Centralized agent configuration

If you have wanted to configure your agents remotely, you will be happy to know that this is now supported. For now, centralized configuration is available for file integrity checking (syscheckd), rootkit detection (rootcheck) and log analysis.

This is how it works.

Create the file /var/ossec/etc/shared/agent.conf

Inside the file you can configure the agent just as you normally would in ossec.conf:

<agent_config>
  <localfile>
    <location>/var/log/my.log</location>
    <log_format>syslog</log_format>
  </localfile>
</agent_config>

But you have a few more options. You can restrict the config by agent name or by operating system:

<agent_config name="agent1|agent2">
  <localfile>
    <location>/var/log/my.log</location>
    <log_format>syslog</log_format>
  </localfile>
</agent_config>

<agent_config os="Linux|OpenBSD">
  <localfile>
    <location>/var/log/my.log2</location>
    <log_format>syslog</log_format>
  </localfile>
</agent_config>

<agent_config os="Windows">
  <localfile>
    <location>C:\myapp\my.log</location>
    <log_format>syslog</log_format>
  </localfile>
</agent_config>

Only the matching agents will read each block, which gives you fine-grained control over the configuration pushed to your agents.

After you have configured it, the manager will push the file to the agents. Note that this can take a while to complete, since the manager caches the shared files and only re-reads them every few hours. If you restart the manager, the configuration will be pushed much more quickly.
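
Because one agent.conf is pushed to every agent, it is worth checking the file before the manager distributes it. The script below is an added example, not part of OSSEC or of the original post: it checks that the file is well-formed XML (pasted curly quotes around name/os values fail this check) and lists which monitored files a given agent would pick up. The matching rules it uses ("a|b" means either value, exact agent names, OS matched as a substring of the OS string the agent reports) are assumptions, as are the function names and the sample data.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the blocks in this post (log_format omitted
# for brevity; the name-restricted block uses a different path so that each
# block is distinguishable in the output).
SAMPLE = r"""
<agent_config>
  <localfile><location>/var/log/my.log</location></localfile>
</agent_config>
<agent_config name="agent1|agent2">
  <localfile><location>/var/log/app.log</location></localfile>
</agent_config>
<agent_config os="Linux|OpenBSD">
  <localfile><location>/var/log/my.log2</location></localfile>
</agent_config>
<agent_config os="Windows">
  <localfile><location>C:\myapp\my.log</location></localfile>
</agent_config>
"""

def parse_blocks(text):
    """Return the <agent_config> elements; raises ET.ParseError if malformed."""
    # agent.conf has several top-level elements, so wrap them in a synthetic
    # root before handing the text to a standard XML parser.
    return ET.fromstring("<root>" + text + "</root>").findall("agent_config")

def is_well_formed(text):
    try:
        parse_blocks(text)
        return True
    except ET.ParseError:
        return False

def monitored_files(text, agent_name, agent_os):
    """List the <location> values an agent with this name and OS would read."""
    files = []
    for block in parse_blocks(text):
        name, os_attr = block.get("name"), block.get("os")
        # Assumption: "a|b" means "a or b"; names compare exactly, OS values
        # as substrings of the OS string the agent reports.
        if name is not None and agent_name not in name.split("|"):
            continue
        if os_attr is not None and not any(o in agent_os for o in os_attr.split("|")):
            continue
        files += [loc.text.strip() for loc in block.iter("location")]
    return files

if __name__ == "__main__":
    print(monitored_files(SAMPLE, "agent1", "Linux 5.10 x86_64"))
    print(monitored_files(SAMPLE, "web9", "Microsoft Windows Server 2019"))
    print(is_well_formed("<agent_config name=\u201dagent1\u2033></agent_config>"))
```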
