I turned them OFF this way.

I am assuming you can declare just these options with no logging location 
and you will have the reverse of my config

  <agent_config name="example_server_name">
    <rootcheck>
      <disabled>yes</disabled>
      <check_winmalware>no</check_winmalware>
      <check_sys>no</check_sys>
    </rootcheck>
    <syscheck>
      <auto_ignore>yes</auto_ignore>
      <alert_new_files>no</alert_new_files>
      <scan_on_start>no</scan_on_start>
      <registry_ignore>HKEY_LOCAL_MACHINE</registry_ignore>
      <registry_ignore>HKEY_USERS</registry_ignore>
      <registry_ignore>HKEY_CURRENT_CONFIG</registry_ignore>
      <registry_ignore>HKEY_CURRENT_USER</registry_ignore>
      <registry_ignore>HKEY_CLASSES_ROOT</registry_ignore>
    </syscheck>
  </agent_config>


Grant
On Thursday, September 14, 2017 at 9:38:48 AM UTC-4, dan (ddpbsd) wrote:
>
> On Tue, Sep 12, 2017 at 12:09 AM, vikas <srihar...@gmail.com> wrote:
> > Hi All, 
> > 
> > I am trying to collect only syscheck and rootcheck logs, and not the
> > eventlogs in windows or any other log files in unix. I see some /var/log
> > file locations declared in ossec.conf for linux that I can comment out, but
> > don't see an option to turn off the log collection for windows. The
> > application, security and system logs are specified in default-ossec.conf on
> > the agent. How can I stop collecting these logs without having to touch each
> > agent?
> > 
>
> If you want to turn off the collection of logs on each agent, you'll 
> have to touch each agent. 
> I think removing the localfile options should be enough, but I haven't 
> tried it. 
>
> > Thanks, 
> > Vikas. 
> > 
> > -- 
> > 
> > --- 
> > You received this message because you are subscribed to the Google Groups
> > "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> > email to ossec-list+...@googlegroups.com.
> > For more options, visit https://groups.google.com/d/optout. 
>
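
Added example, not part of the thread and not OSSEC project code: a small Python check to run against a copy of an agent's ossec.conf after removing the localfile options as suggested above. It lists any <localfile> entries that are still active (commented-out ones are ignored) and reports whether syscheck and rootcheck are still enabled. The sample config and the name audit_conf are constructed for illustration; it assumes the file parses as XML once its <ossec_config> blocks are wrapped in a single root.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of a Windows agent ossec.conf (not taken from the thread).
SAMPLE_CONF = """
<ossec_config>
  <localfile>
    <location>Application</location>
    <log_format>eventlog</log_format>
  </localfile>
  <!-- <localfile><location>Security</location></localfile> -->
  <syscheck><frequency>72000</frequency></syscheck>
</ossec_config>
<ossec_config>
  <localfile>
    <location>System</location>
    <log_format>eventlog</log_format>
  </localfile>
  <rootcheck><disabled>no</disabled></rootcheck>
</ossec_config>
"""

def audit_conf(text):
    """Return (active localfile locations, {section: enabled}) for one config."""
    # A config may hold several <ossec_config> blocks; wrap them in one root
    # so a standard XML parser accepts the file. Drop any XML declaration first.
    text = re.sub(r"<\?xml[^>]*\?>", "", text)
    root = ET.fromstring("<wrapper>" + text + "</wrapper>")
    # The default parser discards comments, so commented-out entries are skipped.
    locations = [(lf.findtext("location") or "").strip()
                 for lf in root.iter("localfile")]
    enabled = {}
    for section in ("syscheck", "rootcheck"):
        nodes = list(root.iter(section))
        # Enabled means: section present and not <disabled>yes</disabled>.
        enabled[section] = any(
            (n.findtext("disabled") or "no").strip().lower() != "yes"
            for n in nodes
        )
    return locations, enabled

if __name__ == "__main__":
    locs, state = audit_conf(SAMPLE_CONF)
    print("still collecting:", locs or "nothing")
    print("enabled:", state)
```

An empty location list together with both sections enabled is the state the original question asks for.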
