moneyslow.com

Ossec 配置文件推送

moneyslow

Centralized agent configuration

If you ever wanted to be able to configure your agents remotely, you will be happy to know that starting on version 2.1 you will be able to do so. We allow centralized configuration for file integrity checking (syscheckd), rootkit detection (rootcheck) and log analysis.

This is how it works.

Create agent configuration

First Create the file /var/ossec/etc/shared/agent.conf.

Inside the file you can configure the agent just as you would normally at ossec.conf

<agent_config>
					


					<localfile>
						


					<location>/var/log/my.log</location>
								


					<log_format>syslog</log_format>
								


					</localfile>
						

</agent_config>

But you have a few more options. You can restrict the config by agent name, operating system, or profile:

<agent_config
						name="agent1">
								


					<localfile>
						


					<location>/var/log/my.log</location>
								


					<log_format>syslog</log_format>
								


					</localfile>
						

</agent_config>

 

<agent_config
						os="Linux">
								


					<localfile>
						


					<location>/var/log/my.log2</location>
								


					<log_format>syslog</log_format>
								


					</localfile>
						

</agent_config>

 

<agent_config
						os="Windows">
								


					<localfile>
						


					<location>C:myappmy.log</location>
								


					<log_format>syslog</log_format>
								


					</localfile>
						

</agent_config>

And only the proper agent will read them, giving us great granularity to push the configuration to all your agents.

After you configured, the manager will push it to the agents. Note that it can take a while for it to complete (since the manager caches the shared files and only re-reads them every few hours). If you restart the manager the configuration will be pushed much quicker.

Restart the agent

Once the configuration file is pushed, you can run the command agent_control to see if the agent received the config and restart the agent remotely.

# md5sum /var/ossec/etc/shared/agent.conf


MD5 (/var/ossec/etc/shared/agent.conf) = ee1882236893df851bd9e4842007e7e7
					

# /var/ossec/bin/agent_control -i 200

 

OSSEC HIDS agent_control. Agent information:
					

Agent ID: 200
					

Agent Name: ourhome
					

IP address: 192.168.0.0/16
					

Status: Active

 

Operating system: Linux ourhome 2.6.24-23-generic #1 SMP Mon Jan 26 00..
					

Client version: OSSEC HIDS v2.1 / ee1882236893df851bd9e4842007e7e7
					

Last keep alive: Tue Jun 30 08:29:17 2009

 

Syscheck last started at: Tue Jun 30 04:29:32 2009
					

Rootcheck last started at: Tue Jun 30 06:03:08 2009

When the agent received the configuration, the "Client Version" field will have the md5sum of the agent.conf file.

Note

Linux systems generally use md5sum, but other systems may use md5 as the name of the application to check the hash of the file.

To restart the agent:

# /var/ossec/bin/agent_control -R 200
								(where 200 is the agent id)

 

OSSEC HIDS agent_control: Restarting agent: 200
Exit mobile version