Hey, I have tried the same with 2 profiles, restarted the agents and the master, and added some files in the monitored directories, and I got some email alerts for the added files. Now I believe that this <config_profile> is working.
I have one more question! Will the rules in /var/ossec/rules/ still apply to the agents, right? What I'm trying to do is: I have 5 static machines and 5 dynamic machines, and now I need to be able to vary rules based on profile. Is it possible? For example, if I log in to my static machine and do a sudo for the first time I should get an email alert, and if I log in to my dynamic agent and do a sudo for the first time I should not get the email alert! Thanks

On Friday, June 22, 2018 at 12:36:05 AM UTC+5:30, dan (ddpbsd) wrote:
>
> On Thu, Jun 21, 2018 at 2:45 PM, Vinay Vanama <[email protected]> wrote:
> > So now how can we ensure that this <config_profile> is working ?
> >
>
> Ok, I created an agent.conf:
> ix# more /var/ossec/etc/shared/agent.conf
> <agent_config profile="tester">
> <syscheck>
> <directories check_all="yes">/var/test</directories>
> </syscheck>
> </agent_config>
>
> It got pushed to an agent. I configured that agent to use the profile:
> junction# more /var/ossec/etc/ossec.conf
> <ossec_config>
> <client>
> <server-hostname>ix.example.com</server-hostname>
> <config-profile>tester</config-profile>
> </client>
>
> I restarted the agent and checked the log:
> junction# grep 'var/test' /var/ossec/logs/ossec.log
> 2018/06/21 14:58:52 ossec-syscheckd(1701): WARN: No option provided for directories: '/var/test', ignoring it.
> 2018/06/21 14:59:24 ossec-syscheckd(1701): WARN: No option provided for directories: '/var/test', ignoring it.
> 2018/06/21 14:59:59 ossec-syscheckd: INFO: Monitoring directory: '/var/test', with options perm | size | owner | group | md5sum | sha256sum.
>
> You can see my failed attempts at setting this up the first couple of times. I got it right on the third try.
> Now this agent already has some <directories> entries, so I'll have to try it again without them to see if it still works.
>
> After removing the <directories> entries from the 's ossec.conf and restarting, I still see the message about '/var/test':
> 2018/06/21 15:03:59 ossec-syscheckd: INFO: Monitoring directory: '/var/test', with options perm | size | owner | group | md5sum | sha256sum.
>
> The agent.conf was updated on the agent, restarted, and see:
> 2018/06/21 15:05:32 ossec-syscheckd: INFO: Monitoring directory: '/var/test', with options perm | size | owner | group | md5sum | sha256sum.
> 2018/06/21 15:05:32 ossec-syscheckd: INFO: Monitoring directory: '/etc', with options perm | size | owner | group | md5sum | sha256sum.
> 2018/06/21 15:05:32 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin', with options perm | size | owner | group | md5sum | sha256sum.
> 2018/06/21 15:05:32 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin', with options perm | size | owner | group | md5sum | sha256sum.
> 2018/06/21 15:05:32 ossec-syscheckd: INFO: Monitoring directory: '/bin', with options perm | size | owner | group | md5sum | sha256sum.
> 2018/06/21 15:05:32 ossec-syscheckd: INFO: Monitoring directory: '/sbin', with options perm | size | owner | group | md5sum | sha256sum.
> 2018/06/21 15:05:32 ossec-syscheckd: INFO: Monitoring directory: '/boot', with options perm | size | owner | group | md5sum | sha256sum.
> 2018/06/21 15:05:32 ossec-syscheckd: INFO: Monitoring directory: '/var/ossec/etc/ossec.conf', with options perm | size | owner | group | md5sum | report_changes | sha256sum.
>
> So, it's definitely working.
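As an added example (not code from this thread or from OSSEC itself): a small Python script that reads an agent.conf holding several <agent_config> blocks and lists the syscheck directories an agent with a given <config-profile> would receive, which is the same check dan did by grepping ossec.log, done before pushing the file. The sample agent.conf, the profile names "static" and "dynamic", and the comma-separated profile matching are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample agent.conf (not from the thread): one block shared by every
# agent, plus one block per config-profile named in the question above.
SAMPLE_AGENT_CONF = """
<agent_config>
  <syscheck>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
  </syscheck>
</agent_config>
<agent_config profile="static">
  <syscheck>
    <directories check_all="yes" report_changes="yes">/var/www</directories>
  </syscheck>
</agent_config>
<agent_config profile="dynamic">
  <syscheck>
    <directories check_all="yes">/var/test</directories>
  </syscheck>
</agent_config>
"""

def parse_agent_conf(text):
    """agent.conf may contain several top-level <agent_config> elements, so it is
    not a single-rooted XML document; wrap it in a root element before parsing."""
    return ET.fromstring("<root>" + text + "</root>")

def block_applies(block, profile):
    """A block without a profile attribute applies to every agent. Assumption:
    a profile attribute may list several profile names separated by commas."""
    attr = block.get("profile")
    if attr is None:
        return True
    return profile in [p.strip() for p in attr.split(",")]

def directories_for_profile(text, profile):
    """Return the syscheck directories an agent using the given <config-profile>
    would end up with, in agent.conf order, splitting comma-separated paths."""
    dirs = []
    for block in parse_agent_conf(text).findall("agent_config"):
        if not block_applies(block, profile):
            continue
        for d in block.findall("./syscheck/directories"):
            dirs.extend(p.strip() for p in (d.text or "").split(",") if p.strip())
    return dirs

if __name__ == "__main__":
    for name in ("static", "dynamic", "unknown"):
        print(name, directories_for_profile(SAMPLE_AGENT_CONF, name))
```

An agent whose profile matches no block still gets the shared block, which is why a profile typo is easy to miss unless you compare the list against the "Monitoring directory" lines in ossec.log.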
