Agent configuration inquiry


Yossif Helmy

Mar 11, 2026, 4:00:49 AM
to Wazuh | Mailing List
Hello,

I wanted to collect only the SCA logs from all the agents. Is there a way to do that other than going to each endpoint and overwriting the ossec.conf file? I tried changing the settings through agent.conf, but nothing has changed.

Marcos Sanchez Delgado

Mar 11, 2026, 4:48:36 AM
to Wazuh | Mailing List

Hello.

To apply a single configuration to all agents in your environment, you can use centralized configuration, which allows you to control and modify the configuration of all your agents at once in an organized manner. This configuration is applied by groups, so you can organize your agents into different groups to apply a different configuration to each one.


By default, all agents belong to the default group, so if you want to apply the same configuration to all agents, you can use the centralized configuration of the default group. To do this, you must edit the file /var/ossec/etc/shared/default/agent.conf and write the SCA configuration you want to use for all agents in it. If you also want to disable the other modules to only receive SCA logs, you can also do so from that file, because the content of that file overwrites the content of the ossec.conf file, so from there, you can overwrite and disable the other modules (you can read the precedence between files in this link).


You can also check that the centralized configuration is correctly applied by executing /var/ossec/bin/agent_groups -S -i <AGENT_ID> or by checking the /var/ossec/etc/shared/agent.conf file in the agent.


I recommend reading this blog, which explains how to group agents and how to apply centralized configuration correctly: https://wazuh.com/blog/agent-groups-and-centralized-configuration/
You can also read this documentation on grouping agents and applying centralized configuration.
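
A centralized agent.conf along the lines described in the reply above, as an added example that is not part of the original thread or of Wazuh's own documentation: it keeps SCA enabled and disables three other modules for every agent in the default group. The scan interval and the choice of modules to disable are assumptions.

```xml
<!-- Added example (constructed): /var/ossec/etc/shared/default/agent.conf on the manager.
     Settings here take precedence over the same settings in each agent's ossec.conf. -->
<agent_config>

  <!-- Keep Security Configuration Assessment running. -->
  <sca>
    <enabled>yes</enabled>
    <scan_on_start>yes</scan_on_start>
    <interval>12h</interval>   <!-- assumed value -->
    <skip_nfs>yes</skip_nfs>
  </sca>

  <!-- Disable file integrity monitoring. -->
  <syscheck>
    <disabled>yes</disabled>
  </syscheck>

  <!-- Disable rootcheck. -->
  <rootcheck>
    <disabled>yes</disabled>
  </rootcheck>

  <!-- Disable system inventory collection. -->
  <wodle name="syscollector">
    <disabled>yes</disabled>
  </wodle>

</agent_config>
```

Running /var/ossec/bin/verify-agent-conf on the manager checks the syntax of the group files before agents pull the change.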
