it possible? For example,
> if I login to my static machine and do a sudo for the first time I should
> get an email alert, and if I login to my dynamic agent and do a sudo for the
> first time I should not get the email alert!
>

No. As I stated in my original message, you'd have to have different servers
for the static and dynamic machines.

> Thanks
>
> On Friday, June 22, 2018 at 12:36:05 AM UTC+5:30, dan (ddpbsd) wrote:
>>
>> On Thu, Jun 21, 2018 at 2:45 PM, Vinay Vanama <vinay....@gmail.com> wrote:
>> > So now how can we ensure that this <config_profile> is working?
>> >
>>
>> Ok, I created an agent.conf:
>> ix# more /var/ossec/etc/shared/agent.conf
>> <agent_config profile="tester">
>>   <syscheck>
>>     <directories check_all="yes">/var/test</directories>
>>   </syscheck>
>> </agent_config>
>>
>> It got pushed to an agent. I configured that agent to use the profile:
>> junction# more /var/ossec/etc/ossec.conf
>> <ossec_config>
>>   <client>
>>     <server-hostname>ix.example.com</server-hostname>
>>     <config-profile>tester</config-profile>
>>   </client>
>>
>> I restarted the agent and checked the log:
>> junction# grep 'var/test' /var/ossec/logs/ossec.log
>> 2018/06/21 14:58:52 ossec-syscheckd(1701): WARN: No option provided for directories: '/var/test', ignoring it.
>> 2018/06/21 14:59:24 ossec-syscheckd(1701): WARN: No option provided for directories: '/var/test', ignoring it.
>> 2018/06/21 14:59:59 ossec-syscheckd: INFO: Monitoring directory: '/var/test', with options perm | size | owner | group | md5sum | sha256sum.
>>
>> You can see my failed attempts at setting this up the first couple of
>> times. I got it right on the third try.
>>
>> Now this agent already has some <directories> entries, so I'll have to
>> try it again without them to see if it still works.
>>
>> After removing the <directories> entries from the agent's ossec.conf and
>> restarting, I still see the message about '/var/test':
>> 2018/06/21 15:03:59 ossec-syscheckd: INFO: Monitoring directory: '/var/test', with options perm | size | owner | group | md5sum | sha256sum.
>>
>> The agent.conf was updated on the agent, restarted, and I see:
>> 2018/06/21 15:05:32 ossec-syscheckd: INFO: Monitoring directory: '/var/test', with options perm | size | owner | group | md5sum | sha256sum.
>> 2018/06/21 15:05:32 ossec-syscheckd: INFO: Monitoring directory: '/etc', with options perm | size | owner | group | md5sum | sha256sum.
>> 2018/06/21 15:05:32 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin', with options perm | size | owner | group | md5sum | sha256sum.
>> 2018/06/21 15:05:32 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin', with options perm | size | owner | group | md5sum | sha256sum.
>> 2018/06/21 15:05:32 ossec-syscheckd: INFO: Monitoring directory: '/bin', with options perm | size | owner | group | md5sum | sha256sum.
>> 2018/06/21 15:05:32 ossec-syscheckd: INFO: Monitoring directory: '/sbin', with options perm | size | owner | group | md5sum | sha256sum.
>> 2018/06/21 15:05:32 ossec-syscheckd: INFO: Monitoring directory: '/boot', with options perm | size | owner | group | md5sum | sha256sum.
>> 2018/06/21 15:05:32 ossec-syscheckd: INFO: Monitoring directory: '/var/ossec/etc/ossec.conf', with options perm | size | owner | group | md5sum | report_changes | sha256sum.
>>
>> So, it's definitely working.
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
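The check dan performs by hand above (push a profile-scoped <directories> entry via agent.conf, restart the agent, grep ossec.log for "Monitoring directory") can be scripted so it also catches the failure mode his first two attempts hit: a <directories> element with no check_* option, which ossec-syscheckd logs as "No option provided ... ignoring it" and silently leaves unmonitored. The script below is an added example, not code from the thread or from OSSEC. It assumes agent.conf may carry several <agent_config profile="..."> blocks (a block with no profile attribute applies to every agent) and that ossec.log uses the line format quoted in the thread; on a real system the two texts would be read from /var/ossec/etc/shared/agent.conf and /var/ossec/logs/ossec.log. The "broken" profile, the /srv/data path and the sample log lines are constructed for the example.

```python
"""Cross-check a profile's <directories> in agent.conf against what
ossec-syscheckd reports in ossec.log. Added example, not from the thread
or from OSSEC; sample data below is constructed."""
import re
import xml.etree.ElementTree as ET

# Constructed sample agent.conf: "tester" mirrors the thread's working block;
# "broken" repeats the mistake behind the WARN quoted there (no check_* option).
SAMPLE_AGENT_CONF = """\
<agent_config profile="tester">
  <syscheck>
    <directories check_all="yes">/var/test</directories>
  </syscheck>
</agent_config>
<agent_config profile="broken">
  <syscheck>
    <directories>/srv/data</directories>
  </syscheck>
</agent_config>
"""

# Constructed log lines in the format quoted in the thread: a failed attempt
# (WARN) followed by a successful restart (INFO) for the same path.
SAMPLE_LOG = """\
2018/06/21 14:58:52 ossec-syscheckd(1701): WARN: No option provided for directories: '/var/test', ignoring it.
2018/06/21 14:59:59 ossec-syscheckd: INFO: Monitoring directory: '/var/test', with options perm | size | owner | group | md5sum | sha256sum.
2018/06/21 15:05:32 ossec-syscheckd: INFO: Monitoring directory: '/etc', with options perm | size | owner | group | md5sum | sha256sum.
"""

MONITORED_RE = re.compile(
    r"ossec-syscheckd: INFO: Monitoring directory: '([^']+)', with options (.+)\.$")
IGNORED_RE = re.compile(
    r"ossec-syscheckd(?:\(\d+\))?: WARN: No option provided for directories: "
    r"'([^']+)', ignoring it\.$")


def parse_profiles(agent_conf_text):
    """Map profile name -> [(path, has_check_option)] from agent.conf text.

    agent.conf may hold several <agent_config> blocks with no single root,
    so the text is wrapped before parsing. A block without a profile
    attribute applies to every agent and is keyed under None.
    """
    root = ET.fromstring("<root>" + agent_conf_text + "</root>")
    profiles = {}
    for block in root.iter("agent_config"):
        profile = block.get("profile")
        for elem in block.iter("directories"):
            has_option = any(name.startswith("check_") for name in elem.attrib)
            for path in (elem.text or "").split(","):  # comma-separated list
                profiles.setdefault(profile, []).append((path.strip(), has_option))
    return profiles


def lint_profiles(profiles):
    """Return (profile, path) pairs syscheckd would ignore: no check_* option."""
    return [(prof, path) for prof, entries in profiles.items()
            for path, has_option in entries if not has_option]


def parse_syscheck_log(log_text):
    """Return ({monitored path: [options]}, {ignored paths}) from ossec.log.

    Lines are replayed in order, so a later successful restart clears an
    earlier WARN for the same path, as with the thread's third attempt.
    """
    monitored, ignored = {}, set()
    for line in log_text.splitlines():
        hit = MONITORED_RE.search(line)
        if hit:
            monitored[hit.group(1)] = hit.group(2).split(" | ")
            ignored.discard(hit.group(1))
            continue
        hit = IGNORED_RE.search(line)
        if hit:
            ignored.add(hit.group(1))
    return monitored, ignored


def verify_profile(profile, agent_conf_text, log_text):
    """Classify each directory the profile (plus unscoped blocks) should watch."""
    profiles = parse_profiles(agent_conf_text)
    monitored, ignored = parse_syscheck_log(log_text)
    wanted = [p for p, _ in profiles.get(profile, []) + profiles.get(None, [])]
    return {
        "monitored": [p for p in wanted if p in monitored],
        "ignored": [p for p in wanted if p in ignored],
        "missing": [p for p in wanted if p not in monitored and p not in ignored],
    }


if __name__ == "__main__":
    for prof, path in lint_profiles(parse_profiles(SAMPLE_AGENT_CONF)):
        print(f"agent.conf: profile {prof!r} directory {path} has no check_* option")
    print(verify_profile("tester", SAMPLE_AGENT_CONF, SAMPLE_LOG))
```

Running the lint before pushing agent.conf catches the option-less <directories> at the server; running verify_profile on the agent after restart confirms the profile was applied, with "missing" meaning the agent never logged anything for the path (wrong <config-profile>, agent.conf not yet pushed, or agent not restarted).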