Changes

1,456 bytes added ,  14:11, 22 January 2018
m
update time stamp
Line 1: Line 1: −
=[[User:Mmccarn|Mmccarn]] ([[User talk:Mmccarn|talk]]) 16:33, 26 November 2017 (CET)=
+
=[[User:Mmccarn|Mmccarn]] ([[User talk:Mmccarn|talk]]) [[User:Mmccarn|Mmccarn]] ([[User talk:Mmccarn|talk]]) 13:10, 22 January 2018 (CET) =
 
==Wazuh==
 
==Wazuh==
 
===Repo===
 
===Repo===
 
  <nowiki>/sbin/e-smith/db yum_repositories set wazuh repository \
 
  <nowiki>/sbin/e-smith/db yum_repositories set wazuh repository \
Name 'CentOS-$releasever - Wazuh' \
+
Name 'Wazuh repository' \
BaseURL 'https://packages.wazuh.com/yum/el/$releasever/$basearch' \
+
BaseURL 'https://packages.wazuh.com/3.x/yum/' \
MirrorList 'http://mirrors.fedoraproject.org/mirrorlist?repo=epel-$releasever&arch=$basearch' \
   
EnableGroups no \
 
EnableGroups no \
 
GPGCheck yes \
 
GPGCheck yes \
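Review bot: GPGCheck yes is kept on both sides of this hunk, but no GPGKey property appears in it, so after BaseURL moves to https://packages.wazuh.com/3.x/yum/ yum has no trusted key to verify the Wazuh packages against and will either prompt to import one or refuse to install; add a GPGKey entry (assumed here to be the SME yum_repositories property for the key URL) pointing at the signing key Wazuh publishes on packages.wazuh.com, or import that key before running the install. Dropping the MirrorList line is the right call: it pointed at mirrors.fedoraproject.org/mirrorlist?repo=epel-$releasever, i.e. EPEL's mirror list, which would have sent yum to EPEL mirrors under the wazuh repo name rather than to Wazuh's own packages. The new Name 'Wazuh repository' also fixes the stale 'CentOS-$releasever - Wazuh' label.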
Line 11: Line 10:  
Visible no \
 
Visible no \
 
status disabled</nowiki>
 
status disabled</nowiki>
 +
 
===Agent Configuration===
 
===Agent Configuration===
The [https://documentation.wazuh.com/2.0/installation-guide/installing-wazuh-agent/wazuh_agent_rpm.html Wazuh Client Installation Instructions] say to use '''yum install wazuh-agent''', but this does not work...
+
[https://documentation.wazuh.com/current/installation-guide/installing-wazuh-agent/wazuh_agent_rpm.html Wazuh Client Installation Instructions]  
 +
 
 +
Wazuh 3.x installs correctly from the yum repository:
 +
yum --enablerepo=wazuh install wazuh-agent
 +
 
 +
Create the client account on the wazuh manager:
 +
/var/ossec/bin/agent-auth -m [ip.of.wazuh.server]
 +
 
 +
Replace "MANAGER_IP" with the IP address of the wazuh manager in this section of /var/ossec/etc/ossec.conf:
 +
<nowiki>...
 +
<client>
 +
    <server>
 +
      <address>MANAGER_IP</address>
 +
    </server>
 +
    <config-profile>rhel, rhel6</config-profile>
 +
</client>
 +
...
 +
</nowiki>
 +
 
 +
Start the agent
 +
/etc/init.d/wazuh-agent start
 +
 
 +
===SME Customizations===
 +
I added these instructions to /var/ossec/etc/ossec.conf:
 +
<nowiki>  <localfile>
 +
    <log_format>djb-multilog</log_format>
 +
    <location>/var/log/dovecot/current</location>
 +
  </localfile>
 +
 
 +
  <localfile>
 +
    <log_format>djb-multilog</log_format>
 +
    <location>/var/log/tinydns/current</location>
 +
  </localfile>
 +
  <localfile>
 +
    <log_format>djb-multilog</log_format>
 +
    <location>/var/log/dnscache/current</location>
 +
  </localfile>
 +
 
 +
  <localfile>
 +
    <log_format>command</log_format>
 +
    <command>grep -h logterse /var/log/*qpsmtpd/current</command>
 +
    <alias>s/qpsmtpd</alias>
 +
    <frequency>360</frequency>
 +
  </localfile>
 +
</nowiki>
    +
And this instruction to /var/ossec/etc/local_internal_options.conf:
 +
<nowiki># from https://documentation.wazuh.com/2.0/user-manual/reference/ossec-conf/localfile.html
 +
# 'it may not be permissible in all environments to allow the Wazuh manager to run
 +
#  arbitrary commands on agents in their root security context.'
 +
logcollector.remote_commands=1
 +
</nowiki>
    +
And restarted the agent using
 +
/etc/init.d/wazuh-agent restart
    
=Older=
 
=Older=
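Review bot: logcollector.remote_commands=1 in local_internal_options.conf is the part of this hunk that needs a second look: it is required for the <log_format>command</log_format> localfile above to run at all, but, as the quoted documentation says, it lets the manager push arbitrary commands to this agent in its root security context, so a compromised or misconfigured manager now has root command execution on this SME host; keep it only if the qpsmtpd grep is really needed and state that trade-off next to the setting. The command entry also has a logic problem: grep -h logterse /var/log/*qpsmtpd/current re-emits every matching line on each 360-second run, so the manager receives the whole file again every six minutes and alerts will duplicate; if shipping all qpsmtpd lines is acceptable, a <location> localfile with <log_format>djb-multilog</log_format>, like the dovecot/tinydns/dnscache entries above, avoids both the duplication and the need for remote_commands. Two smaller points: /var/ossec/bin/agent-auth -m [ip.of.wazuh.server] is run without a -P registration password, so enrolment depends entirely on how the manager's authd is configured; and the comment in the local_internal_options.conf snippet still cites the 2.0 documentation after the link in the Agent Configuration section was moved to /current/.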
