Centralized Management of Agents


John Carry
May 15, 2023, 6:47:58 AM
to Wazuh mailing list
Dear Wazuh Team,
We are configuring our wazuh-server to centrally manage all the agents in our environment. First of all, please confirm whether we are referring to the correct guide, as below.


If yes, then please let me know whether the configuration mentioned below needs to be enabled on the Wazuh server end or on the individual agent (where the Wazuh agent is installed):

As you can see from the screenshot below, it says you first need to enable remote commands by adding the command below to /var/ossec/etc/local_internal_options.conf on the agent. Here I am confused by the red-highlighted one: is that the Wazuh server end or the agent (endpoint) end?


[Screenshot: 3.PNG]

Henadence Anyam
May 15, 2023, 7:00:27 AM
to Wazuh mailing list
Hello John,

You are referring to the right documentation.

The note shown in the screenshot is only applicable when you are configuring remote command execution in which case you have to explicitly configure each Wazuh agent to accept remote commands from the Wazuh server.

Which configuration are you trying to configure centrally?

Waiting for your feedback regarding this.

John Carry
May 15, 2023, 8:14:16 AM
to Wazuh mailing list
OK, let me elaborate on my case and the requirements:

Below is a screenshot of the ossec.conf file, and I want to add <directories realtime="yes">/var/ossec/etc/ossec.conf</directories> under the syscheck section.
[Screenshot: 4.png]

I have followed the centralized management of agents documentation and took the following steps, but unfortunately the desired changes were not pushed from the wazuh-server to the above agent:

1) Created a new group and assigned the above agent machine to it.
2) Configured the agent.conf file at the wazuh-manager end that will be synced to the agent end.
[Screenshot: 5.PNG]
3) Verified the agent.conf configuration and restarted the agent.
[Screenshot: 6.PNG]

Please help me out by fulfilling the below use case:

We need to centrally push the above syscheck configuration to the existing file, i.e. ossec.conf on the agent end. Please let us know the required steps.

Henadence Anyam
May 15, 2023, 8:45:54 AM
to Wazuh mailing list
The configuration you have specified is correct with the presumption that the Wazuh agent's name is Linux_Testing_Machine.
When the configuration is synchronized you won't see the changes on the Wazuh agents /var/ossec/etc/ossec.conf file. Rather, the configuration will be pushed to the agent's /var/ossec/etc/shared/agent.conf file.

Check the /var/ossec/etc/shared/agent.conf file on the agent endpoint and you should see the configuration.

With that configuration, if you make changes to the agent's /var/ossec/etc/ossec.conf file, you will receive an alert.

Check the agent groups documentation for a detailed explanation.

Hope you find this information helpful.

John Carry
May 16, 2023, 5:51:45 AM
to Wazuh mailing list
Hello Anyam,
Thanks for your response. Further, I would like you to elaborate on the below concerns in order, as the official documentation has not discussed those configs in depth:

1) Can a single agent, let's say agent name ABC, be part of two separate groups, i.e. G1 and G2?
2) Can a single group have two agents where each agent is a different OS, i.e. agent ABC is Windows and agent XYZ is Linux?
   --> If that is the case, then what would be the impact of the agent.conf file configuration on each agent? Because in this case agent.conf will have configuration for both Linux and Windows. Is it possible to break the configuration of the agent.conf file into two sections, one for Windows agents and the other for Linux agents, so that the Windows agent only updates its agent.conf file with the Windows-relevant part and the Linux agent's agent.conf file with its Linux part?

Sample agent.conf file at wazuh-server end:

<agent_config>
   <syscheck>

   <directories realtime="yes" >/var/ossec/etc/ossec.conf</directories>
   </syscheck>
</agent_config>

<agent_config>
   <syscheck>
   <directories realtime="yes" >C:\Program Files (x86)\ossec-agent\ossec.conf</directories>
   </syscheck>
</agent_config>


Here what I want is that the yellow one should update at the Linux end only and the red one at the Windows end. One thing to keep in mind is that we have the above config in a single agent.conf file with multiple Windows and Linux agents.
Note: I have already tested the above case, but observed that the entire file is updated on both the Windows and Linux ends...
3) Please confirm whether realtime syscheck is supported for both Windows and Linux.

Henadence Anyam
May 16, 2023, 6:22:26 AM
to Wazuh mailing list
Hello John,

Regarding your concerns:

1.) Yes, an agent can belong to one or more groups. So, agent ABC can be part of Groups G1 and G2. Follow the grouping agents guide for your reference.

2.) Yes, a single group can have two agents of different OS.
We can separate the configurations for Windows and Linux endpoints using the os option of the centralized configuration. Check out the centralized configuration options for your reference.

I have updated your example configs with the option accordingly. With the config below, the Windows and Linux endpoints will only receive the configs dedicated to them.

<agent_config os="Linux">

   <syscheck>
      <directories realtime="yes">/var/ossec/etc/ossec.conf</directories>
   </syscheck>
</agent_config>

<agent_config os="Windows">

   <syscheck>
      <directories realtime="yes">C:\Program Files (x86)\ossec-agent\ossec.conf</directories>
   </syscheck>
</agent_config>

3.) Yes, the realtime attribute is supported on both platforms including macOS. Follow the realtime monitoring guide for your reference.

Let me know if that addresses your concerns.
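The following is an added example, written for this page; it is not code from the thread or from the Wazuh project. It models the selection described in the reply above (the os/name/profile attributes of <agent_config>) and also covers the note from the first reply: any block that runs commands on the agent only takes effect if that agent has wazuh_command.remote_commands=1 (command wodle) or logcollector.remote_commands=1 (localfile command) in its own local_internal_options.conf, which the manager cannot push. The sample agent.conf, the agent names and OS values, and the command wodle block are constructed; the exact matching semantics (substring for os, exact for name, any-of-list for profile) are a modelling assumption, not a statement of how the agent source implements them.

```python
"""Added example, not code from this thread or from the Wazuh project.

Models how a Wazuh agent picks the <agent_config> blocks that apply to it from
a group's agent.conf, then reports which paths end up monitored in realtime and
whether any selected block would need remote commands enabled on the agent.

Assumptions (not stated in the thread): the os/name/profile selectors are
modelled as a case-insensitive substring match (os), an exact match (name) and
a comma-separated list with any-match (profile); the sample agent.conf and the
agent names/OS values below are constructed.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample agent.conf, modelled on the thread's example. The third
# block is hypothetical: a command wodle scoped to one agent by name.
SAMPLE_AGENT_CONF = r"""
<agent_config os="Linux">
  <syscheck>
    <directories realtime="yes">/var/ossec/etc/ossec.conf</directories>
  </syscheck>
</agent_config>

<agent_config os="Windows">
  <syscheck>
    <directories realtime="yes">C:\Program Files (x86)\ossec-agent\ossec.conf</directories>
  </syscheck>
</agent_config>

<agent_config name="Linux_Testing_Machine">
  <wodle name="command">
    <disabled>no</disabled>
    <tag>uptime-check</tag>
    <command>uptime</command>
    <interval>1h</interval>
  </wodle>
</agent_config>
"""


@dataclass
class Agent:
    name: str
    os: str                 # OS name as the manager records it, e.g. "Linux"
    profiles: tuple = ()    # values of <config-profile> in the agent's ossec.conf


def parse_agent_conf(text: str) -> list:
    """agent.conf holds several top-level <agent_config> elements, which is not
    well-formed XML on its own, so wrap it in a synthetic root before parsing."""
    root = ET.fromstring("<root>" + text + "</root>")
    return root.findall("agent_config")


def block_applies(block: ET.Element, agent: Agent) -> bool:
    """A block with no selector attributes applies to every agent; each selector
    present must match (see the modelling assumptions at the top)."""
    os_sel = block.get("os")
    if os_sel and os_sel.lower() not in agent.os.lower():
        return False
    name_sel = block.get("name")
    if name_sel and name_sel != agent.name:
        return False
    prof_sel = block.get("profile")
    if prof_sel and not any(p.strip() in agent.profiles for p in prof_sel.split(",")):
        return False
    return True


def needs_remote_commands(block: ET.Element) -> bool:
    """True if the block runs commands on the agent. Such blocks are only honoured
    when the agent itself has wazuh_command.remote_commands=1 (command wodle) or
    logcollector.remote_commands=1 (localfile command) in its
    local_internal_options.conf; the manager cannot push that setting."""
    return bool(block.findall("wodle[@name='command']")
                or block.findall("localfile/command")
                or block.findall("localfile/full_command"))


def effective_config(text: str, agent: Agent) -> dict:
    """What this agent would take from agent.conf: realtime-monitored paths and
    whether any selected block depends on remote commands being enabled locally."""
    realtime, remote = [], False
    for block in parse_agent_conf(text):
        if not block_applies(block, agent):
            continue
        for d in block.iter("directories"):
            if d.get("realtime", "no").lower() == "yes":
                realtime.append(d.text.strip())
        remote = remote or needs_remote_commands(block)
    return {"realtime": realtime, "needs_remote_commands": remote}


if __name__ == "__main__":
    for a in (Agent("Linux_Testing_Machine", "Linux"), Agent("WIN-01", "Windows")):
        print(a.name, effective_config(SAMPLE_AGENT_CONF, a))
```

Run as a script it prints, per constructed agent, the realtime paths it would monitor and whether it needs remote commands enabled locally; the Linux agent named in the third block is the only one flagged, which is the check to make before wondering why a pushed command wodle never runs.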

John Carry
May 16, 2023, 8:07:35 AM
to Wazuh mailing list
Thanks for your response. Does this mean that realtime monitoring in FIM will only work for a directory but not for a file?
For a file, do we need to configure FIM on a scheduled basis?

Henadence Anyam
May 16, 2023, 8:33:00 AM
to Wazuh mailing list
It works for both files and directories.

The File Integrity Monitoring module monitors files and directories and triggers an alert when a user or process creates, modifies, or deletes monitored files.
The module performs real-time and scheduled scans depending on the FIM configuration you enable.

So, the configuration you have is okay.

Kindly go through the File Integrity Monitoring documentation to better understand the capability.

Hope this helps.