Profiles and agents


Slobodan Aleksić

Jan 22, 2015, 5:09:42 AM
to ossec-list
Hello list,

I am having trouble setting up agent's ossec.conf by the install.sh
script correctly.
Setting "USER_AGENT_CONFIG_PROFILE" in "preloaded-vars.conf" to
something, doesn't create a <config-profile> setting in ossec.conf ..

Another thing: How to get a minimal ossec.conf on agents automatically.
So that only server and profile settings are kept in ossec.conf and all
the rest only in agent.conf ?

Thanks in advance


--
Slobodan

ZaNN

Jan 22, 2015, 9:03:20 AM
to ossec...@googlegroups.com, li...@aleksic.de
Hi,

I just have the following configuration running on agents (ossec.conf file):

<!-- OSSEC example config -->
<ossec_config>
  <client>
    <server-ip>192.168.0.56</server-ip>
    <config-profile>webservers</config-profile>
  </client>
  <active-response>
    <disabled>no</disabled>
  </active-response>
</ossec_config>

All other configuration (syscheck, files to monitor, etc.) is placed in the agent.conf on the server side and pushed to the agents automatically.

Hope it helps

dan (ddp)

Jan 22, 2015, 9:06:01 AM
to ossec...@googlegroups.com
On Thu, Jan 22, 2015 at 5:08 AM, Slobodan Aleksić <li...@aleksic.de> wrote:
> Hello list,
>
> I am having trouble setting up agent's ossec.conf by the install.sh
> script correctly.
> Setting "USER_AGENT_CONFIG_PROFILE" in "preloaded-vars.conf" to
> something, doesn't create a <config-profile> setting in ossec.conf ..
>

Take a look at the InstallAgent.sh script (I think that's what it was
called). I'm guessing support for that would be in there.

> Another thing: How to get a minimal ossec.conf on agents automatically.
> So that only server and profile settings are kept in ossec.conf and all
> the rest only in agent.conf ?
>

Modify the installation to only set those options.

> Thanks in advance
>
>
> --
> Slobodan
>

Kat

Jan 17, 2017, 3:06:26 PM
to ossec-list, li...@aleksic.de
The problem is simple - the install.sh is where this is taken care of, but no one ever bothered to add the code when they added the variable of USER_AGENT_CONFIG_PROFILE.

Take a look at install.sh and find the top bit of code here -- and you will see the part I added to fix the PROFILE:

    echo "<ossec_config>" > $NEWCONFIG
    echo "  <client>" >> $NEWCONFIG
    if [ "X${IP}" != "X" ]; then
        echo "    <server-ip>$IP</server-ip>" >> $NEWCONFIG
    elif [ "X${HNAME}" != "X" ]; then
        echo "    <server-hostname>$HNAME</server-hostname>" >> $NEWCONFIG
    fi
    # add this block to check for and add a preset profile name for the agent (from preloaded-vars.conf)
    if [ "X${USER_AGENT_CONFIG_PROFILE}" != "X" ]; then
         PROFILE=${USER_AGENT_CONFIG_PROFILE}
         echo "    <config-profilep>$PROFILE</config-profile>" >> $NEWCONFIG
    fi
    # end of added PROFILE block
    echo "  </client>" >> $NEWCONFIG
    echo "" >> $NEWCONFIG


Cheers
Kat

Kat

Jan 17, 2017, 3:14:24 PM
to ossec-list, li...@aleksic.de
minor typo on this line:
 echo "    <config-profilep>$PROFILE</config-profile>" >> $NEWCONFIG

that should read  

echo "    <config-profile>$PROFILE</config-profile>" >> $NEWCONFIG
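
An added example, not part of the original posts and not OSSEC's install.sh: one way to generate the minimal agent ossec.conf discussed in this thread (server and profile only), refusing values that would inject markup into the file. IP, HNAME and USER_AGENT_CONFIG_PROFILE are the variables named in the thread; the function name, its argument and the rejected-character rule are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not OSSEC's install.sh): write a minimal agent ossec.conf.
# IP, HNAME and USER_AGENT_CONFIG_PROFILE are the variables from the thread;
# write_minimal_agent_conf and its argument are hypothetical names.

write_minimal_agent_conf() {
    out=$1

    # An agent needs one way to reach the server.
    if [ "X${IP}" = "X" ] && [ "X${HNAME}" = "X" ]; then
        echo "error: neither IP nor HNAME is set" >&2
        return 1
    fi

    # The values are pasted into XML unescaped, so refuse markup characters
    # (assumed rule for this example).
    for value in "${IP}" "${HNAME}" "${USER_AGENT_CONFIG_PROFILE}"; do
        case $value in
            *"<"*|*">"*|*"&"*)
                echo "error: unsafe character in '$value'" >&2
                return 1 ;;
        esac
    done

    # Build in a temp file next to the target and rename it into place,
    # so a failed run never leaves a half-written configuration behind.
    tmp="${out}.tmp.$$"
    {
        echo "<ossec_config>"
        echo "  <client>"
        if [ "X${IP}" != "X" ]; then
            echo "    <server-ip>${IP}</server-ip>"
        else
            echo "    <server-hostname>${HNAME}</server-hostname>"
        fi
        # The X sits outside the expansion: "X${VAR}" equals "X" only when VAR is empty.
        if [ "X${USER_AGENT_CONFIG_PROFILE}" != "X" ]; then
            echo "    <config-profile>${USER_AGENT_CONFIG_PROFILE}</config-profile>"
        fi
        echo "  </client>"
        echo "</ossec_config>"
    } > "$tmp" || return 1
    mv "$tmp" "$out"
}
```

Everything else (syscheck, monitored files and so on) stays in agent.conf on the server, as described earlier in the thread.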




dan (ddp)

Jan 19, 2017, 1:15:14 PM
to ossec...@googlegroups.com
On Tue, Jan 17, 2017 at 3:06 PM, Kat <uncom...@gmail.com> wrote:
> The problem is simple - the install.sh is where this is taken care of, but
> no one ever bothered to add the code when they added the variable of
> USER_AGENT_CONFIG_PROFILE.
>

If you submit a pull request I'll bother with it right now.

Kat

Jan 20, 2017, 8:25:48 AM
to ossec-list
I already did. :-) 
#1027

dan (ddp)

Jan 20, 2017, 9:12:12 AM
to ossec...@googlegroups.com
On Fri, Jan 20, 2017 at 8:25 AM, Kat <uncom...@gmail.com> wrote:
> I already did. :-)
> #1027
>

Thanks, I missed it. It's been merged.