Hi, Dan.

Perhaps I am misunderstanding the documentation...

It’s important to understand which configuration file takes precedence
between ossec.conf and agent.conf when central configuration is used. When
central configuration is utilized, the local and the shared configuration
are merged; however, the ossec.conf file is read before the shared
agent.conf, and the last configuration of any setting will overwrite the
previous. Also, if a file path for a particular setting is set in both of
the configuration files, both paths will be included in the final
configuration.

In any case I was able to filter out Windows events in the shared
agent.conf file by filtering on event 0000 like this...
<localfile>
  <location>Application</location>
  <log_format>eventlog</log_format>
  <!-- matches only EventID 0, so effectively nothing is forwarded -->
  <query>Event/Application[EventID=0000]</query>
</localfile>

This then pushed out to the local agents and took precedence over the local
ossec.conf file.

I hope this helps others out there.


Cheers,

-B
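As an added example (not code from this thread or from OSSEC itself), the script below models the merge order the quoted documentation describes, lists the effective <localfile> entries, flags the EventID=0000 suppression, and checks that a shared agent.conf is well-formed XML before it is pushed. The merge model is an assumption taken from that documentation text, and the config fragments are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed samples, not from any real deployment. Local ossec.conf
# collects the Application event log; shared agent.conf adds the same
# log with the never-matching query from the list message.
OSSEC_CONF = """<ossec_config>
  <localfile>
    <location>Application</location>
    <log_format>eventlog</log_format>
  </localfile>
</ossec_config>"""
AGENT_CONF = """<agent_config>
  <localfile>
    <location>Application</location>
    <log_format>eventlog</log_format>
    <query>Event/Application[EventID=0000]</query>
  </localfile>
</agent_config>"""

def parse_localfiles(text):
    """Return (location, log_format, query) for each <localfile>.
    OSSEC config files may hold several root elements, so wrap them."""
    root = ET.fromstring("<root>%s</root>" % text)  # ParseError if malformed
    return [tuple((lf.findtext(tag) or "").strip()
                  for tag in ("location", "log_format", "query"))
            for lf in root.iter("localfile")]

def effective_localfiles(local_text, shared_text):
    """Assumed merge model taken from the quoted docs: ossec.conf is read
    first, agent.conf second, and entries from both are kept."""
    return parse_localfiles(local_text) + parse_localfiles(shared_text)

def eventlog_suppressions(entries):
    """Eventlog entries carrying the EventID=0000 filter from the message."""
    return [e for e in entries if e[1] == "eventlog" and "EventID=0000" in e[2]]

def is_well_formed(text):
    """Run this before pushing agent.conf: a stray '<localfile>' where
    '</localfile>' belongs would break every agent at once."""
    try:
        parse_localfiles(text)
        return True
    except ET.ParseError:
        return False

if __name__ == "__main__":
    merged = effective_localfiles(OSSEC_CONF, AGENT_CONF)
    for loc, fmt, query in merged:
        print(loc, fmt, query or "(no query)")
    print("suppressed:", eventlog_suppressions(merged))
```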



On Tue, Oct 2, 2018 at 7:54 AM dan (ddp) <[email protected]> wrote:

> On Tue, Oct 2, 2018 at 10:09 AM Rigoberto Avila Jr
> <[email protected]> wrote:
> >
> > Thanks for the reply, Dan.
> >
> > We have a shared configuration where the agents pull down the shared
> agent.conf. I know the shared file gets applied last but it doesn’t seem to
> be overwriting the settings in each of the agents. I would of course like
> to avoid visiting each agent.
> >
> > Any thoughts on this?
> >
>
> The shared agent.conf file doesn't usually override the options, but
> adds to them.
>
> >
> > Cheers.
> >
> > On Tue, Oct 2, 2018 at 3:37 AM dan (ddp) <[email protected]> wrote:
> >>
> >> On Tue, Oct 2, 2018 at 4:10 AM Bummi <[email protected]> wrote:
> >> >
> >> > Hi!
> >> >
> >> > We use Splunk to pull Windows events in, so for us it would be
> redundant to pull them in with the OSSEC agent as well. We just want to
> use the OSSEC agent for FIM.
> >> >
> >> > How can I go about disabling Windows event forwarding in the shared
> agent.conf file?
> >> >
> >>
> >> I haven't tried it, but I think you'd need to remove any <localfile>
> >> entries from the ossec.conf on each agent.
> >>
> >> >
> >> > Thanks,
> >> >
> >> > -B
> >> >
> >> >
> >> > --
> >> >
> >> > ---
> >> > You received this message because you are subscribed to the Google
> Groups "ossec-list" group.
> >> > To unsubscribe from this group and stop receiving emails from it,
> send an email to [email protected].
> >> > For more options, visit https://groups.google.com/d/optout.