[ossec-list] Update Wazuh with standard Ossec files

2017-01-20 Thread Alejandro M
Hello all. I just installed the Wazuh fork on a server but after a bit of 
tinkering, I realized there were issues between a previously installed 
agent and this server. 

After searching for information, it seems the error is that the agent 
version (2.8.3) is newer than what comes with Wazuh, which apparently is 
2.8, and it causes a conflict. 

Could I update Wazuh's OSSEC with the official OSSEC files so the server 
matches the agent, without risk of losing my configurations (logstash, etc.), 
or should I just use the Wazuh files for agent installation?

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [ossec-list] Maximum Number of Agents Allowed

2017-01-20 Thread jonathan . ringler
Is there a way to set the max number of agents without recompiling the 
installer?

On Saturday, August 20, 2011 at 11:01:06 PM UTC-4, Michael Starks wrote:
>
> On 08/18/2011 07:52 AM, Swartz, Patrick H wrote:
> > That is the default maximum, however it is modifiable by going into the
> > /src directory (of the install package) and running "make setmaxagents",
> > this will prompt you asking for a new maximum value.
> > You will then need to recompile to take advantage of the new value.
> > We currently use 4096 (with close to 2000 active agents) with no issues.
> >
> > Patrick Swartz
>
> I would also recommend some OS tuning with that many agents: 
> http://www.immutablesecurity.com/index.php/2010/10/20/2woo-tips-tricks/
>



[ossec-list] Re: System Integrity Check questions

2017-01-20 Thread Nikki S
Thank you Dan! 

On Wednesday, January 18, 2017 at 3:27:57 PM UTC-5, Nikki S wrote:
>
> Hi, 
>
> I have a couple of questions regarding FIM/System Integrity check. I'm 
> hoping this would help others as well starting off with OSSEC. 
>
> - When a new agent is installed does it run the system integrity check
>   automatically? Or does the  option need to be enabled?
> - I have kept the default for scan frequency (20 hours). How can I
>   verify if the integrity scan actually did run?
>   - I get "** No entries found" when the command - syscheck_control -i
>     agentID is executed
>   - If I see the agent name under /var/ossec/queue/syscheck can I
>     assume that an initial scan was run on the system?
> - Do I need to set up a time for the scan to happen?
> - Can I stagger the scan time for the agents? aka create groups by
>   agent name and scan them at different times?
>
>
> Thank you again for the guidance! 
>



Re: [ossec-list] Re: Profiles and agents

2017-01-20 Thread dan (ddp)
On Fri, Jan 20, 2017 at 8:25 AM, Kat  wrote:
> I already did. :-)
> #1027
>

Thanks, I missed it. It's been merged.

> On Thursday, January 19, 2017 at 12:15:14 PM UTC-6, dan (ddpbsd) wrote:
>>
>> On Tue, Jan 17, 2017 at 3:06 PM, Kat  wrote:
>> > The problem is simple - the install.sh is where this is taken care of,
>> > but no one ever bothered to add the code when they added the variable
>> > of USER_AGENT_CONFIG_PROFILE.
>> >
>>
>> If you submit a pull request I'll bother with it right now.
>>
>> > Take a look at install.sh and find the top bit of code here -- and you
>> > will see the part I added to fix the PROFILE:
>> >
>> > echo "" > $NEWCONFIG
>> > echo "  " >> $NEWCONFIG
>> > if [ "X${IP}" != "X" ]; then
>> >     echo "$IP" >> $NEWCONFIG
>> > elif [ "X${HNAME}" != "X" ]; then
>> >     echo "$HNAME" >> $NEWCONFIG
>> > fi
>> > # add this block to check for and add a preset profile name for the
>> > # agent (from preloaded-vars.conf)
>> > if [ "X${USER_AGENT_CONFIG_PROFILE}" != "X" ]; then
>> >     PROFILE=${USER_AGENT_CONFIG_PROFILE}
>> >     echo "$PROFILE" >> $NEWCONFIG
>> > fi
>> > # end of added PROFILE block
>> > echo "  " >> $NEWCONFIG
>> > echo "" >> $NEWCONFIG
>> >
>> >
>> > Cheers
>> > Kat
>> >
>> > On Thursday, January 22, 2015 at 4:09:42 AM UTC-6, Slobodan Aleksić wrote:
>> >>
>> >> Hello list,
>> >>
>> >> I am having trouble setting up agent's ossec.conf by the install.sh
>> >> script correctly.
>> >> Setting "USER_AGENT_CONFIG_PROFILE" in "preloaded-vars.conf" to
>> >> something, doesn't create a  setting in ossec.conf ..
>> >>
>> >> Another thing: How to get a minimal ossec.conf on agents automatically.
>> >> So that only server and profile settings are kept in ossec.conf and all
>> >> the rest only in agent.conf ?
>> >>
>> >> Thanks in advance
>> >>
>> >>
>> >> --
>> >> Slobodan
>> >



Re: [ossec-list] Re: Profiles and agents

2017-01-20 Thread Kat
I already did. :-) 
#1027

On Thursday, January 19, 2017 at 12:15:14 PM UTC-6, dan (ddpbsd) wrote:
>
> On Tue, Jan 17, 2017 at 3:06 PM, Kat wrote:
> > The problem is simple - the install.sh is where this is taken care of,
> > but no one ever bothered to add the code when they added the variable
> > of USER_AGENT_CONFIG_PROFILE.
> > 
>
> If you submit a pull request I'll bother with it right now. 
>
> > Take a look at install.sh and find the top bit of code here -- and you
> > will see the part I added to fix the PROFILE:
> >
> > echo "" > $NEWCONFIG
> > echo "  " >> $NEWCONFIG
> > if [ "X${IP}" != "X" ]; then
> >     echo "$IP" >> $NEWCONFIG
> > elif [ "X${HNAME}" != "X" ]; then
> >     echo "$HNAME" >> $NEWCONFIG
> > fi
> > # add this block to check for and add a preset profile name for the
> > # agent (from preloaded-vars.conf)
> > if [ "X${USER_AGENT_CONFIG_PROFILE}" != "X" ]; then
> >     PROFILE=${USER_AGENT_CONFIG_PROFILE}
> >     echo "$PROFILE" >> $NEWCONFIG
> > fi
> > # end of added PROFILE block
> > echo "  " >> $NEWCONFIG
> > echo "" >> $NEWCONFIG
> > 
> > 
> > Cheers 
> > Kat 
> > 
> > On Thursday, January 22, 2015 at 4:09:42 AM UTC-6, Slobodan Aleksić wrote:
> >>
> >> Hello list,
> >>
> >> I am having trouble setting up agent's ossec.conf by the install.sh
> >> script correctly.
> >> Setting "USER_AGENT_CONFIG_PROFILE" in "preloaded-vars.conf" to
> >> something, doesn't create a  setting in ossec.conf ..
> >>
> >> Another thing: How to get a minimal ossec.conf on agents automatically.
> >> So that only server and profile settings are kept in ossec.conf and all
> >> the rest only in agent.conf ?
> >> 
> >> Thanks in advance 
> >> 
> >> 
> >> -- 
> >> Slobodan 
> > 
>

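
An added example, not code from the thread or from OSSEC's install.sh: a sketch of the minimal agent ossec.conf discussed above (server and profile only), with the empty-string test on the profile variable written as `"X${var}"`. The helper names `write_client_block` and `misplaced_test_is_true` are hypothetical, and the element names (`ossec_config`, `client`, `server-ip`, `server-hostname`, `config-profile`) are assumed from the OSSEC agent configuration format because the archived snippet shows the echo strings without them.

```shell
#!/bin/sh
# Added illustration; write_client_block is a hypothetical helper, not install.sh.
# $1 = output file, $2 = server IP (may be empty), $3 = server hostname, $4 = profile
write_client_block() {
    out=$1; ip=$2; hname=$3; profile=$4

    # Refuse values that would break out of the XML element they are written into.
    for v in "$ip" "$hname" "$profile"; do
        case $v in
            *"<"*|*">"*|*"&"*|*'"'*|*"'"*)
                echo "invalid character in: $v" >&2; return 1 ;;
        esac
    done

    {
        echo "<ossec_config>"
        echo "  <client>"
        if [ "X${ip}" != "X" ]; then
            echo "    <server-ip>${ip}</server-ip>"
        elif [ "X${hname}" != "X" ]; then
            echo "    <server-hostname>${hname}</server-hostname>"
        fi
        # "X${var}" compares "X" against "X" when var is empty, so the
        # profile element is only written when a profile was preset.
        if [ "X${profile}" != "X" ]; then
            echo "    <config-profile>${profile}</config-profile>"
        fi
        echo "  </client>"
        echo "</ossec_config>"
    } > "$out"
}

# The same test with the sigil misplaced: "$X" expands to nothing and the
# literal text "{USER_AGENT_CONFIG_PROFILE}" remains, so it is always true.
misplaced_test_is_true() {
    unset X                      # X is not set by the installer either
    USER_AGENT_CONFIG_PROFILE=$1
    [ "$X{USER_AGENT_CONFIG_PROFILE}" != "X" ]
}
```
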