ossec.conf

[Francesco Mazzi]

Hi, I was wondering about ossec.conf in manager and in the agents.

I use centralized configuration and I know that manager's ossec.conf and agent.conf are merged, but what about ossec.conf in the agents?

For example, in manager's ossec.conf I set frequency to 1 hour for syscheck, I didn't set it ok agent.conf, and I see that in agent's ossec.conf is 12 hours. Should I set 1 hour in agent.conf too?

What is the precedence between these conf files?

Thank you.

[rafael...@wazuh.com]

Hi Francesco,

If you want your agent to have the same syscheck frequency as your manager, you have to set it on your agents configuration file too.

When the merged file is generated, agent.conf has the precedence.

It’s important to know which is the precedence between ossec.conf and agent.conf. The local and the shared configuration are merged. ossec.conf is read before the shared agent.conf,
the last definition of any setting will overwrite any previous
appearance. Also, the settings that includes a path to file, will be
concatenated.Enter code here...

You can find more information here: https://documentation.wazuh.com/2.0/user-manual/reference/centralized-configuration.html

Best regards.

[Francesco Mazzi]

Thank you, but what about ossec.conf in the agent? In which order is merged?

[Francesco Mazzi]

Ok, this is my configuration about syscheck:

ossec.conf in manager

<frequency>10800</frequency>

ossec.conf in agent (/var/ossec/etc/ossec.conf)

 <frequency>43200</frequency>

agent.conf

not set

in the log I see that syscheck is executed every 3 hours, so the frequency set in agent's ossec.conf is ignored or overwritten by the frequency in manager's ossec.conf.

Which is the role of the ossec.conf in the agent? Which is the precedence with manager's ossec.conf and agent.conf?

[rafael...@wazuh.com]

Hi Francesco,

sorry for the late response. I will try to clarify your situation.

Manager

First of all you manager ossec.conf is only for your manager, it doesn't have any effects on your agent's.

Agent

Now on your agent you have the ossec.conf only for the agent.

Centralized

If you want to override the agents configuration, you can do it by editing the file /var/ossec/etc/shared/default/agent.conf on your manager. This will generated a merged.mg that will be pushed to all the agents connected to the manager.

After the agent receives the merged.mg file, it will uncompress it and generate the agent.conf.

The agent will restart, read it's own ossec.conf and override the options with the agent.conf received in the previous step.

Best regards.

On Tuesday, July 10, 2018 at 12:31:38 PM UTC+2, Francesco Mazzi wrote:

[Francesco Mazzi]

Oh, now I understand, that's the point: I tought ossec.conf in manager was applied to every client, maybe it should be highlighted in the documentation.

Thank you very much!

[Andrew Huang]

Is it possible to overwrite the localfile directive from centralized config? For example this was automatically generated in agent's ossec.conf when the agent was installed, 

  <localfile>

    <log_format>apache</log_format>

    <location>/var/log/nginx/access.log</location>

  </localfile>

How can change my agent.conf to ignore this directive? There are alot of files that I don't want to monitor, and I have to remove the directives from every agents I install. Thank you.

[rafael...@wazuh.com]

Hi Andrew,

sorry for the late response, actually you can't ignore or overwrite localfiles using centralized agent.conf. This issue will be fixed and we have it already addressed on our roadmap.

Best regards.

On Tuesday, July 10, 2018 at 12:31:38 PM UTC+2, Francesco Mazzi wrote: