ossec.conf is present on both the server and the agents. agent.conf is a file you can create on the server to have configuration pushed out to agents; each block in it can be targeted at agents by name, by OS type, or by configuration profile.
Default locations are /var/ossec/etc/ossec.conf and /var/ossec/etc/shared/agent.conf.
Official Documentation is here.
The OSSEC manager only re-reads agent.conf on a timer rather than immediately, so restarting the manager pushes the new file sooner. Before restarting, check the file for syntax errors with /var/ossec/bin/verify-agent-conf (a malformed agent.conf gets pushed to every agent, so this check is cheap insurance). Once the configuration is pushed, run agent_control to confirm the agent is still connected:
agent_control -i 002 # assuming 002 is the id of the agent
And then restart the agent remotely so it applies the new file:
agent_control -R 002 # assuming 002 is the id of the agent
Note that -R restarts the agent through OSSEC's active-response mechanism (the restart-ossec script), so it does nothing on an agent where active response is disabled.
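The steps above, scripted end to end, as an added example that is not from the original post: validate agent.conf, restart the manager, then restart every currently connected agent (the post restarts a single agent by ID; this generalises to all of them). It assumes a standard /var/ossec install and that agent_control -lc prints one "ID: nnn, Name: ..., IP: ..., Active" line per agent, which is the format reproduced in the constructed SAMPLE_LISTING below; the manager's own entry (ID 000, "Active/Local") is skipped because agent.conf does not apply to it.

```shell
#!/bin/sh
# Added example, not part of the original post or of OSSEC itself.
# Push a new agent.conf from the manager and restart all connected agents.
set -eu

OSSEC_BIN=${OSSEC_BIN:-/var/ossec/bin}   # assumed default install location

# Constructed sample of `agent_control -l` output, used only to illustrate the
# parser below (the real command is not run when the script is merely sourced).
SAMPLE_LISTING='OSSEC HIDS agent_control. List of available agents:
   ID: 000, Name: manager (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: agent1, IP: 192.168.1.10, Active
   ID: 002, Name: agent2, IP: any, Disconnected
   ID: 003, Name: winhost, IP: 192.168.1.20, Active

List of agentless devices:'

# Read an agent listing on stdin and print the IDs of agents whose status is
# exactly "Active". Fields are split on ", ", so the status is the last field;
# "Active/Local" (the manager) and "Disconnected" agents are excluded.
active_agent_ids() {
    awk -F', ' '
        /^ *ID: / {
            sub(/[ \t\r]+$/, "", $NF)          # tolerate trailing whitespace
            if ($NF == "Active") {
                sub(/^ *ID: /, "", $1)
                print $1
            }
        }'
}

# Fail fast on a malformed agent.conf before it is pushed anywhere.
validate_agent_conf() {
    "$OSSEC_BIN/verify-agent-conf"
}

# Restart the manager so it re-reads agent.conf, give agents time to reconnect,
# then confirm each connected agent and restart it so the new file takes effect.
# (agent_control -R relies on active response being enabled on the agent.)
push_agent_conf() {
    validate_agent_conf
    "$OSSEC_BIN/ossec-control" restart
    sleep "${SETTLE_SECONDS:-30}"              # assumed settle time; tune to taste
    "$OSSEC_BIN/agent_control" -lc | active_agent_ids | while read -r id; do
        "$OSSEC_BIN/agent_control" -i "$id"    # show status before restarting
        "$OSSEC_BIN/agent_control" -R "$id"    # remote restart via active response
    done
}

# Only act when explicitly asked, so sourcing the file for its functions is safe.
case "${1:-}" in
    push) push_agent_conf ;;
esac
```

Run it as `sh push_agent_conf.sh push` on the manager. The parser is deliberately conservative: an agent that reports anything other than "Active" is left alone, so a disconnected agent is neither counted as pushed nor spuriously restarted.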
Sample configuration sections:
File Integrity Monitoring
<agent_config os="Windows">
  <syscheck>
    <directories check_all="yes">C:\ossec_test</directories>
    <scan_time>10am</scan_time>
    <scan_day>friday</scan_day>
    <frequency>360</frequency>
  </syscheck>
</agent_config>
Note: frequency is in seconds, so 360 means a scan every six minutes, which is aggressive compared with the default of 79200 (22 hours); pick a value that matches how quickly you need to catch changes on that host.
Note: directories are monitored recursively, so only the directory needs to be specified. You do not need to list the individual files within it to monitor its contents.
To run syscheck (and rootcheck) manually on all agents:
/var/ossec/bin/agent_control -r -a
To run syscheck (and rootcheck) manually on agent 002 only:
/var/ossec/bin/agent_control -r -u 002
Rootkit Detection
<agent_config name="agent1">
  <rootcheck>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
    <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
  </rootcheck>
</agent_config>
The rootcheck block takes the rootkit signature and system-audit policy files; <location> and <log_format> are options of the <localfile> block used for log analysis below, not of <rootcheck>.
Log Analysis
<agent_config os="Linux">
  <localfile>
    <location>/var/log/my.log</location>
    <log_format>syslog</log_format>
  </localfile>
</agent_config>