Updating Agent ossec.conf after install/deployment

Robert H

Aug 22, 2017, 7:56:34 PM
to Wazuh mailing list
Hi,
For Agents, if we include a directory, say C:\myapp, in the initial install/registration process, and 6 months later we want to change that config to, for example, add a second directory, C:\myotherapp, is there a capability to update the syscheck directories on the manager and push that change to all Agents, or would the ossec.conf file on each Agent need to be updated manually and then restarted? Is there an API capability for this?

Also, if the Agent computer loses its connection to the manager, will it build up logs or have some type of queueing running until it regains/reconnects to the Manager again?

Last, is the Manager written as a multi-threaded application so that it will take advantage of multi-core processing?

Regards,
Robert

Pedro Sanchez

Sep 3, 2017, 8:03:22 AM
to Robert H, Wazuh mailing list
Hi Robert,

Let me answer your questions in the lines below:

  • For Agents, if we include a directory, say C:\myapp, in the initial install/registration process, and 6 months later we want to change that config to, for example, add a second directory, C:\myotherapp, is there a capability to update the syscheck directories on the manager and push that change to all Agents, or would the ossec.conf file on each Agent need to be updated manually and then restarted? Is there an API capability for this?
You can use the centralized configuration capabilities to configure your agents remotely. You can modify almost every setting in your agents, including the Syscheck directories list.

Every time you modify the "agent.conf" file in the Manager, it will be pushed to the agents (it takes some time); then you will need to restart the agent (you can do that remotely as well) to apply the configuration.
For the next Wazuh version we will add new features for centralized configuration such as: parallel pushing, auto-restart, stop-and-wait for UDP pushing reliability and performance, and faster TCP configuration pushing.

  • Also, if the Agent computer loses its connection to the manager, will it build up logs or have some type of queueing running until it regains/reconnects to the Manager again?
The agent does not have any queue apart from the Logcollector queue, which is really small (KBs).
At the moment the agent gets disconnected, Logcollector will stop reading the file, saving the last processed line position; when the connection is restored, it will start from the saved line.
Something we need to keep in mind is:
- Logcollector will lose the saved line position if the agent is restarted manually (ossec-control restart or restarting the Windows service).
- An agent can potentially send events to a non-working Manager for 30 minutes before it realizes the Manager is down (TCP communication solves this issue).

  • Last, is the Manager written as a multi-threaded application so that it will take advantage of multi-core processing?
That is a good question. Currently, the Manager makes use of different threads for specific components, for example Remoted (one for attending requests, one for pushing configuration), but it is not essentially a multi-threaded application.
It does not use different threads to attend multiple requests at the same time (remoted), nor does it use multiple threads to process and decode incoming logs (analysisd).
I won't say the Manager is taking full advantage of multi-core processing, but I can say we are working on solving it by adding multi-threading capabilities and scalability options: horizontal (Wazuh Cluster is coming) and vertical (Docker containers, multi-threads).


Hope it helps, best regards,
Pedro.
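As an added example (not part of the thread and not Wazuh's own documentation), this is what the centralized agent.conf on the Manager could look like for the case Robert describes, adding C:\myotherapp beside the original C:\myapp for Windows agents only; the shared path /var/ossec/etc/shared/agent.conf and the realtime option are assumptions about the deployment.

```xml
<!-- Hypothetical centralized configuration pushed from the Manager to agents.
     Assumed location on the Manager: /var/ossec/etc/shared/agent.conf
     The os attribute limits this block to Windows agents; Linux agents ignore it. -->
<agent_config os="Windows">
  <syscheck>
    <!-- Directory monitored since the initial deployment -->
    <directories check_all="yes">C:\myapp</directories>
    <!-- Directory added later. realtime="yes" (assumed enabled for this deployment)
         reports changes as they happen instead of waiting for the next scheduled scan. -->
    <directories check_all="yes" realtime="yes">C:\myotherapp</directories>
  </syscheck>
</agent_config>
```

Each agent merges this with its local ossec.conf after the push, so the local file is left untouched, and the agent still needs the restart Pedro mentions before the new directory is checked.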
