ossec / ossec-hids

OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.
http://www.ossec.net

Changing the default name of the syscheck agent files #1355

Closed GuillaumeOrlando closed 6 years ago

GuillaumeOrlando commented 6 years ago

Hi,

I am building a script for monitoring file integrity in multiple clusters of ossec agents, but I have some trouble with the names that are given by default to the agent files in the /var/ossec/queue/syscheck/ directory. By default, on the ossec server, it's something like '(Agent_Name) IP -> syscheck'. I need to change this for all of the new agents, but I didn't find where to do that ...

Ideally, the syscheck files should have the same name as the agents.

Any idea ?

Thanks 😄

ddpbsd commented 6 years ago

A guess off the top of my head, it would be somewhere in https://github.com/ossec/ossec-hids/blob/master/src/analysisd/decoders/syscheck.c

GuillaumeOrlando commented 6 years ago

Well, I managed to solve this with these lines of bash:

```bash
# $1 = agent name, $2 = new file name, $IPADDR = agent IP
if [ -e "/var/ossec/queue/syscheck/.(${1}) ${IPADDR}->syscheck.cpt" ]; then
    mv "/var/ossec/queue/syscheck/.(${1}) ${IPADDR}->syscheck.cpt" \
       "/var/ossec/queue/syscheck/.${2}"
fi
```

It's not as practical as I thought, but it works!
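The rename above covers only the hidden `.cpt` file for one agent. The following is an added example (not OSSEC project code and not the commenter's script) that generalizes it: it renames both the per-agent syscheck database file and its hidden `.cpt` companion, refuses to overwrite an existing target, and takes the queue directory as a parameter so it can be tried against a scratch directory before touching `/var/ossec`. It assumes the default name format quoted in the issue, `(AGENT_NAME) IP->syscheck` with a hidden `.(AGENT_NAME) IP->syscheck.cpt` beside it, and maps them to `NEW_NAME` and `.NEW_NAME` as the commenter did.

```shell
#!/bin/sh
# Added example, not from the OSSEC project. Renames the syscheck files that
# the server keeps per agent from the default
#   "(AGENT_NAME) IP->syscheck"        (database file)
#   ".(AGENT_NAME) IP->syscheck.cpt"   (hidden companion, as quoted in the issue)
# to NEW_NAME and .NEW_NAME. The directory is a parameter (assumption: the
# caller passes /var/ossec/queue/syscheck in production).
#
# rename_syscheck_files DIR AGENT_NAME IP NEW_NAME
# Exit status: 0 if at least one file was renamed, 1 if no source file
# existed, 2 if a target already exists (nothing is overwritten).
rename_syscheck_files() {
    dir=$1; agent=$2; ip=$3; newname=$4
    src_db="$dir/($agent) $ip->syscheck"
    src_cpt="$dir/.($agent) $ip->syscheck.cpt"
    dst_db="$dir/$newname"
    dst_cpt="$dir/.$newname"
    renamed=0

    # Never clobber: two agents mapped to the same new name would otherwise
    # silently lose one integrity baseline.
    for target in "$dst_db" "$dst_cpt"; do
        if [ -e "$target" ]; then
            printf 'refusing to overwrite %s\n' "$target" >&2
            return 2
        fi
    done

    # "--" ends option parsing, since the default names start with "(".
    if [ -e "$src_db" ]; then
        mv -- "$src_db" "$dst_db" && renamed=$((renamed + 1))
    fi
    if [ -e "$src_cpt" ]; then
        mv -- "$src_cpt" "$dst_cpt" && renamed=$((renamed + 1))
    fi

    [ "$renamed" -gt 0 ]
}

# Usage (production): rename_syscheck_files /var/ossec/queue/syscheck web01 10.0.0.5 web01
```

If, as ddpbsd suggests, the decoder in `src/analysisd/decoders/syscheck.c` derives the file name from the agent name and IP, a renamed file will no longer be the one the server updates for a live agent; in that case swap `mv` for `cp -p` and point the monitoring script at the copies, leaving OSSEC's working files untouched.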