How to collect only syscheck and rootcheck logs


vikas

Sep 12, 2017, 12:09:43 AM
to ossec-list
Hi All,

I am trying to collect only syscheck and rootcheck logs, and not the event logs in Windows or any other log files in Unix. I see some /var/log file locations declared in ossec.conf for Linux that I can comment out, but I don't see an option to turn off the log collection for Windows. The Application, Security and System logs are specified in default-ossec.conf on the agent. How can I stop collecting these logs without having to touch each agent?

Thanks,
Vikas.

dan (ddp)

Sep 14, 2017, 9:38:48 AM
to ossec...@googlegroups.com
If you want to turn off the collection of logs on each agent, you'll
have to touch each agent.
I think removing the localfile options should be enough, but I haven't tried it.

> Thanks,
> Vikas.
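Since the thread's answer is that each agent's ossec.conf has to be edited to drop its <localfile> blocks, an automated pass over the file is the practical way to "touch each agent" without hand-editing. The script below is an added example, not code from the thread or from the OSSEC project. It assumes an ossec.conf shaped like the Windows default-ossec.conf described above (the sample below is constructed for the example, including the server address and paths), lists what the agent currently collects, strips every <localfile> block while keeping the client, syscheck and rootcheck sections, and reports what is left so the result can be checked before the file is written back. ElementTree drops XML comments from the input, so review the output before replacing a commented config.

```python
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Constructed sample of a Windows agent ossec.conf (assumption: shaped like the
# default-ossec.conf the thread mentions; values are made up for this example).
SAMPLE_WINDOWS_CONF = """<ossec_config>
  <client>
    <server-ip>192.0.2.10</server-ip>
  </client>
  <syscheck>
    <frequency>79200</frequency>
    <directories check_all="yes">%WINDIR%/win.ini</directories>
  </syscheck>
  <rootcheck>
    <windows_apps>./shared/win_applications_rcl.txt</windows_apps>
  </rootcheck>
  <localfile>
    <location>Application</location>
    <log_format>eventlog</log_format>
  </localfile>
  <localfile>
    <location>Security</location>
    <log_format>eventlog</log_format>
  </localfile>
  <localfile>
    <location>System</location>
    <log_format>eventlog</log_format>
  </localfile>
</ossec_config>
"""


def _parse(conf_text: str) -> ET.Element:
    # ossec.conf may contain several top-level <ossec_config> blocks, which is
    # not well-formed XML on its own, so wrap the file in a throwaway root.
    return ET.fromstring("<root>" + conf_text + "</root>")


def list_localfiles(conf_text: str) -> List[Tuple[str, str]]:
    """Return (location, log_format) for every <localfile> block in the config."""
    found = []
    for lf in _parse(conf_text).iter("localfile"):
        loc = lf.findtext("location", default="").strip()
        fmt = lf.findtext("log_format", default="").strip()
        found.append((loc, fmt))
    return found


def strip_localfiles(conf_text: str) -> Tuple[str, int]:
    """Remove every <localfile> block; return (new config text, number removed)."""
    root = _parse(conf_text)
    removed = 0
    for block in root.findall("ossec_config"):
        for lf in block.findall("localfile"):
            block.remove(lf)
            removed += 1
    # Re-emit each <ossec_config> block without the wrapper root.
    text = "".join(ET.tostring(block, encoding="unicode") for block in root)
    return text, removed


def remaining_sections(conf_text: str) -> List[str]:
    """Top-level section names left in the config, for a post-edit sanity check."""
    root = _parse(conf_text)
    return [child.tag for block in root.findall("ossec_config") for child in block]


if __name__ == "__main__":
    for loc, fmt in list_localfiles(SAMPLE_WINDOWS_CONF):
        print(f"currently collecting {loc!r} as {fmt}")
    new_conf, n = strip_localfiles(SAMPLE_WINDOWS_CONF)
    print(f"removed {n} localfile block(s); sections left: {remaining_sections(new_conf)}")
    print(new_conf)
```

To apply it to a real agent, read the agent's ossec.conf into `strip_localfiles`, confirm `remaining_sections` still shows client, syscheck and rootcheck, write the result back and restart the agent; the same functions work unchanged on a Linux agent whose <localfile> blocks point at /var/log paths.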

Grant Leonard

Sep 15, 2017, 8:56:29 AM
to ossec-list
I turned them OFF this way.

I am assuming you can declare just these options with no logging location and you will have the reverse of my config.

  <agent_config name="example_server_name">
    <rootcheck>
      <disabled>yes</disabled>
      <check_winmalware>no</check_winmalware>
      <check_sys>no</check_sys>
    </rootcheck>
    <syscheck>
      <auto_ignore>yes</auto_ignore>
      <alert_new_files>no</alert_new_files>
      <scan_on_start>no</scan_on_start>
      <registry_ignore>HKEY_LOCAL_MACHINE</registry_ignore>
      <registry_ignore>HKEY_USERS</registry_ignore>
      <registry_ignore>HKEY_CURRENT_CONFIG</registry_ignore>
      <registry_ignore>HKEY_CURRENT_USER</registry_ignore>
      <registry_ignore>HKEY_CLASSES_ROOT</registry_ignore>
    </syscheck>
  </agent_config>


Grant