On Fri, Jun 22, 2012 at 3:58 PM, dan (ddp) <ddp...@gmail.com> wrote:
>
> On Jun 22, 2012 6:16 AM, "sahil sharma" <sharmasahil0...@gmail.com> wrote:
> >>
> >>
> >> This is for configuration changes, not rules:
> >> Your choice. If you want to use the agent.conf change it there. If you
> >> have a good change management system, changing the ossec.conf might be
> >> good enough.
> >>
> >> The OSSEC server does not use the agent.conf though, so if you're
> >> setting up something for the OSSEC server it'll have to be in that
> >> system's ossec.conf.
> >>
> >
> > (1) I have added following code to
> >var>ossec>etc>shared>agent.conf
> >
>
> As is documented in the full_command documentation, this has to go in the
> agent's ossec.conf. I apologize, I forgot about this restriction.
>
>
Please, clarify on this, I have to add the following code in agent's
ossec.conf i.e I have a win7 agent so I must add it to
>c>prog_files(x86)>ossec>ossec(config) ???? If yes, then do I need to put
<agent_config os="Windows"> at start or not?
1) Do I need to remove this code from >var>ossec>etc>shared>agent.conf
where I had previously added it?
2) Changing config at client side gives unusual problem in client's ossec
agent which then display (check config:warning) when I
try to start/stop/restart the client ossec agent.
3) Whats diff in adding in these two different files?
> > <agent_config os="Windows">
> >
> > <localfile>
> > <log_format>full_command</log_format>
> > <command>reg QUERY
> HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR</command>
> > <alias>usb-check</alias>
> > </localfile>
> >
> > </agent_config>
>
> Regards,Sahil.
>
