Changes

822 bytes added ,  14:11, 22 January 2018
m
update time stamp
Line 1: Line 1: −
=[[User:Mmccarn|Mmccarn]] ([[User talk:Mmccarn|talk]]) 16:33, 26 November 2017 (CET)=
+
=[[User:Mmccarn|Mmccarn]] ([[User talk:Mmccarn|talk]]) [[User:Mmccarn|Mmccarn]] ([[User talk:Mmccarn|talk]]) 13:10, 22 January 2018 (CET) =
 
==Wazuh==
 
==Wazuh==
 
===Repo===
 
===Repo===
 
  <nowiki>/sbin/e-smith/db yum_repositories set wazuh repository \
 
  <nowiki>/sbin/e-smith/db yum_repositories set wazuh repository \
Name 'CentOS-$releasever - Wazuh' \
+
Name 'Wazuh repository' \
BaseURL 'https://packages.wazuh.com/yum/el/$releasever/$basearch' \
+
BaseURL 'https://packages.wazuh.com/3.x/yum/' \
MirrorList 'http://mirrors.fedoraproject.org/mirrorlist?repo=epel-$releasever&arch=$basearch' \
   
EnableGroups no \
 
EnableGroups no \
 
GPGCheck yes \
 
GPGCheck yes \
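Review bot: the MirrorList line carried unchanged through this hunk still points at the EPEL mirror list (mirrors.fedoraproject.org/mirrorlist?repo=epel-$releasever&arch=$basearch), which has nothing to do with Wazuh and looks like a leftover from the repo definition this was copied from; yum will consult those mirrors for the "wazuh" repo, so drop the MirrorList property and rely on the new BaseURL alone. Also, GPGCheck yes is set but no GPGKey property appears anywhere in the definition, so the signature check has no trusted key to verify against; add the key Wazuh publishes for its repository (https://packages.wazuh.com/key/GPG-KEY-WAZUH) so that GPGCheck actually protects the install.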
Line 11: Line 10:  
Visible no \
 
Visible no \
 
status disabled</nowiki>
 
status disabled</nowiki>
 +
 
===Agent Configuration===
 
===Agent Configuration===
The [https://documentation.wazuh.com/2.0/installation-guide/installing-wazuh-agent/wazuh_agent_rpm.html Wazuh Client Installation Instructions] say to use '''yum install wazuh-agent''' (which, since the repo created above is disabled by default, would need to be '''yum --enablerepo=wazuh install wazuh-agent''' on a SME server), but this does not work...
+
[https://documentation.wazuh.com/current/installation-guide/installing-wazuh-agent/wazuh_agent_rpm.html Wazuh Client Installation Instructions]  
   −
Instead, I had to download the rpm and do use localinstall
+
Wazuh 3.x installs correctly from the yum repository:
  <nowiki>mkdir -p ~/wazuh
+
  yum --enablerepo=wazuh install wazuh-agent
cd ~/wazuh
+
 
wget https://packages.wazuh.com/yum/rhel/6Server/x86_64/wazuh-agent-2.0.1-1.rhel6.x86_64.rpm
+
Create the client account on the wazuh manager:
yum --enablerepo=wazuh localinstall wazuh-agent-2.0.1-1.rhel6.x86_64.rpm
+
/var/ossec/bin/agent-auth -m [ip.of.wazuh.server]
/var/ossec/bin/agent-auth -m <Ip.of.wazuh.srvr>
+
 
 +
Replace "MANAGER_IP" with the IP address of the wazuh manager in this section of /var/ossec/etc/ossec.conf:
 +
<nowiki>...
 +
<client>
 +
    <server>
 +
      <address>MANAGER_IP</address>
 +
    </server>
 +
    <config-profile>rhel, rhel6</config-profile>
 +
</client>
 +
...
 
</nowiki>
 
</nowiki>
   −
You also need to enter "Ip.of.wazuh.srvr" into <server-ip>...</server-ip> in this file:
+
Start the agent
  /var/ossec/etc/ossec.conf
+
  /etc/init.d/wazuh-agent start
   −
Then start the agent
+
===SME Customizations===
/etc/init.d/wazuh-agent start
+
I added these instructions to /var/ossec/etc/ossec.conf:
 +
<nowiki>  <localfile>
 +
    <log_format>djb-multilog</log_format>
 +
    <location>/var/log/dovecot/current</location>
 +
  </localfile>
 +
 
 +
  <localfile>
 +
    <log_format>djb-multilog</log_format>
 +
    <location>/var/log/tinydns/current</location>
 +
  </localfile>
 +
  <localfile>
 +
    <log_format>djb-multilog</log_format>
 +
    <location>/var/log/dnscache/current</location>
 +
  </localfile>
 +
 
 +
  <localfile>
 +
    <log_format>command</log_format>
 +
    <command>grep -h logterse /var/log/*qpsmtpd/current</command>
 +
    <alias>s/qpsmtpd</alias>
 +
    <frequency>360</frequency>
 +
  </localfile>
 +
</nowiki>
    +
And this instruction to /var/ossec/etc/local_internal_options.conf:
 +
<nowiki># from https://documentation.wazuh.com/2.0/user-manual/reference/ossec-conf/localfile.html
 +
# 'it may not be permissible in all environments to allow the Wazuh manager to run
 +
#  arbitrary commands on agents in their root security context.'
 +
logcollector.remote_commands=1
 +
</nowiki>
    +
And restarted the agent using
 +
/etc/init.d/wazuh-agent restart
    
=Older=
 
=Older=
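Review bot: the logcollector.remote_commands=1 line added to local_internal_options.conf is not needed for the grep command defined locally in ossec.conf; that option only governs command entries pushed from the manager through agent.conf, and the very quote pasted above it explains why enabling it is a risk, so leave it at its default unless commands really are delivered from the manager. Separately, the command entry greps the whole qpsmtpd log every 360 seconds, so every matching logterse line is resent on each run and will produce duplicate alerts; a djb-multilog localfile on that log, as already done for dovecot and tinydns, would only read new lines. Finally, the agent-auth enrollment shown passes no authd password; if the manager requires one it must be supplied with -P, and if it does not, enabling one on the manager is the usual way to keep enrollment from being open to any host that can reach it.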
