Line 1: |
Line 1: |
− | =[[User:Mmccarn|Mmccarn]] ([[User talk:Mmccarn|talk]]) 16:33, 26 November 2017 (CET)= | + | =[[User:Mmccarn|Mmccarn]] ([[User talk:Mmccarn|talk]]) [[User:Mmccarn|Mmccarn]] ([[User talk:Mmccarn|talk]]) 13:10, 22 January 2018 (CET) = |
| ==Wazuh== | | ==Wazuh== |
| ===Repo=== | | ===Repo=== |
| <nowiki>/sbin/e-smith/db yum_repositories set wazuh repository \ | | <nowiki>/sbin/e-smith/db yum_repositories set wazuh repository \ |
− | Name 'CentOS-$releasever - Wazuh' \ | + | Name 'Wazuh repository' \ |
− | BaseURL 'https://packages.wazuh.com/yum/el/$releasever/$basearch' \ | + | BaseURL 'https://packages.wazuh.com/3.x/yum/' \ |
− | MirrorList 'http://mirrors.fedoraproject.org/mirrorlist?repo=epel-$releasever&arch=$basearch' \
| |
| EnableGroups no \ | | EnableGroups no \ |
| GPGCheck yes \ | | GPGCheck yes \ |
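Review bot: the new `BaseURL 'https://packages.wazuh.com/3.x/yum/'` correctly drops `$releasever`/`$basearch` and the stray EPEL MirrorList (one 3.x path serves every EL release), but the hunk leaves two gaps. First, `GPGCheck yes` only protects the install if the GPGKey property, which sits outside the lines shown, points at the Wazuh signing key, https://packages.wazuh.com/key/GPG-KEY-WAZUH; that line should be shown here rather than inherited from the old EPEL-shaped entry. Second, on SME Server `db yum_repositories set` only updates the configuration database; without a following `signal-event yum-modify` the yum repository file is not regenerated and the later `yum --enablerepo=wazuh` will not find a repository named `wazuh`.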
Line 11: |
Line 10: |
| Visible no \ | | Visible no \ |
| status disabled</nowiki> | | status disabled</nowiki> |
| + | |
| ===Agent Configuration=== | | ===Agent Configuration=== |
− | The [https://documentation.wazuh.com/2.0/installation-guide/installing-wazuh-agent/wazuh_agent_rpm.html Wazuh Client Installation Instructions] say to use '''yum install wazuh-agent''', but this does not work...
| + | [https://documentation.wazuh.com/current/installation-guide/installing-wazuh-agent/wazuh_agent_rpm.html Wazuh Client Installation Instructions] |
| + | |
| + | Wazuh 3.x installs correctly from the yum repository: |
| + | yum --enablerepo=wazuh install wazuh-agent |
| + | |
| + | Create the client account on the wazuh manager: |
| + | /var/ossec/bin/agent-auth -m [ip.of.wazuh.server] |
| + | |
| + | Replace "MANAGER_IP" with the IP address of the wazuh manager in this section of /var/ossec/etc/ossec.conf: |
| + | <nowiki>... |
| + | <client> |
| + | <server> |
| + | <address>MANAGER_IP</address> |
| + | </server> |
| + | <config-profile>rhel, rhel6</config-profile> |
| + | </client> |
| + | ... |
| + | </nowiki> |
| + | |
| + | Start the agent |
| + | /etc/init.d/wazuh-agent start |
| + | |
| + | ===SME Customizations=== |
| + | I added these instructions to /var/ossec/etc/ossec.conf: |
| + | <nowiki> <localfile> |
| + | <log_format>djb-multilog</log_format> |
| + | <location>/var/log/dovecot/current</location> |
| + | </localfile> |
| + | |
| + | <localfile> |
| + | <log_format>djb-multilog</log_format> |
| + | <location>/var/log/tinydns/current</location> |
| + | </localfile> |
| + | <localfile> |
| + | <log_format>djb-multilog</log_format> |
| + | <location>/var/log/dnscache/current</location> |
| + | </localfile> |
| + | |
| + | <localfile> |
| + | <log_format>command</log_format> |
| + | <command>grep -h logterse /var/log/*qpsmtpd/current</command> |
| + | <alias>s/qpsmtpd</alias> |
| + | <frequency>360</frequency> |
| + | </localfile> |
| + | </nowiki> |
| | | |
| + | And this instruction to /var/ossec/etc/local_internal_options.conf: |
| + | <nowiki># from https://documentation.wazuh.com/2.0/user-manual/reference/ossec-conf/localfile.html |
| + | # 'it may not be permissible in all environments to allow the Wazuh manager to run |
| + | # arbitrary commands on agents in their root security context.' |
| + | logcollector.remote_commands=1 |
| + | </nowiki> |
| | | |
| + | And restarted the agent using |
| + | /etc/init.d/wazuh-agent restart |
| | | |
| =Older= | | =Older= |
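Review bot: `logcollector.remote_commands=1` in /var/ossec/etc/local_internal_options.conf is not required for the `<command>` localfile added to the agent's own /var/ossec/etc/ossec.conf; that switch only governs `command` and `full_command` entries pushed from the manager's shared agent.conf, while entries in the local ossec.conf run regardless. Enabling it gives the manager, or whoever compromises it, arbitrary root command execution on this host, which is exactly the caveat quoted in the comment, so it should stay at 0 unless command collection is actually being centralized from the manager. On the command block itself, `<command>grep -h logterse /var/log/*qpsmtpd/current</command>` with `<frequency>360</frequency>` re-reads the whole file every cycle, and the command format emits one event per output line, so each logterse line already reported is reported again every six minutes; `-h` also strips the filename, so the qpsmtpd and sqpsmtpd logs matched by the glob become indistinguishable under the single `s/qpsmtpd` alias. A `djb-multilog` `<localfile>` on each `current` file, as already done for dovecot, tinydns and dnscache, avoids both problems. Finally, `agent-auth -m [ip.of.wazuh.server]` enrols through authd on TCP 1515 without any client authentication unless the manager has `use_password` enabled; the page should recommend enabling it and passing the shared secret with `-P`, and should add a check that /var/ossec/etc/client.keys is non-empty before the agent is started.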