two ossec.conf files in the agent, one for wazuh and one for other monitoring systems


Felipe Andres Concha Sepúlveda

Oct 17, 2018, 6:28:42 AM
to Wazuh mailing list
Hi, I want to install an agent on a Solaris server, and that server is already monitored by another system that uses a file called /var/ossec/etc/ossec.conf.
That file is old; it has the server-ip instead of Address.

The question is: can I create another ossec.conf file, so that there are two files on that server, the current one that the other monitoring system already uses and the new one that Wazuh uses?


Message has been deleted

elw...@wazuh.com

Oct 17, 2018, 9:05:46 AM
to Wazuh mailing list
Hello Felipe,

I'm assuming that you already have an OSSEC instance installed on that machine, so installing a Wazuh agent implies installing another OSSEC instance on the same machine, which may create conflicts, even if you specify another path for the new ossec.conf file.
So if you want to keep reporting to the other monitoring system while using the Wazuh agent:
  • Wazuh manager: the logs would be sent from your Wazuh agent to the manager; the latter would analyze them and generate the alerts (/var/ossec/logs/alerts/alerts.json) in JSON form, and these alerts could then be sent to your monitoring system.
Apologies for any inconvenience caused by the deleted post.
Let us know if you need any further information,
Best regards,
Wali.k
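
The forwarding path described in the reply above (Wazuh agent to manager, manager writes alerts.json, alerts go on to the other monitoring system), as an added example that is not part of the thread and not Wazuh's own code. It assumes alerts.json holds one JSON object per line; the sample alerts, the level-to-severity mapping, the message layout and the receiver address are constructed for illustration.

```python
import json
import socket

# Constructed sample in the alerts.json layout (one JSON object per line).
# The last line is cut short, as when the manager is in the middle of a write.
SAMPLE_ALERTS = "\n".join([
    '{"timestamp":"2018-10-17T15:05:46+0000","rule":{"level":10,"id":"100001",'
    '"description":"Constructed: repeated failed logins"},"agent":{"id":"003","name":"solaris-01"}}',
    '{"timestamp":"2018-10-17T15:06:02+0000","rule":{"level":3,"id":"100002",'
    '"description":"Constructed: session opened"},"agent":{"id":"003","name":"solaris-01"}}',
    '{"timestamp":"2018-10-17T15:06:09+0000","rule":{"level":12,"id":"1000',
])

def parse_alerts(text):
    """Yield alert dicts, skipping blank, truncated or non-object lines."""
    for line in text.splitlines():
        try:
            alert = json.loads(line)
        except json.JSONDecodeError:
            continue  # partial write or blank line; complete on a later read
        if isinstance(alert, dict):
            yield alert

def to_syslog(alert, min_level=7, facility=16):
    """Return a syslog line for the alert, or None if it is below min_level."""
    rule = alert.get("rule", {})
    level = int(rule.get("level", 0))
    if level < min_level:
        return None
    # Assumed mapping of alert level to syslog severity (not a Wazuh rule):
    severity = 2 if level >= 12 else 4 if level >= 7 else 5
    agent = alert.get("agent", {}).get("name", "unknown")
    return (f"<{facility * 8 + severity}>wazuh-alert: agent={agent} "
            f"rule={rule.get('id', '?')} level={level} {rule.get('description', '')}")

def build_messages(text, min_level=7):
    """Syslog lines for every parsed alert at or above min_level."""
    msgs = (to_syslog(a, min_level) for a in parse_alerts(text))
    return [m for m in msgs if m is not None]

def forward(text, host, port=514, min_level=7):
    """Send the messages over UDP syslog; returns how many were sent."""
    msgs = build_messages(text, min_level)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for m in msgs:
            sock.sendto(m.encode("utf-8"), (host, port))
    return len(msgs)

if __name__ == "__main__":
    # 192.0.2.10 is a documentation address standing in for the other system.
    print(forward(SAMPLE_ALERTS, "192.0.2.10"))
```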

Felipe Andres Concha Sepúlveda

Oct 17, 2018, 11:41:02 AM
to elw...@wazuh.com, Wazuh mailing list
Hi Wali, thanks for your reply!!!
Let me explain in more detail: there is an instance already installed on that server; it is an instance of a SIEM called SAQQARA.
What I want is to install a Wazuh agent on that same machine. The problem I see is that we are going to have two ossec.conf files pointing to two different managers, the SAQQARA manager and the Wazuh manager that we want to install.

My question is whether we can do this, and if the answer is yes, please tell me how.
If this is not possible, we can look for another option.

Regards,
Felipe

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/19ebd1e1-bce8-4627-b7fc-755a564d8772%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

elw...@wazuh.com

Oct 17, 2018, 12:32:08 PM
to Wazuh mailing list
Hello Felipe,

The case that you are describing wouldn't be possible for the following reasons:
  1. An agent can report to only one manager.
  2. An OSSEC agent and a Wazuh agent cannot be installed on the same machine.
Hope this makes it clear,
Best regards,
Wali.k

Hope this helps,
Best regards,


Felipe Andres Concha Sepúlveda

Oct 22, 2018, 3:56:59 AM
to elw...@wazuh.com, Wazuh mailing list
Hi, Wali, sorry I did not say thank you :)

Thank you very much for your answer!!!




Regards,
Felipe


elw...@wazuh.com

Oct 22, 2018, 6:59:42 AM
to Wazuh mailing list
Hello Felipe,

You are welcome, and thank you for contributing to our mailing list.

We will always be happy to help.

Best regards,
Wali