Disable ALL


Brenno Garcia

8:48 AM
to Wazuh | Mailing List
Hello

Can I disable all Wazuh functions?
For example, I want to configure an agent.conf for multiple endpoints and monitor only the file \c:\users\userX\file.log.
Is this possible?

Olamilekan Abdullateef Ajani

9:36 AM
to Wazuh | Mailing List
Hello Brenno,

If I may ask, why do you intend to disable all the security features? This defeats the purpose of having the Wazuh agent in the first place, as there are many mechanisms to ship logs if that is what you are really interested in. If this is because of an underlying issue, you may share it, and we will look at it.

That being said, if you really want to just capture the log in C:\users\userX\file.log, you can simply use the localfile configuration below in the agent ossec.conf file on the Windows system.

<localfile>
  <location>C:\users\userX\file.log</location>
  <log_format>syslog</log_format>
</localfile>

To disable other features like SCA, syscheck, syscollector, etc.: at the beginning of each of their sections you will find the tag <enabled>no</enabled> or <disabled>yes</disabled>.
Turning them off simply disables that module. With this, you can limit the agent to log monitoring only.
Don't forget to also take out the default localfile configuration that came with the agent, for example the event channel entries.

Please let me know if you have more questions around this.

Regards,

Brenno Garcia

12:06 PM
to Wazuh | Mailing List
Hello,

But let's assume I've implemented it and am managing the agents through the shared agent.conf file.

Look at my agent.conf:

<agent_config>
  <sca>
    <enabled>no</enabled>
  </sca>

  <!-- File integrity monitoring -->
  <syscheck>
    <disabled>yes</disabled>
  </syscheck>

  <!-- System inventory -->
  <wodle name="syscollector">
  </wodle>

  <!-- Active response -->
  <active-response>
    <disabled>yes</disabled>
  </active-response>

  <vulnerability-detection>
    <enabled>no</enabled>
  </vulnerability-detection>

  <!-- Log analysis -->
  <!-- Browser History -->
  <localfile>
    <location>C:\custom.log</location>
    <log_format>syslog</log_format>
    <out_format>monitor: $(log)</out_format>
  </localfile>

  <ruleset>
    <decoder_exclude>/var/ossec/ruleset/decoders/</decoder_exclude>
    <rule_exclude>/var/ossec/ruleset/rules/</rule_exclude>
  </ruleset>

  <vulnerability-detection>
    <enabled>no</enabled>
  </vulnerability-detection>
</agent_config>

It still shows login alerts, for example, from endpoints that don't pertain to the file I placed in localfile.

Olamilekan Abdullateef Ajani

12:28 PM
to Wazuh | Mailing List
Hello Brenno,

First you need to identify where the login alerts are coming from so you can make provisions for them in the agent.conf configuration. I suppose you still have the complete configuration file active on the agent, which explains the behavior you just experienced.
I would like to clarify how Wazuh handles ossec.conf and agent.conf precedence. When both configurations are utilized, the local and shared configurations are merged; the ossec.conf file local to the agent is read first, but the last configuration read will overwrite the previous one.
So if a configuration item matches, the agent.conf value will be used; if they don't match, both configurations will be merged.

In essence, what I am saying is that if there is a localfile configuration on the agent that monitors a path, and that path has not been referenced in the agent.conf file, it will still be monitored.

You can find more information about this below, so it can guide you in tuning the configuration.
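The two-sided configuration the reply above describes, written out as an added example (not the poster's own configuration and not taken from the Wazuh project): the agent's local ossec.conf with the default Windows event channel entries removed, plus a manager-side agent.conf that switches the other modules off and adds the single custom file. The module names and tags are the standard Wazuh ones; the event channel entries shown as "removed" are constructed to resemble the stock Windows agent defaults and are abbreviated. Two caveats worth knowing: agent.conf can add localfile entries but cannot remove ones present in the local ossec.conf (which is why a login alert from the Security channel keeps arriving until that entry is deleted on the endpoint), and sections such as ruleset and vulnerability-detection are read by the manager, not by the agent, so placing them in agent.conf has no effect on the endpoint.

```xml
<!-- ===== 1. On the Windows endpoint: C:\Program Files (x86)\ossec-agent\ossec.conf =====
     These localfile blocks ship with the agent (abbreviated, constructed sample).
     agent.conf cannot unset them, so they must be deleted here. -->
<ossec_config>
  <!-- REMOVE: this entry is what keeps producing login alerts (Windows Security log) -->
  <!--
  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
  </localfile>
  -->
  <!-- REMOVE as well if you do not want them -->
  <!--
  <localfile>
    <location>Application</location>
    <log_format>eventchannel</log_format>
  </localfile>
  <localfile>
    <location>System</location>
    <log_format>eventchannel</log_format>
  </localfile>
  -->
  <!-- Only the connection settings need to stay local. -->
  <client>
    <server>
      <address>MANAGER_IP</address> <!-- placeholder, assumption -->
      <port>1514</port>
      <protocol>tcp</protocol>
    </server>
  </client>
</ossec_config>

<!-- ===== 2. On the manager: /var/ossec/etc/shared/default/agent.conf =====
     os="Windows" limits this block to Windows agents in the group. -->
<agent_config os="Windows">
  <!-- Security Configuration Assessment -->
  <sca>
    <enabled>no</enabled>
  </sca>

  <!-- File integrity monitoring -->
  <syscheck>
    <disabled>yes</disabled>
  </syscheck>

  <!-- Rootkit / malware checks -->
  <rootcheck>
    <disabled>yes</disabled>
  </rootcheck>

  <!-- System inventory: the wodle needs an explicit <disabled>, an empty block leaves it on -->
  <wodle name="syscollector">
    <disabled>yes</disabled>
  </wodle>

  <wodle name="cis-cat">
    <disabled>yes</disabled>
  </wodle>

  <wodle name="osquery">
    <disabled>yes</disabled>
  </wodle>

  <!-- Active response -->
  <active-response>
    <disabled>yes</disabled>
  </active-response>

  <!-- The one file we actually want; this is merged with whatever
       localfile entries survive in the local ossec.conf. -->
  <localfile>
    <location>C:\users\userX\file.log</location>
    <log_format>syslog</log_format>
  </localfile>
</agent_config>
```

After editing the shared file, the manager pushes it to the group on the next agent check-in; restarting the Wazuh service on the endpoint applies both the local edit and the new shared configuration.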
