ossec and agent configuration


Hamet Amin

Aug 10, 2022, 2:54:24 AM
to Wazuh mailing list
Hello team. What is the difference between ossec.conf and agent.conf? I want to know if there are differences between them or if they are the same. Do both refer to the same configuration?

Juan Cabrera

Aug 10, 2022, 3:08:04 AM
to Wazuh mailing list

Hello,

On the one hand, the ossec.conf file is for the configuration of the manager or agent. So when we start it, it reads the configuration in this file to use the modules and functionalities you set. We can read more about the local configuration here:
https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/index.html

On the other hand, the agent.conf file is used to remotely configure the agents you have connected to the manager. This way, you can configure all the agents, one or a group of them remotely, setting a similar configuration to all the ones you want. You can read more about centralized configuration here:
https://documentation.wazuh.com/current/user-manual/reference/centralized-configuration.html

Regards,
Juan Cabrera

Chris B

Nov 14, 2022, 11:10:34 PM
to Wazuh mailing list
I've had a similar question. 

I get the difference between the ossec.conf and agent.conf on the manager. I think I understand that agent.conf 'overrides' the local /var/ossec/etc/ossec.conf file. When I look at the agent.conf file in the Manager under a group, it is essentially blank.

In order to use this, do I need to copy a 'copy' of the ossec.conf file from the agent and then modify what I want, or do I just put in the settings I want to override? It's not clear how this works or what is recommended and it seems to imply that if I just add the 'blocks' of changes I want it would just override certain configurations, but maybe that's not the case?

Lamya Imam

Dec 11, 2022, 6:55:46 AM
to Wazuh mailing list
Hi there, 

Once I go to Management -> Group -> agent.conf (to centrally configure my Wazuh agents from manager):

And put the <client> </client> configuration 

It shows the following error:

Error: 3013 - Wazuh syntax error: Invalid element in the configuration: 'client'. Syscheck remote configuration in '/var/ossec/tmp/api_tmp_file_05a4me_8.xml' is corrupted.

Can anyone please help me with the solution to this problem?

NOTE: We are trying to avoid the configuration of "Load balancing", "Failover" or direct configuration from the agent. Is there an alternative method for centrally forwarding logs to a backup node?


Thanks in advance
Lamya 
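
An added example, not part of any post in this thread and not Wazuh's own code: a pre-upload check for a group's agent.conf that lists each `<agent_config>` block with its scope and the sections it carries, and flags `<client>`, the element named in the error 3013 quoted above. The sample file, the function name and the address are constructed; the rejected list holds only what that error message names.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a group's agent.conf (not taken from the thread).
SAMPLE_AGENT_CONF = """
<agent_config os="Linux">
  <syscheck>
    <directories check_all="yes">/etc</directories>
  </syscheck>
</agent_config>
<agent_config name="web01">
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/nginx/error.log</location>
  </localfile>
  <client>
    <server><address>192.0.2.10</address></server>
  </client>
</agent_config>
"""

# Only the element named in the error 3013 message quoted in this thread.
REJECTED_SECTIONS = {"client"}
FILTER_ATTRS = ("name", "os", "profile")  # agent_config scoping attributes


def review_agent_conf(text):
    """Return (blocks, problems) for the text of an agent.conf file."""
    # agent.conf may hold several <agent_config> roots, which is not
    # well-formed XML on its own, so wrap it in a synthetic root first.
    root = ET.fromstring("<wrapper>" + text + "</wrapper>")
    blocks, problems = [], []
    for index, node in enumerate(root, start=1):
        if node.tag != "agent_config":
            problems.append(f"block {index}: unexpected top-level <{node.tag}>")
            continue
        scope = {a: node.get(a) for a in FILTER_ATTRS if node.get(a)}
        sections = [child.tag for child in node]
        blocks.append({"scope": scope or "all agents in group", "sections": sections})
        for tag in sections:
            if tag in REJECTED_SECTIONS:
                problems.append(f"block {index}: <{tag}> is not accepted in agent.conf")
    return blocks, problems


if __name__ == "__main__":
    blocks, problems = review_agent_conf(SAMPLE_AGENT_CONF)
    for b in blocks:
        print(b["scope"], "->", ", ".join(b["sections"]))
    for p in problems:
        print("PROBLEM:", p)
```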
