
I added FIM realtime configuration in the Wazuh manager ossec.conf and restarted it with the command "systemctl restart wazuh-agent". I tried to add new files on both the Wazuh manager server and one of the Wazuh agent servers, but the FIM only detected the new file added on the Wazuh manager server, not the one on the Wazuh agent server.

doremi666

1 Answer

The ossec.conf file is a local configuration file that only affects the machine that it is running on.

Bear in mind that the Wazuh manager monitors itself, so, aside from determining how it will analyze events coming from all endpoints being monitored, the manager's ossec.conf also allows you to change what is going to be monitored on the manager as if it were an agent itself.

You may use Agent Groups (Relevant documentation can be found here) to append configuration to the monitored endpoints by adding additional items into a group's agent.conf file.

For example, by default all agents are part of the default group, so you may configure all agents to monitor the /critical-files folder by changing the /var/ossec/etc/shared/default/agent.conf file to be:

<agent_config>
  <syscheck>
    <directories>/critical-files</directories>
  </syscheck>
</agent_config>

Note that this will not replace the local configuration that by default monitors folders like /etc, /usr/bin, /bin, /sbin and /boot, unless the folder you specify in the centralized configuration is one of these.

In case of conflict the precedence makes it so the configuration shared through the agent groups will prevail over the local configuration.

JunCTionS