[ossec-list] Re: Ossec & Windows mass deployment and server based agent config?

Fri, 29 Apr 2016 08:39:21 -0700 

I am having a issue getting my servers agent.conf push to s test Windows 
agent....  as from a prior post USB Detection 
<https://groups.google.com/forum/#!topic/ossec-list/9P1wZM78jj4>  I wish to 
use the /var/ossec/etc/shared/agent.conf
to push USB detection and possibly other deployment wide logging ect.

My server side agent.conf is as soo..

-rw-r--r-- 1 root ossec 237 Apr 28 19:49 /var/ossec/etc/shared/agent.conf

<agent_config os="Windows">
<localfile>
    <log_format>full_command</log_format>
    <command>C:\Admin_Tools\USB_Audit\usb-audit.bat</command>
    <frequency>30</frequency>
    <alias>USBDevices</alias>
  </localfile>
</agent_config>


I restarted the Ossec manager & the Windows client but after much time I 
still do not see any alteration to the Windows client side agent.conf...  i 
ran a md5sum check with this output...

02e124cb20c0a982fa571edcf5ecfce3  /var/ossec/etc/shared/agent.conf
root@alamo:/home/mis# /var/ossec/bin/agent_control -i 007

OSSEC HIDS agent_control. Agent information:
   Agent ID:   007
   Agent Name: mis41
   IP address: any/any
   Status:     Active

   Operating system:    Microsoft Windows 7 Enterprise Edition Professional 
..
   Client version:      OSSEC HIDS v2.8.3 / d41d8cd98f00b204e9800998ecf8427e
   Last keep alive:     Fri Apr 29 15:29:04 2016

   Syscheck last started  at: Fri Apr 29 15:13:54 2016
   Rootcheck last started at: Fri Apr 29 15:14:26 2016


Wondering if the Active Directory permission structure is causing issues 
with Ossec config pushes.??



On Thursday, April 28, 2016 at 6:57:30 AM UTC-5, Jacob Mcgrath wrote:
>
> I have a 200-300 workstation network and roughly 60-80 servers in either 
> heavy metal or virtual clusters.
>
>
> From what I read I can use a .cvs file with hostnames to assign Ossec keys 
> to agents in large volumes.  Has any done this / or had issues with this 
> method? 
>
> Passing down windows agent config's from the Ossec server.  Is this a real 
> world possibility?
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Reply via email to