Wazuh Agents Centralized Management


John Carry

May 17, 2023, 8:47:22 AM
to Wazuh mailing list
Dear Wazuh Team,
I have a query regarding remote management of agents. We want to overwrite the frequency value with a custom value, and to do that we need to overwrite it with the help of agent.conf, but the provided documentation for agent.conf says that ossec.conf will be read first and then agent.conf.
1.PNG

Please let me know how to configure the agent.conf file so that it can overwrite the frequency parameter in ossec.conf for syscheck feature.

ossec.conf (here I want to overwrite 42300):
2.PNG

agent.conf (where I want to pass the custom value for syscheck frequency):
3.PNG

Héctor Gómez

May 17, 2023, 10:39:46 AM
to Wazuh mailing list
Regards, @john.carry0213
Yes, the ossec.conf file takes precedence over agent.conf; however, these settings are merged. If you have enabled centralized settings, the last setting, which is the agent.conf setting, overrides any matching settings in ossec.conf, and those that don't match will be added, e.g. additional routes, policies, or parameters.

Anytime you make a change to the agent.conf file, it's important to check for configuration errors. If this check reports any errors, they should be corrected before the next step. If this step is not performed, errors may be sent to the agents, which may prevent them from running. At that point, you will most likely be forced to visit each agent manually to retrieve them.

Harold Andre Rodriguez Cortes

May 17, 2023, 1:57:38 PM
to Wazuh mailing list
Hello @john.carry021,

Let me explain. When it comes to the configuration of agent.conf and ossec.conf: agent.conf is the configuration of the agent, and ossec.conf that of the Wazuh manager, when it comes to syscheck.

The best way to approach the configuration of the agents to overwrite values without suffering any changes is to make the changes using the centralized configuration.

For this, go to the group section in the picture below:

Centralize Config.png

Then you can create the group that will affect the agents where you want to apply the configuration. 

Screenshot_1.png

Now you can add the SYSCHECK configuration on the group you have created:

Screenshot_2.png

Here you can find the type of configuration for the different OSes in your system.

Now, this configuration will replace the agent.conf of all the agents that you will add to this specific group. As you can see, my frequency is set to 60 in the agent.conf, and the ossec.conf still has frequency 42300. You can change the frequency of the manager with no problem and agents won't be affected.

The best practice is to always make changes to agent.conf using centralized configuration, because if there is an update to the agents or the manager, any configuration made directly on the agent might be lost.

The Wazuh agent and manager have the FIM module enabled and pre-configured by default. However, we recommend that you review the configuration of your endpoints to ensure that you tailor the FIM settings, such as monitored paths, to your environment.

Regards.
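The override discussed in this thread, as an added example that is not part of the original posts and is not Wazuh's own parser: a simplified Python model that rejects a malformed shared agent.conf and reports which syscheck frequency an agent would end up with. The sample files, the `os="Windows"` block, the function names and the last-match-wins rule are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed samples: an agent's local ossec.conf and a group's shared agent.conf.
OSSEC_CONF = """<ossec_config>
  <syscheck>
    <frequency>42300</frequency>
    <directories>/etc,/usr/bin</directories>
  </syscheck>
</ossec_config>"""

AGENT_CONF = """<agent_config>
  <syscheck>
    <frequency>60</frequency>
  </syscheck>
</agent_config>
<agent_config os="Windows">
  <syscheck>
    <frequency>300</frequency>
  </syscheck>
</agent_config>"""


def parse_blocks(text):
    """Both files may hold several top-level blocks, so wrap them in one root.
    Malformed XML raises ET.ParseError here, before anything reaches an agent."""
    return list(ET.fromstring("<root>" + text + "</root>"))


def syscheck_frequency(blocks, agent_os=None):
    """Return the last <frequency> found in blocks that apply to agent_os."""
    found = None
    for block in blocks:
        os_filter = block.get("os")  # absent on unfiltered blocks
        if os_filter and (agent_os is None or agent_os.lower() not in os_filter.lower()):
            continue  # block is restricted to another operating system
        for node in block.findall("./syscheck/frequency"):
            value = (node.text or "").strip()
            if not value.isdigit():
                raise ValueError(f"syscheck frequency is not whole seconds: {value!r}")
            found = int(value)
    return found


def effective_frequency(ossec_conf, agent_conf, agent_os=None):
    """Assumed model: a matching agent.conf value replaces the local ossec.conf one."""
    local = syscheck_frequency(parse_blocks(ossec_conf))
    shared = syscheck_frequency(parse_blocks(agent_conf), agent_os)
    return shared if shared is not None else local
```

On a real manager, `/var/ossec/bin/verify-agent-conf` is the tool that validates the shared agent.conf files themselves.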
