
I am starting with OSSEC for file integrity checking on a bunch of Windows servers and CentOS. I would like to keep a centralized configuration of what to check for all my agents, based on their OS.

Researching centralized agent configuration, I found out that I can make a /var/ossec/etc/shared/agent.conf which spreads my will to all my agents, but I am struggling to understand how to use it.

Based on the OSSEC docs example, I want to do something like this:

<agent_config os="Linux">
    <localfile>
        <location>/var/log/my.log2</location>
        <log_format>syslog</log_format>
    </localfile>

    <!-- syscheck is a sibling of localfile, not a child of it -->
    <syscheck>
        <frequency>7200</frequency>
        <auto_ignore>no</auto_ignore>
        <alert_new_files>yes</alert_new_files>
        <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
        <directories check_all="yes">/bin,/sbin</directories>
    </syscheck>
</agent_config>

<agent_config os="Windows">
    <localfile>
        <location>C:\myapp\my.log</location>
        <log_format>syslog</log_format>
    </localfile>

    <syscheck>
        <frequency>7200</frequency>
        <auto_ignore>no</auto_ignore>
        <alert_new_files>yes</alert_new_files>
        <!-- Windows entries must be real paths; the agent expands %VAR% environment variables -->
        <directories check_all="yes">%PROGRAMFILES%</directories>
        <directories check_all="yes">%PROGRAMFILES(X86)%</directories>
        <directories check_all="yes">%WINDIR%/System32</directories>
        <directories check_all="yes">%WINDIR%/SysWOW64</directories>
    </syscheck>
</agent_config>
JuliaVI
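A structural lint for a shared agent.conf, added here as an example and not part of the question or of OSSEC itself. Two things make this file awkward to check by hand: it carries several top-level `<agent_config>` elements, so a strict XML parser rejects it unless it is wrapped in a dummy root, and OSSEC reads `<syscheck>` and `<localfile>` as direct children of `<agent_config>`, so a `<syscheck>` nested inside `<localfile>` is silently not what was intended. The two sample configurations are constructed for this example; the messages and the selector handling are this script's own.

```python
"""Structural lint for an OSSEC shared agent.conf (added example, not OSSEC code).

agent.conf holds several top-level <agent_config> elements, so a strict XML
parser rejects the bare file; we wrap it in a dummy root before parsing. The
lint then checks the layout: <syscheck> and <localfile> must be direct children
of <agent_config>, every <localfile> needs a <location>, and <directories>
entries should not carry stray whitespace.
"""
import sys
import xml.etree.ElementTree as ET
from typing import List

# Attributes agent.conf uses to target a block at agents (os / name / profile).
SELECTORS = ("os", "name", "profile")
# Sections used in the question; both are read as direct children of <agent_config>.
SECTIONS = ("localfile", "syscheck")

# Constructed sample reproducing the layout mistake: syscheck inside localfile,
# plus a trailing space in a directory entry. Not a real deployment's file.
SAMPLE_BAD = """
<agent_config os="Windows">
    <localfile>
        <location>C:\\myapp\\my.log</location>
        <log_format>syslog</log_format>
        <syscheck>
           <frequency>7200</frequency>
           <directories check_all="yes">System32 </directories>
        </syscheck>
    </localfile>
</agent_config>
"""

# Constructed sample with the two sections as siblings.
SAMPLE_GOOD = """
<agent_config os="Linux">
    <localfile>
        <location>/var/log/my.log2</location>
        <log_format>syslog</log_format>
    </localfile>
    <syscheck>
        <frequency>7200</frequency>
        <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    </syscheck>
</agent_config>
"""


def parse_agent_conf(text: str) -> ET.Element:
    """Wrap the multi-root file so ElementTree accepts it; raises ParseError if malformed."""
    return ET.fromstring("<root>" + text + "</root>")


def lint_agent_conf(text: str) -> List[str]:
    """Return human-readable problems; an empty list means the layout is sane."""
    problems: List[str] = []
    root = parse_agent_conf(text)
    for index, block in enumerate(root, 1):
        if block.tag != "agent_config":
            problems.append(f"block {index}: unexpected top-level <{block.tag}>")
            continue
        label = next((block.get(a) for a in SELECTORS if block.get(a)), None)
        if label is None:
            # A block without a selector is legal but applies to every agent; say so.
            problems.append(f"block {index}: no os/name/profile selector, so it applies to every agent")
            label = f"block {index}"
        # ElementTree has no parent pointers; build a child -> parent map for this block.
        parents = {child: parent for parent in block.iter() for child in parent}
        for section in SECTIONS:
            for element in block.iter(section):
                if parents[element] is not block:
                    problems.append(
                        f"{label}: <{section}> is nested inside <{parents[element].tag}>; "
                        f"it must be a direct child of <agent_config>"
                    )
        for localfile in block.iter("localfile"):
            if not (localfile.findtext("location") or "").strip():
                problems.append(f"{label}: <localfile> without a <location>")
        for directories in block.iter("directories"):
            raw = directories.text or ""
            if not raw.strip():
                problems.append(f"{label}: empty <directories> element")
            elif any(part != part.strip() for part in raw.split(",")):
                problems.append(f"{label}: <directories> entry has stray whitespace: {raw!r}")
    return problems


if __name__ == "__main__":
    # Usage: python lint_agent_conf.py /var/ossec/etc/shared/agent.conf
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BAD
    for problem in lint_agent_conf(source):
        print(problem)
```

Run against the constructed bad sample it reports the nested `<syscheck>` and the `System32 ` entry with its trailing space; against the good sample it reports nothing. Running it on the manager before restarting the OSSEC service catches the layout error that the manager itself does not complain about.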

1 Answer

It seems interesting you ran into the same case I did.

You can follow these steps:

  1. Create a new config file on the server/manager: vim /var/ossec/etc/shared/agent.conf
  2. Place the configuration you want merged onto the clients/agents in that file.
  3. Save it (press : then wq and Enter).
  4. Get the current hash of the config via md5sum /var/ossec/etc/shared/agent.conf
  5. Inspect agent 001's config via /var/ossec/bin/agent_control -i 001
  6. When the agent has received the configuration, the “Client Version” field will have the md5sum of the agent.conf file.

You will however find that it will not work on Windows agents. Linux agents might be a different story. If you are interested, you can see the pain I went through:

https://serverfault.com/questions/877991/ossec-windows-agent-fails-to-sync-configuration

dark_st3alth
  • Ouch! After going through the whole chain of facts, man, I feel your pain... Thank you for answering. It really helped me to understand what I was doing, and just in time to open my eyes to a huge problem I was in front of. It was really helpful, thanks so much. – JuliaVI Oct 23 '17 at 14:20
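The hash comparison in steps 4 to 6 of the answer, automated as an added example that is not part of the answer or of OSSEC. The script reads the hash agent_control prints in the “Client version” field and compares it with the MD5 of a file on the manager. The sample agent_control output is constructed, not captured from a real manager, and the field layout the regular expression assumes (a version string, a slash, then the 32-character hex digest) is an assumption about the tool's output. The file to hash is a parameter, so the same check can be run against /var/ossec/etc/shared/agent.conf as the answer does, or against /var/ossec/etc/shared/merged.mg, the bundle a 2.x manager builds from the shared directory.

```python
"""Verify that an OSSEC agent has picked up the shared configuration.

Added example, not OSSEC project code. Compares the MD5 of a shared file on the
manager with the hash an agent reports in agent_control's "Client version"
field. The regex below assumes that field reads "<version> / <32-hex md5>".
"""
import hashlib
import re
import subprocess
import sys
from typing import Optional

# Default tool and file paths on a manager, taken from the answer above.
AGENT_CONTROL = "/var/ossec/bin/agent_control"
SHARED_CONF = "/var/ossec/etc/shared/agent.conf"

# "Client version:" (any case), anything, a slash, then a 32-character hex digest.
HASH_RE = re.compile(r"Client version:.*?/\s*([0-9a-f]{32})", re.IGNORECASE)

# Constructed sample of `agent_control -i 001` output (not from a real manager).
# The hash is the MD5 of an empty file so the in-sync case reproduces offline.
SAMPLE_AGENT_INFO = """\
OSSEC HIDS agent_control. Agent information:
   Agent ID:   001
   Agent Name: web01
   IP address: 192.0.2.10
   Status:     Active

   Operating system:    Linux web01 3.10.0-693.el7.x86_64
   Client version:      OSSEC HIDS v2.9.0 / d41d8cd98f00b204e9800998ecf8427e
   Last keep alive:     Mon Oct 23 14:00:00 2017
"""


def md5_of_bytes(data: bytes) -> str:
    """MD5 hex digest of an in-memory byte string (used for offline checks)."""
    return hashlib.md5(data).hexdigest()


def file_md5(path: str) -> str:
    """MD5 of a file, streamed so a large merged config need not fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def reported_hash(agent_info: str) -> Optional[str]:
    """Hash the agent reported, lower-cased, or None if it has not reported one yet."""
    match = HASH_RE.search(agent_info)
    return match.group(1).lower() if match else None


def compare(agent_info: str, manager_hash: str) -> str:
    """'in_sync', 'out_of_sync', or 'pending' when the agent has reported no hash."""
    got = reported_hash(agent_info)
    if got is None:
        return "pending"
    return "in_sync" if got == manager_hash.lower() else "out_of_sync"


def check_agent(agent_id: str, shared_file: str = SHARED_CONF,
                agent_control: str = AGENT_CONTROL) -> str:
    """Run agent_control -i <id> on the manager and compare against the shared file."""
    result = subprocess.run([agent_control, "-i", agent_id],
                            capture_output=True, text=True, check=True)
    return compare(result.stdout, file_md5(shared_file))


if __name__ == "__main__":
    # Usage on a manager: python check_sync.py 001 [/var/ossec/etc/shared/merged.mg]
    status = check_agent(sys.argv[1], *sys.argv[2:3])
    print(status)
    sys.exit(0 if status == "in_sync" else 1)
```

A "pending" result right after editing the file is normal: the agent fetches the shared configuration on its next keepalive, so re-run the check after a minute before concluding the agent is broken. A persistent "out_of_sync" against both agent.conf and merged.mg is the symptom the linked Windows question describes.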