Hi,
I push out OSSEC configuration to all our Windows agents using a shared
agent.conf. I have a question about how the agent interprets the different
options:
<agent_config name="agent1">
<agent_config os="Windows">
What isn't clear to me: will "agent1" match only the first agent_config it
finds? Or will it continue through all the agent_configs and combine the
results?
For example, can I combine agent-specific configuration which applies to
agent1 only with standard Windows configuration that applies to all Windows
agents? Or do I need to include all the standard Windows configuration
together with the specific configuration in the single named agent_config?
For example, will this work? Will "agent4" combine IIS, Exchange, and Windows
rules?
<!-- Specific config for End User Desktops -->
<agent_config name="agent1|agent2|agent3">
<syscheck>
<directories check_all="yes">%PROGRAMFILES%/Application XYZ</directories>
</syscheck>
</agent_config>
<!-- Specific config for IIS Servers -->
<agent_config name="agent4|agent5">
<localfile>
<location>%WinDir%\System32\LogFiles\W3SVC1\u_ex%y%m%d.log</location>
<log_format>iis</log_format>
</localfile>
</agent_config>
<!-- Specific config for Exchange Servers -->
<agent_config name="agent4">
<localfile>
<location>F:\Connectivity Logs\CONNECTLOG%Y%m%d-1.LOG</location>
<log_format>iis</log_format>
</localfile>
</agent_config>
<!-- General Windows config for all Windows agents -->
<agent_config os="Windows">
<localfile>
<location>Application</location>
<log_format>eventlog</log_format>
</localfile>
<localfile>
<location>Security</location>
<log_format>eventlog</log_format>
</localfile>
<localfile>
<location>System</location>
<log_format>eventlog</log_format>
</localfile>
</agent_config>
Thanks,
jjrbg