Pedro,

You sir, are a gentleman. I feel bad for not testing out my scenario to find the answer myself, without bothering you. Thank you for confirming my suspicions - I can write my agent.conf accordingly.

Your English is many times better than my Spanish. ;-)

James

On Thursday, February 11, 2016 at 12:21:46 PM UTC, James Glaves wrote:
>
> Hi,
> I push out OSSEC configuration to all our Windows agents using shared
> agent.conf. I have a question about how the agent interprets the different
> options:
>
> <agent_config name="agent1">
> <agent_config os="Windows">
>
> What isn't clear to me, will "agent1" match only the first agent_config it
> finds? Or will it continue through all the agent_config's and combine the
> results?
>
> For example, can I combine agent-specific configuration which applies to
> agent1 only with standard Windows configuration that applies to all Windows
> agents. Or do I need to include all the standard Windows configuration
> together with the specific configuration in the single named agent_config?
>
> Example, will this work? Will "agent4" combine IIS, Exchange, and Windows
> rules?
>
> <!-- Specific config for End User Desktop's -->
> <agent_config name="agent1|agent2|agent3">
>   <syscheck>
>     <directories check_all="yes">%PROGRAMFILES%/Application XYZ</directories>
>   </syscheck>
> </agent_config>
>
> <!-- Specific config for IIS Server's -->
> <agent_config name="agent4|agent5">
>   <localfile>
>     <location>%WinDir%\System32\LogFiles\W3SVC1\u_ex%y%m%d.log</location>
>     <log_format>iis</log_format>
>   </localfile>
> </agent_config>
>
> <!-- Specific config for Exchange Server's -->
> <agent_config name="agent4">
>   <localfile>
>     <location>F:\Connectivity Logs\CONNECTLOG%Y%m%d-1.LOG</location>
>     <log_format>iis</log_format>
>   </localfile>
> </agent_config>
>
> <!-- General Windows config for all Windows agents -->
> <agent_config os="Windows">
>   <localfile>
>     <location>Application</location>
>     <log_format>eventlog</log_format>
>   </localfile>
>
>   <localfile>
>     <location>Security</location>
>     <log_format>eventlog</log_format>
>   </localfile>
>
>   <localfile>
>     <location>System</location>
>     <log_format>eventlog</log_format>
>   </localfile>
> </agent_config>
>
> Thanks,
> jjrbg
>
