Editing Wazuh Agent Configuration in Built In Image

fadi abusafat

unread,

Oct 24, 2019, 1:07:20 PM10/24/19

to Wazuh mailing list

Hi,

I am using Built In image for Wazuh to do some analysis for some attacks. I already designed an Agent to send Pacp file to server that is already designed by Built In image. I just tried to add Wazuh Manager IP address into ossec.conf file but I did not find client option. Also, There is no Manager_IP to replace while there is node _IP. So, I not sure toward agent ip , it should replace by Node IP or there is something else.

Please anyone could help me.

Thank you so much

I already copied whole file and post it here.

<ossec_config>

<jsonout_output>yes</jsonout_output>

<alerts_log>yes</alerts_log>

<logall_json>no</logall_json>

<email_notification>no</email_notification>

<smtp_server>smtp.example.wazuh.com</smtp_server>

<email_from>oss...@example.wazuh.com</email_from>

<email_to>reci...@example.wazuh.com</email_to>

<email_maxperhour>12</email_maxperhour>

<email_log_source>alerts.log</email_log_source>

</global>

<log_alert_level>3</log_alert_level>

<email_alert_level>12</email_alert_level>

</alerts>

<log_format>plain</log_format>

</logging>

<connection>secure</connection>

<queue_size>131072</queue_size>

</remote>

<sca>

<scan_on_start>yes</scan_on_start>

<skip_nfs>yes</skip_nfs>

<policy>cis_rhel7_linux_rcl.yml</policy>

<policy>system_audit_rcl.yml</policy>

<policy>system_audit_ssh.yml</policy>

<policy>system_audit_pw.yml</policy>

</policies>

</sca>

<ignore_time>6h</ignore_time>

<run_on_start>yes</run_on_start>

<update_interval>1h</update_interval>

</feed>

<update_from_year>2010</update_from_year>

<update_interval>1h</update_interval>

</feed>

<update_interval>1h</update_interval>

</feed>

</wodle>

<white_list>127.0.0.1</white_list>

<white_list>^localhost.localdomain$</white_list>

<white_list>10.0.2.2</white_list>

</global>

<name>disable-account</name>

<executable>disable-account.sh</executable>

<timeout_allowed>yes</timeout_allowed>

</command>

<name>restart-ossec</name>

<executable>restart-ossec.sh</executable>

</command>

<name>firewall-drop</name>

<executable>firewall-drop.sh</executable>

<expect>srcip</expect>

<timeout_allowed>yes</timeout_allowed>

</command>

<expect>srcip</expect>

<timeout_allowed>yes</timeout_allowed>

</command>

<name>route-null</name>

<executable>route-null.sh</executable>

<expect>srcip</expect>

<timeout_allowed>yes</timeout_allowed>

</command>

<name>win_route-null</name>

<executable>route-null.cmd</executable>

<expect>srcip</expect>

<timeout_allowed>yes</timeout_allowed>

</command>

<name>win_route-null-2012</name>

<executable>route-null-2012.cmd</executable>

<expect>srcip</expect>

<timeout_allowed>yes</timeout_allowed>

</command>

<name>netsh</name>

<executable>netsh.cmd</executable>

<expect>srcip</expect>

<timeout_allowed>yes</timeout_allowed>

</command>

<name>netsh-win-2016</name>

<executable>netsh-win-2016.cmd</executable>

<expect>srcip</expect>

<timeout_allowed>yes</timeout_allowed>

</command>

<decoder_dir>ruleset/decoders</decoder_dir>

<rule_dir>ruleset/rules</rule_dir>

<rule_exclude>0215-policy_rules.xml</rule_exclude>

<list>etc/lists/audit-keys</list>

<list>etc/lists/amazon/aws-eventnames</list>

<list>etc/lists/security-eventchannel</list>

<decoder_dir>etc/decoders</decoder_dir>

<rule_dir>etc/rules</rule_dir>

</ruleset>

<name>wazuh</name>

<node_name>node01</node_name>

<node_type>master</node_type>

<bind_addr>0.0.0.0</bind_addr>

<nodes>

</nodes>

</cluster>

</ossec_config>

<ossec_config>

<auth>

<use_source_ip>no</use_source_ip>

<force_insert>yes</force_insert>

<force_time>0</force_time>

<use_password>no</use_password>

<limit_maxagents>yes</limit_maxagents>

<ciphers>HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH</ciphers>

<ssl_verify_host>no</ssl_verify_host>

<ssl_manager_cert>/var/ossec/etc/sslmanager.cert</ssl_manager_cert>

<ssl_manager_key>/var/ossec/etc/sslmanager.key</ssl_manager_key>

<ssl_auto_negotiate>no</ssl_auto_negotiate>

</auth>

</ossec_config>

fadi abusafat

unread,

Oct 24, 2019, 1:12:42 PM10/24/19

to Wazuh mailing list

Sorry I apologise.

I was working on Server while I did not recognise it should be on agent.

I already found it on agent file.

I apologise.

On Thursday, October 24, 2019 at 6:07:20 PM UTC+1, fadi abusafat wrote:

Hi,

I am using Built In image for Wazuh to do some analysis for some attacks. I already designed an Agent to send Pacp file to server that is already designed by Built In image. I just tried to add Wazuh Manager IP address into ossec.conf file but I did not find client option. Also, There is no Manager_IP to replace while there is node _IP. So, I not sure toward agent ip , it should replace by Node IP or there is something else.

Please anyone could help me.

Thank you so much

I already copied whole file and post it here.

<ossec_config>
<global>
<jsonout_output>yes</jsonout_output>
<alerts_log>yes</alerts_log>
<logall>no</logall>
<logall_json>no</logall_json>
<email_notification>no</email_notification>
<smtp_server>smtp.example.wazuh.com</smtp_server>

<email_from>ossecm@example.wazuh.com</email_from>
<email_to>recipient@example.wazuh.com</email_to>

Daria Kempny

unread,

Oct 24, 2019, 1:27:35 PM10/24/19

to Wazuh mailing list

Hello Fadi,

it is great to hear that everything is working well.

Please let us know if you have any more questions and we will be glad to help you find a solution.