Change ossec.conf globally


Abdulvehhab Agin

Mar 7, 2016, 9:02:49 AM3/7/16
to ossec-list
Hi,


We have lots of OSSEC agents on Windows systems; these agents generate too many "Audit Logs" and we don't want to collect these logs.


When I change ossec.conf on the client manually:


## New Ossec.conf
------------------------

<localfile>
  <location>Security</location>
  <log_format>eventchannel</log_format>
  <query>Event/System[EventID!="4648" and EventID!="4656" and EventID!="4658"]</query>
</localfile>

------------------------


It works well, but we don't want to change this config manually on each computer. Is there a way to deploy this config via the OSSEC server, like shared/agent.conf?



Thanks for any help.





Jesus Linares

Mar 8, 2016, 5:29:54 AM3/8/16
to ossec-list
Hi,


It would be something like:

/var/ossec/etc/shared/agent.conf:

<agent_config os="Windows">
  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID!="4648" and EventID!="4656" and EventID!="4658"]</query>
  </localfile>
</agent_config>

Regards.
Jesus Linares.

abdul...@gmail.com

Mar 8, 2016, 5:53:18 AM3/8/16
to ossec...@googlegroups.com

If we don't delete these tags in the local ossec.conf, it sends these logs again.

It doesn't solve the problem; any suggestion?


On 8 Mar 2016, at 12:29, Jesus Linares <je...@wazuh.com> wrote:

You received this message because you are subscribed to a topic in the Google Groups "ossec-list" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/ossec-list/UFQ5gE9HZHw/unsubscribe.
To unsubscribe from this group and all its topics, send an email to ossec-list+...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

dan (ddp)

Mar 8, 2016, 7:13:53 AM3/8/16
to ossec...@googlegroups.com
On Tue, Mar 8, 2016 at 5:53 AM, <abdul...@gmail.com> wrote:
>
> If we don't delete these tags in the local ossec.conf, it sends these logs again.
>
> It doesn't solve the problem; any suggestion?
>

How do you currently do configuration management?

Abdulvehhab Agin

Mar 8, 2016, 9:38:02 AM3/8/16
to ossec...@googlegroups.com

We configure all agents manually, by hand, so it is too hard to change ossec.conf on each one.



Pedro S

Mar 8, 2016, 2:01:04 PM3/8/16
to ossec-list
I can't imagine a way to change ossec.conf on every agent if you are not using some deployment software (like Puppet).

One solution for further installations is to change the default ossec.conf file in order to include your EventID exception.

Regards,

Pedro S.



Ryan Schulze

Mar 8, 2016, 3:17:16 PM3/8/16
to ossec...@googlegroups.com
If he doesn't have any kind of configuration management/orchestration in place it might make more sense to use a minimal ossec.conf on the agents and deploy any changes via the shared/agent.conf on the master.

That way he won't run into problems again with settings on the agents he might have to manually remove.
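The duplicate-collection problem described earlier in the thread (the local ossec.conf still carries its own Security <localfile>, so the channel is read twice once the filtered block arrives from shared/agent.conf) comes down to removing that one block from every agent's ossec.conf. The script below is an added example for this thread, not code from any of the posters or from the OSSEC project; it takes the "minimal ossec.conf on the agents, everything else from agent.conf" approach suggested above and does the one-time cleanup. It assumes the stock Windows agent layout (ossec.conf made of one or more top-level <ossec_config> elements, which OSSEC accepts even though it is not well-formed XML) and Python 3.8 or later; the sample configuration embedded in it is constructed for the demonstration. How the script reaches each agent (PsExec, a GPO startup script, Puppet, or by hand) is whatever deployment channel you have.

```python
"""Strip the Security-channel <localfile> from a Windows agent's ossec.conf.

Added example for the ossec-list thread; not code from the posters or from
the OSSEC project. Assumes the stock OSSEC Windows agent layout (one or more
top-level <ossec_config> elements) and that the manager's shared/agent.conf
carries the filtered Security <localfile>. With the local block removed, only
the centrally pushed block reads the Security channel, so events are not
collected twice. Requires Python 3.8+ (TreeBuilder(insert_comments=True)).

Usage: python strip_security_localfile.py C:\\path\\to\\ossec.conf > ossec.conf.new
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample of an agent ossec.conf (not a file from the thread).
# Two top-level <ossec_config> blocks, as OSSEC permits and as the stock
# Windows agent config often has.
SAMPLE_OSSEC_CONF = """<!-- OSSEC agent configuration (constructed sample) -->
<ossec_config>
  <client>
    <server-ip>192.0.2.10</server-ip>
  </client>
  <localfile>
    <location>Application</location>
    <log_format>eventchannel</log_format>
  </localfile>
</ossec_config>

<!-- second top-level block -->
<ossec_config>
  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
  </localfile>
  <localfile>
    <location>System</location>
    <log_format>eventchannel</log_format>
  </localfile>
</ossec_config>
"""

# Several top-level <ossec_config> elements are not well-formed XML, so the
# file content is wrapped in a synthetic root element before parsing.
_WRAP = "ossec_conf_wrapper"


def _parse(conf_text):
    """Parse ossec.conf text, keeping comments, and return the synthetic root."""
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    return ET.fromstring("<%s>%s</%s>" % (_WRAP, conf_text, _WRAP), parser=parser)


def localfile_locations(conf_text):
    """Return the <location> of every <localfile> in the config, in file order."""
    return [(lf.findtext("location") or "").strip()
            for lf in _parse(conf_text).iter("localfile")]


def strip_localfile(conf_text, location="Security"):
    """Return conf_text with every <localfile> whose <location> is `location` removed.

    Comments, other <localfile> entries and the surrounding blocks are kept,
    so the result can be written back as the agent's ossec.conf.
    """
    root = _parse(conf_text)
    for ossec_config in root.findall("ossec_config"):
        for lf in list(ossec_config.findall("localfile")):
            if (lf.findtext("location") or "").strip() == location:
                ossec_config.remove(lf)
    # Serialise the children of the synthetic root back into the config text.
    return "".join(ET.tostring(child, encoding="unicode") for child in root)


def main(argv):
    if len(argv) != 2:
        sys.stderr.write(__doc__)
        return 2
    with open(argv[1], encoding="utf-8") as fh:
        sys.stdout.write(strip_localfile(fh.read()))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it once per agent against the existing ossec.conf, replace the file with the output, and restart the agent service; from then on the Security channel is governed only by the <query> in the manager's agent.conf, which is where future changes to the excluded EventIDs go.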

abdul...@gmail.com

Mar 8, 2016, 4:13:39 PM3/8/16
to ossec...@googlegroups.com
It sounds like a new OSSEC agent installation with a minimal ossec.conf is required.

Thanks for interest.



On 8 Mar 2016, at 22:17, Ryan Schulze <ry...@dopefish.de> wrote:
