Info ossec.conf file and Agents conf file


Massimiliano De Falco

Jan 11, 2023, 8:02:37 AM
to Wazuh mailing list
Good morning to all,
I have a question: is the ossec.conf file present on the manager server duplicated to all client agents on the machines?
If I modify the ossec.conf, is this change copied to the configuration of all Windows agents?

In particular, I have to add this string to the config file of all WIN agents:

...
<directories check_all="yes" realtime="yes" report_changes="yes">C:\Users</directories>
...

I have added this string to the ossec.conf file.
Is this change propagated/updated to all agents?

Thanks.

--
Massimiliano De Falco

Raul Del Pozo Moreno

Jan 11, 2023, 8:36:49 AM
to Massimiliano De Falco, Wazuh mailing list
Hello Massimiliano

Each Wazuh manager and Wazuh agent has its own ossec.conf file with its own content. If you want to share files with agents or specify a generalized configuration for several agents, what you should use is the Centralized configuration functionality (agent.conf), so that only those settings are shared across Windows agents, for example, either through groups or system specifications.

Please read the following documentation on how to use this functionality: https://documentation.wazuh.com/current/user-manual/reference/centralized-configuration.html

A practical example would be the following (for the default group):

- In the Wazuh manager instance, edit the file: /var/ossec/etc/shared/default/agent.conf
- Add the following block of code to the file: 

<agent_config>
    <syscheck>

        <directories check_all="yes" realtime="yes" report_changes="yes">C:\Users</directories>
    </syscheck>
</agent_config>

Then all the agents belonging to the default group will apply this line when the configuration is synchronized. This implies that all the systems, Linux, macOS, Windows, etc., will have this configuration. To avoid this, you must share this configuration with a specific group, either in the agent.conf file of a certain group, such as /var/ossec/etc/shared/MY_CUSTOM_GROUP/agent.conf, or specify a series of values in the agent_config options, such as:

<agent_config name="agent01">
...
<agent_config os="Windows">
...
<agent_config profile="UnixHost">

You can see the available options in this section of the documentation: https://documentation.wazuh.com/current/user-manual/reference/centralized-configuration.html#options

Regards, Raúl. 

Wazuh
Raúl Del Pozo Moreno
IT Security Engineer - CICD
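
The caveat in the reply above, that an agent_config block without a filter reaches every agent in the group regardless of operating system, can be checked before a shared agent.conf is saved. The following is an added example, not part of the original thread and not Wazuh tooling; the function name, the sample file contents and the drive-letter heuristic are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: contents of a group's agent.conf with three blocks.
SAMPLE_AGENT_CONF = r"""
<agent_config>
  <syscheck>
    <directories check_all="yes" realtime="yes" report_changes="yes">C:\Users</directories>
  </syscheck>
</agent_config>
<agent_config os="Windows">
  <syscheck>
    <directories check_all="yes" realtime="yes">C:\Users,C:\ProgramData</directories>
  </syscheck>
</agent_config>
<agent_config os="Linux">
  <syscheck>
    <directories check_all="yes">/etc,/usr/bin</directories>
  </syscheck>
</agent_config>
"""

# Assumption: a path starting with a drive letter (C:\...) is Windows-only.
WINDOWS_PATH = re.compile(r"^[A-Za-z]:\\")


def unscoped_windows_paths(agent_conf_text):
    """Return (block_number, path) for Windows FIM paths in unfiltered blocks."""
    # agent.conf may hold several top-level <agent_config> blocks, so wrap
    # them in a synthetic root to parse the text as one XML document.
    root = ET.fromstring("<root>" + agent_conf_text + "</root>")
    findings = []
    for number, block in enumerate(root.findall("agent_config"), start=1):
        # A block carrying name, os or profile is restricted to some agents;
        # this check only reports blocks that carry none of the three.
        if any(block.get(attr) for attr in ("name", "os", "profile")):
            continue
        for entry in block.iterfind("syscheck/directories"):
            # A <directories> element may list several comma-separated paths.
            for path in (entry.text or "").split(","):
                path = path.strip()
                if WINDOWS_PATH.match(path):
                    findings.append((number, path))
    return findings


if __name__ == "__main__":
    for number, path in unscoped_windows_paths(SAMPLE_AGENT_CONF):
        print(f"agent_config block {number}: {path} has no name/os/profile filter")
```

The check does not evaluate whether a filter value actually matches Windows agents; it only reports blocks that have no filter at all.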



Massimiliano De Falco

Jan 11, 2023, 9:32:42 AM
to Raul Del Pozo Moreno, Wazuh mailing list
Thanks for your answer.
Is it possible to edit the agent.conf from the wazuh (GUI) manager interface?
--
Massimiliano De Falco

Raul Del Pozo Moreno

Jan 11, 2023, 10:06:47 AM
to Massimiliano De Falco, Wazuh mailing list
Yes, you can modify the agent.conf file from the following section in the Wazuh dashboard WUI:

  • Wazuh -> Management -> Groups -> (your group) -> Files

In the agent.conf line, you will see a pencil symbol in the Action column; this will allow you to edit this file.


Wazuh
Raúl Del Pozo Moreno
IT Security Engineer - CICD
