Editing Agent Profile


Sagar

Sep 12, 2023, 10:33:54 AM
to Wazuh | Mailing List
Hi team,
AIM:
I am currently looking for the way in which I could add a configuration like

<localfile>
  <location>/var/log/my.log</location>
  <log_format>syslog</log_format>
</localfile>

to the agent separately/group of agents/profile/os.


I am trying to use the centralized configuration file "agent.conf" to update the configuration for a particular agent in that group.

As mentioned in the documentation, I can use 3 filters for agent_config to apply the configurations on,
https://documentation.wazuh.com/current/user-manual/reference/centralized-configuration.html#agent-conf

I am able to use the filter for profile if I add the profile name in the agent manually and the configuration in the manager that I want to push,
But is there any way I can update the profile for the already existing wazuh-agents remotely and then add their configuration in the wazuh-manager?

Marcos Darío Buslaiman

Sep 12, 2023, 11:38:37 AM
to Wazuh | Mailing List
Hi Sagar,
Thanks for using Wazuh!

You can add/edit the profile by using the centralized configuration, the profile for an agent on a group from UI or from CLI on Wazuh-Manager.
From UI you need to go to Wazuh Menu --> Management --> Groups --> Select the group that you need to add or edit the profile, i.e.
[Screenshot: Centralized config - profile.png]
Take into account that this change will be applied to all the agents in this group, in this example the default group.
From CLI on manager your agent.conf file will be on the following path /var/ossec/etc/shared/{group_name} then you will have the agent.conf file to edit.
[Screenshot: Centralized config - profile2.png]

Please let me know if I understood your question correctly. If I missed something, could you kindly explain it to me again?

Regards!

Marcos Darío Buslaiman

Sep 12, 2023, 2:23:02 PM
to Wazuh | Mailing List
Hi Sagar,
I'm not sure, but if you mean to change this parameter config-profile in the ossec.conf on a Wazuh Agent, it is not possible to change it via centralized configuration:

<ossec_config>
  <client>
    <server>
      <address>192.168.1.50</address>
      <port>1514</port>
      <protocol>tcp</protocol>
    </server>
    <config-profile>debian, debian10</config-profile>
    <notify_time>10</notify_time>
    <time-reconnect>60</time-reconnect>
    <auto_restart>yes</auto_restart>
    <crypto_method>aes</crypto_method>
  </client>
</ossec_config>

The profiles defined in this configuration (<config-profile>) could be used as a filter on the Centralized configuration as we mentioned before, but this config-profile needs to be configured on the agent side.

Regards!

Sagar

Sep 13, 2023, 3:32:44 AM
to Wazuh | Mailing List
Thanks for the help,

My confusion was the one you explained in the later part, about changing this parameter config-profile in the ossec.conf on a Wazuh Agent via centralized configuration.

To highlight what I concluded using wazuh documentation and the above query reply,

Example: 1. group name = "custom_group"
   I have 150 agents assigned to this group, and now I need some agents with names "haproxy", "nginx" to fetch one more log file at some path.

   * For this I need to push the configuration to the agents using my wazuh-manager.

   * Now I need to add this configuration in the file with path "/var/ossec/etc/shared/custom_group/agent.conf",
     taking into account that I need to add a filter for the wazuh agent name as:

     <agent_config name="haproxy">
       <localfile>
         <location>/var/log/my.log</location>
         <log_format>syslog</log_format>
       </localfile>
     </agent_config>

   * We can use the filter for the agents already installed, and the configuration will be pushed to all agents present in the group, but the configuration would affect the agent with the name haproxy only.
   * We cannot set <config-profile> for an already installed agent using wazuh-manager (only possible to edit on the wazuh-agent itself), and then add the configuration for a profile in /var/ossec/etc/shared/custom_group/agent.conf

     <agent_config profile="PROXY">
       <localfile>
         <location>/var/log/my.log</location>
         <log_format>syslog</log_format>
       </localfile>
     </agent_config>

Please do let me know that I have not misunderstood any of the above functionality.

Marcos Darío Buslaiman

Sep 13, 2023, 9:05:06 AM
to Wazuh | Mailing List
Hi Sagar,
Yes, you are right.
You can use the value of profile on /var/ossec/etc/shared/custom_group/agent.conf (Centralized configuration) to apply the block of configuration only to the host with this profile name (PROXY).
<agent_config profile="PROXY">
  <localfile>
    <location>/var/log/my.log</location>
    <log_format>syslog</log_format>
  </localfile>
</agent_config>

But first, you need to configure this profile of an agent. You need to access the agent, edit the configuration /var/ossec/etc/ossec.conf and set the profile into the parameter <config-profile>:
<ossec_config>
  <client>
    <server>
      <address>192.168.1.50</address>
      <port>1514</port>
      <protocol>tcp</protocol>
    </server>
    <config-profile> PROXY</config-profile>
    <notify_time>10</notify_time>
    <time-reconnect>60</time-reconnect>
    <auto_restart>yes</auto_restart>
    <crypto_method>aes</crypto_method>
  </client>
</ossec_config>

Please let me know for any doubts or comments.
Regards
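
Added example, not part of the thread and not Wazuh project code: since `<config-profile>` has to be set in the agent's own ossec.conf, this Python helper makes that edit idempotently, covering both an agent with no profile yet and one whose profile is being changed. The function name, the profile-name allow-list and the sample file content are assumptions of this example.

```python
import re

# First <client>...</client> section of an agent's ossec.conf.
CLIENT_RE = re.compile(r"(<client>)(.*?)([ \t]*</client>)", re.DOTALL)
PROFILE_RE = re.compile(r"<config-profile>.*?</config-profile>", re.DOTALL)
# Allow-list for profile names: an assumption of this example, not a Wazuh rule.
NAME_RE = re.compile(r"^[A-Za-z0-9_.-]+$")

# Constructed sample input (hypothetical agent without a profile yet).
SAMPLE = """<ossec_config>
  <client>
    <server>
      <address>192.168.1.50</address>
    </server>
    <notify_time>10</notify_time>
  </client>
</ossec_config>
"""


def set_config_profile(conf_text, profiles):
    """Return conf_text with <config-profile> in <client> set to profiles.

    Edits text instead of an XML tree so comments and layout are preserved.
    """
    for name in profiles:
        if not NAME_RE.match(name):
            raise ValueError(f"unsafe profile name: {name!r}")
    element = "<config-profile>" + ", ".join(profiles) + "</config-profile>"

    match = CLIENT_RE.search(conf_text)
    if match is None:
        raise ValueError("no <client> section found")
    opening, body, closing = match.groups()

    if PROFILE_RE.search(body):
        # Profile already set: replace its value in place.
        body = PROFILE_RE.sub(lambda _m: element, body, count=1)
    else:
        # No profile yet: append it as the last child of <client>.
        body = body.rstrip() + "\n    " + element + "\n"
    return conf_text[:match.start()] + opening + body + closing + conf_text[match.end():]


if __name__ == "__main__":
    print(set_config_profile(SAMPLE, ["PROXY"]))
```

The agent reads ossec.conf at start-up, so restart the agent service after writing the changed file.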