This agent component can read flat log files and Windows events, collecting operating system and application log messages. It does support XPath filters for Windows events and recognizes multi-line formats (e.g. Linux Audit logs). It can also enrich JSON events with additional metadata.
Configure it in ossec.conf (agent) or agent.conf (manager):
<localfile>
  <log_format>json</log_format>
  <location>/test/json_log</location>
</localfile>
log_format: syslog, json, full_command, etc. (see log_format for the full list).
location examples:
/var/log/*.log
C:\Windows\app\log-%y-%m-%d.log
%SystemDrive%\inetpub\logs\LogFiles\W3SVC1\u_ex%y%m%d.log
Forwarding to a socket is used together with a <socket>...</socket> definition.

Agents can run authorized commands periodically, collecting their output and reporting it back to the Wazuh server for further analysis. This module can be used to meet different purposes (e.g. monitoring hard disk space left, getting a list of last logged in users, etc.).
On the agent side, add wazuh_command.remote_commands=1 to /var/ossec/etc/local_internal_options.conf.
On the manager/agent side, configure it in ossec.conf (agent) or agent.conf (manager):
<localfile>
  <log_format>full_command</log_format>
  <command>.....</command>
  <frequency>120</frequency>
</localfile>
This module monitors the file system, reporting when files are created, deleted, or modified. It keeps track of file attributes, permissions, ownership, and content. When an event occurs, it captures who, what, and when details in real time. Additionally, this module builds and maintains a database with the state of the monitored files, allowing queries to be run remotely.
Configure it in ossec.conf or agent.conf:
<syscheck>
  <frequency>36000</frequency>
  <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
  ...
</syscheck>
Option notes: directories can be listed separated by commas (,) or on multiple lines (multiple directories tags); the scan time can be given to the minute (e.g. 8:30) or to the hour (e.g. 9pm); the scan day is given as a weekday name (e.g. thursday).
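As an added example (not from the original page or from the Wazuh project), a small Python linter over a constructed agent configuration: it parses the localfile and syscheck blocks of the kind shown above and flags command-monitoring entries that stay inert because wazuh_command.remote_commands=1 is missing from local_internal_options.conf, as well as a syscheck block with no directories. The sample configuration and options file are constructed for the example.

```python
import xml.etree.ElementTree as ET
# Constructed sample agent configuration, modelled on the blocks above.
SAMPLE_CONF = """
<ossec_config>
  <localfile>
    <log_format>full_command</log_format>
    <command>df -P</command>
    <frequency>120</frequency>
  </localfile>
</ossec_config>
<ossec_config>
  <syscheck>
    <frequency>36000</frequency>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
  </syscheck>
</ossec_config>
"""

# Constructed local_internal_options.conf with remote commands left disabled.
SAMPLE_INTERNAL_OPTIONS = "wazuh_command.remote_commands=0\n"

def parse_ossec_conf(text):
    # ossec.conf/agent.conf may hold several top-level <ossec_config> blocks,
    # which is not well-formed XML; wrap them in a synthetic root first.
    return ET.fromstring("<root>" + text + "</root>")

def internal_options(text):
    # key=value lines; lines starting with '#' are comments.
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            opts[key.strip()] = value.strip()
    return opts

def lint(conf_text, options_text):
    root = parse_ossec_conf(conf_text)
    opts = internal_options(options_text)
    findings = []
    cmd_blocks = [lf for lf in root.iter("localfile")
                  if lf.findtext("log_format") in ("command", "full_command")]
    # Command output is only collected when the agent explicitly allows it.
    if cmd_blocks and opts.get("wazuh_command.remote_commands") != "1":
        findings.append("remote_commands_disabled")
    for sc in root.iter("syscheck"):
        if sc.find("directories") is None:
            findings.append("syscheck_no_directories")
    return findings
```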
This component provides continuous configuration assessment, utilizing out-of-the-box checks based on the Center for Internet Security (CIS) benchmarks. Users can also create their own SCA checks to monitor and enforce their security policies.
<sca>
  <enabled>yes</enabled>
  <scan_on_start>yes</scan_on_start>
  <interval>12h</interval>
  <skip_nfs>yes</skip_nfs>
</sca>
This agent module periodically runs scans, collecting inventory data such as operating system version, network interfaces, running processes, installed applications, and a list of open ports. Scan results are stored into local SQLite databases that can be queried remotely.
Using a non-signature based approach, this component is capable of detecting anomalies and possible presence of rootkits. Monitoring system calls, it looks for hidden processes, hidden files, and hidden ports.
This agent module is integrated with the Docker Engine API in order to monitor changes in a containerized environment. For example, it detects changes to container images, network configuration, or data volumes. Besides, it alerts on containers running in privileged mode and on users executing commands in a running container.
This component monitors cloud providers such as Amazon AWS, Microsoft Azure, or Google GCP. It natively communicates with their APIs. It is capable of detecting changes to the cloud infrastructure (e.g. a new user is created, a security group is modified, a cloud instance is stopped, etc.), and collecting cloud services log data (e.g. AWS Cloudtrail, AWS Macie, AWS GuardDuty, Azure Active Directory, etc.).
Modify the configuration:
vim /var/ossec/etc/ossec.conf
Set the <address> inside the <server> tag to the manager's IP:
<ossec_config>
  <client>
    <server>
      <address>${manager_ip}</address>
      <port>1514</port>
      <protocol>tcp</protocol>
...
Authenticate (register the agent with the manager):
/var/ossec/bin/agent-auth -m ${manager_ip} -p ${manager_port} -A ${agent_name}
Restart:
/var/ossec/bin/ossec-control restart
Agent configuration file paths:
/var/ossec/etc/ossec.conf
C:\Program Files (x86)\ossec-agent\ossec.conf
Remote group-based management of agents.
This feature must be enabled on the agent side: add wazuh_command.remote_commands=1 to the agent's /var/ossec/etc/local_internal_options.conf file.
The shared per-group configuration lives in /var/ossec/etc/shared/*/agent.conf.
Copyright © 2003-2013 www.wpsshop.cn 版权所有,并保留所有权利。