
I have read about centralized configuration in Wazuh. But can the rules be enabled/disabled on the server instead of changing them on all servers?

Sravan

1 Answer


I found the answer here.

Within the OSSEC model, the agents have no information about rules whatsoever. So, if you need to modify a rule, you need to do it on the server side.

How do you do it? If you have a rule like that (from our FAQ):

```xml
<group name="local">
  <rule id="100101" level="0">
    <if_sid>123, 456</if_sid>
    <match>xyz</match>
    <description>Events ignored</description>
  </rule>
</group>
```

But you only want it to apply to one agent, you need to use the "hostname" tag to limit it to the agents you want:

```xml
<group name="local">
  <rule id="100101" level="0">
    <if_sid>123, 456</if_sid>
    <match>xyz</match>
    <hostname>agent1|agent2</hostname>
    <description>Events ignored</description>
  </rule>
</group>
```

Hope it helps.

*http://www.ossec.net/wiki/index.php/Know_How:Ignore_Rules

Sravan
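An added example, not part of the answer above or of the OSSEC wiki: a server-side audit that lists, for each level-0 (ignore) rule, which agents it silences. The function names, the second rule id (100102) and the agent list are constructed, and the matcher is a simplified model of OSSEC's simple patterns (`|` alternation, `^`/`$` anchors, otherwise a case-insensitive substring match), which is an assumption to verify against your version.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the two rule forms from the answer; the second id
# (100102) is made up so that both can live in the same file.
SAMPLE_RULES = """
<group name="local">
  <rule id="100101" level="0">
    <if_sid>123, 456</if_sid>
    <match>xyz</match>
    <description>Events ignored</description>
  </rule>
  <rule id="100102" level="0">
    <if_sid>123, 456</if_sid>
    <match>xyz</match>
    <hostname>agent1|agent2</hostname>
    <description>Events ignored</description>
  </rule>
</group>
"""

def sregex_match(pattern, text):
    """Simplified model (assumption) of OSSEC simple patterns: '|' separates
    alternatives, '^' and '$' anchor, anything else is a substring match."""
    for alt in pattern.split("|"):
        start, end = alt.startswith("^"), alt.endswith("$")
        core = re.escape(alt[start:len(alt) - end])
        if re.search(("^" if start else "") + core + (r"\Z" if end else ""), text, re.I):
            return True
    return False

def audit_ignore_rules(rules_xml, agents):
    """Return {rule_id: [agents whose events the level-0 rule can silence]}."""
    # Rule files may hold several top-level <group> elements, so wrap them.
    root = ET.fromstring("<root>" + rules_xml + "</root>")
    report = {}
    for rule in root.iter("rule"):
        if rule.get("level") != "0":
            continue
        host = rule.findtext("hostname")
        # Without <hostname> the rule is evaluated for events from every agent.
        report[rule.get("id")] = [a for a in agents
                                  if host is None or sregex_match(host.strip(), a)]
    return report

if __name__ == "__main__":
    for rid, hit in audit_ignore_rules(SAMPLE_RULES, ["agent1", "agent2", "agent10", "web01"]).items():
        print(rid, "->", hit)
```

Under this model the unanchored pattern `agent1|agent2` also covers `agent10`; anchoring it as `^agent1$|^agent2$` keeps the ignore rule limited to the two intended agents.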