Wazuh configuration change


TUKARAM GAONKAR

Sep 2, 2021, 8:30:45 AM
to Wazuh mailing list
Hi Team ,

Is it possible to change the configuration of the Wazuh agent through the Wazuh manager? I have 100+ Windows servers. I have to remove the config EventID != 4663 in the "ossec.conf" file. Will this be possible via the Wazuh manager, or is there any script available which we can run to perform the changes through the Wazuh manager?

Warm Regards,
Tukaram

Alfonso Jose Correa Gonzalez

Sep 3, 2021, 5:36:03 PM
to Wazuh mailing list

Hi Tukaram, thanks for using Wazuh.


You can achieve that by using Centralized configuration (agent.conf) on the manager. 

The centralized configuration is not intended to work with the global section, which is part of the manager only.

See:

https://documentation.wazuh.com/current/user-manual/reference/centralized-configuration.html

And this guide:

https://documentation.wazuh.com/current/user-manual/reference/centralized-configuration.html#centralized-configuration-process


Please let me know if this was helpful.

Regards,


Alfonso.

TUKARAM GAONKAR

Sep 6, 2021, 4:32:59 AM
to Alfonso Jose Correa Gonzalez, Wazuh mailing list
Hi Alfonso,

Thanks for the response.

Can you please elaborate more? I do not understand what changes I have to make in the Wazuh manager. Also, in the note they have mentioned adding the line wazuh_command.remote_commands=1 in every agent.

I have more than 100 agents. I have to remove the negation for EventID != 4663.

Please help me.

Warm Regards,
Tukaram


Alfonso Jose Correa Gonzalez

Sep 7, 2021, 3:53:43 PM
to Wazuh mailing list
Hi Tukaram,

Adding wazuh_command.remote_commands=1 to each agent is only necessary if you want to monitor or run remote commands. For more information on this, read:

For your case I think it would be best (if you haven't already) to set up Agent Groups within your manager and then modify the agent.conf file for that group to push the config.
Check out this step by step guide:

The agent.conf file will override ossec.conf so you should have something like this in your agent.conf, without the EventID != 4663 negation:

<localfile>
  <location>Security</location>
  <log_format>eventchannel</log_format>
  <query>Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and
    EventID != 4656 and EventID != 4658 and EventID != 4660 and
    EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907 and
    EventID != 5152 and EventID != 5157]</query>
</localfile>

Let me know if this was helpful.
Regards,
Alfonso

TUKARAM GAONKAR

Sep 9, 2021, 2:26:02 AM
to Alfonso Jose Correa Gonzalez, Wazuh mailing list
Hi Alfonso,

I have created a group for Windows 10 and pushed the configuration in the agent.conf file. Please find the attached file.

But logs are still not coming in to the Wazuh manager.

[Attachment: Wazuh Manager Agent.conf file.JPG]

TUKARAM GAONKAR

Sep 20, 2021, 7:11:41 AM
to Alfonso Jose Correa Gonzalez, Wazuh mailing list
Any update?

Juan Carlos

Sep 28, 2021, 2:40:58 PM
to Wazuh mailing list
Hi Tukaram,
In order to monitor events with EventID the configuration of the group should be the one shared by Alfonso.
So your group's agent.conf should look like this:
[Attachment: Screenshot from 2021-09-28 20-08-16.png]
Note that you can edit this from the web interface by going into Management > Groups and then selecting the Edit action (pencil icon) for your group of agents.

It's also important to note that by default Wazuh will only log events that trigger a rule above the alert level threshold, and this is not the case for messages with EventID 4663, so if you wish for Wazuh to log these events you must add this to your custom rules:
<group name="windows, windows_security,">
  <rule id="100111" level="3">
     <if_sid>60103</if_sid>
     <field name="win.system.eventID">^4663$</field>
     <description>Object access information of folder with Windows Audit</description>
     <options>no_full_log</options>
  </rule>
</group>

You may create rules that are specific to individual folders or even time based rules where an alert is raised if a folder is accessed within a specific time window. This is explained on this blog post: https://wazuh.com/blog/how-to-monitor-folder-access-on-windows/

I've verified that following these instructions on a stock installation of Wazuh provided the intended result:
[Attachment: Screenshot from 2021-09-28 20-37-40.png]


Please let us know if you have any more questions,
Best Regards,
Juan Carlos Tello
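A worked example tying the two answers in this thread together (added here as an illustration; it is not code from the thread or from Wazuh itself). It takes a constructed copy of the Windows agent's default ossec.conf <localfile> block, emits the agent.conf version with the EventID != 4663 negation removed, and then runs a constructed decoded 4663 event through the custom rule from Juan Carlos's reply against an assumed default log_alert_level of 3. Only the rule's <field> regexes are evaluated; the if_sid chain to rule 60103 is not simulated.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of the Windows agent's default ossec.conf <localfile>
# block (the thread's starting point), including the EventID != 4663 negation.
OSSEC_LOCALFILE = """<localfile>
  <location>Security</location>
  <log_format>eventchannel</log_format>
  <query>Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and
    EventID != 4656 and EventID != 4658 and EventID != 4660 and EventID != 4663 and
    EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907 and
    EventID != 5152 and EventID != 5157]</query>
</localfile>"""

# The custom rule from the thread, as it would sit in the manager's local rules file.
CUSTOM_RULES = """<group name="windows, windows_security,">
  <rule id="100111" level="3">
     <if_sid>60103</if_sid>
     <field name="win.system.eventID">^4663$</field>
     <description>Object access information of folder with Windows Audit</description>
     <options>no_full_log</options>
  </rule>
</group>"""

# Assumed: Wazuh's default <log_alert_level> on the manager.
LOG_ALERT_LEVEL = 3

NEGATION = re.compile(r"EventID\s*!=\s*(\d+)")


def excluded_event_ids(query):
    """EventIDs filtered out by an eventchannel query of the form
    Event/System[EventID != A and EventID != B ...]."""
    return NEGATION.findall(query)


def agent_conf_localfile(ossec_localfile_xml, event_id):
    """Return a <localfile> block for agent.conf whose query no longer
    excludes event_id. agent.conf overrides ossec.conf on the agent."""
    root = ET.fromstring(ossec_localfile_xml)
    query = root.find("query")
    keep = [i for i in excluded_event_ids(query.text) if i != event_id]
    query.text = "Event/System[" + " and ".join(f"EventID != {i}" for i in keep) + "]"
    return ET.tostring(root, encoding="unicode")


def is_collected(localfile_xml, event_id):
    """True if the agent's eventchannel query lets event_id through."""
    query = ET.fromstring(localfile_xml).findtext("query")
    return event_id not in excluded_event_ids(query)


def _lookup(event, dotted):
    """Resolve a dotted field name such as win.system.eventID in a decoded event."""
    for part in dotted.split("."):
        if not isinstance(event, dict):
            return None
        event = event.get(part)
    return event if isinstance(event, str) else None


def matching_rule(rules_xml, event):
    """First (rule_id, level) whose <field> regexes all match the decoded event.
    if_sid parent chaining is not simulated here."""
    for rule in ET.fromstring(rules_xml).iter("rule"):
        fields = rule.findall("field")
        if fields and all(re.search(f.text, _lookup(event, f.get("name")) or "") for f in fields):
            return rule.get("id"), int(rule.get("level"))
    return None


def will_be_logged(localfile_xml, rules_xml, event):
    """End to end: collected by the agent AND matched by a rule whose level
    reaches the manager's log_alert_level."""
    eid = event["win"]["system"]["eventID"]
    if not is_collected(localfile_xml, eid):
        return False
    hit = matching_rule(rules_xml, event)
    return hit is not None and hit[1] >= LOG_ALERT_LEVEL


# Constructed decoded event, shaped like the eventchannel decoder's output.
SAMPLE_4663 = {"win": {"system": {"eventID": "4663", "channel": "Security"}}}

if __name__ == "__main__":
    fixed = agent_conf_localfile(OSSEC_LOCALFILE, "4663")
    print(fixed)
    print("stock ossec.conf logs 4663:", will_be_logged(OSSEC_LOCALFILE, CUSTOM_RULES, SAMPLE_4663))
    print("agent.conf + custom rule logs 4663:", will_be_logged(fixed, CUSTOM_RULES, SAMPLE_4663))
```

Running it prints the rewritten <localfile> block (the one to paste into the group's agent.conf) and shows that the same 4663 event is dropped under the stock configuration but logged once the negation is gone and the level-3 rule is in place.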