Stephen,

I was not; I was doing it through profile and profile association on the ossec.conf and agent.conf files, noted in my writeup. I wasn't aware that was an option! I have been reading through the Wazuh documentation, and it seems like it has introduced group management, a feature not offered in OSSEC 2.9.4 (at least not that I could find). Unfortunately for me, I have been implementing 2.9.4, which I pulled straight from ossec.net. I was planning on taking care of SIEM integrations myself after it was up and running.
Would you, or anyone else, recommend switching over to an implementation of OSSEC forked through Wazuh for ease of management? From a currently running environment with source-controlled configs, do you think the projected LOE is fairly low? I have been reading through the documentation and it doesn't seem like, other than cleaning ossec-2.9.4 off of existing boxes, it would be that hard. What sort of differences, other than the group management, can I expect that I haven't yet seen in documentation? Will it work with vanilla ossec-agents (2.9.2-4) or only Wazuh agents?

All the Best,
Jay

On Wednesday, July 25, 2018 at 3:04:18 PM UTC, Stephen wrote:
> Hi James,
>
> Are you trying to group your agents and apply configs per group? Read the
> following link:
>
> https://documentation.wazuh.com/current/user-manual/reference/centralized-configuration.html?highlight=groups
>
> Assign your agents to particular groups in your manager then locate the
> agent.conf @ /var/ossec/etc/shared/groupname/ folder.
> Apply the new config then check if the agents have synchronized with
> the manager.
>
> Regards
> Stephen
>
> On Tuesday, 17 July 2018 18:10:04 UTC+1, James Warne wrote:
>> Hello all!
>>
>> I have gone through a large amount of posts, docs, and online resources
>> but haven't found a crystal clear answer to my specific issue. I might well
>> be missing something but we are a day or so in now and I feel like I need
>> some advice from the source!
>>
>> I went about trying to implement some custom profiles to better enable
>> centralized management of agents through my ossec server on a small scale
>> as a PoC, but I can't seem to get my custom profile to fire. I have
>> attached an about 125 line (675 line with configs/appendices) report in
>> markdown detailing:
>> 1) What I am trying to accomplish
>> 2) How I am trying to accomplish it
>> 3) What the failure looks like
>> 4) Configs/ alerts/ settings
>>
>> If anyone could provide guidance as to whether I am misunderstanding a
>> core tenet of profiles in the agent.conf, for instance, if there can only
>> be one explicit profile per agent and order matters, if the directories
>> specified in the profile don't include depth searches for some reason, or
>> if there is some other issue I lack the experience or depth of knowledge to
>> figure out, I would greatly appreciate it.
>>
>> Thanks to anyone who takes the time to read and help!
>>
>> All the Best,
>> Jay
