os_family localfiles

roles/wazuh/ansible-wazuh-agent/defaults/main.yml

@@ -93,7 +93,7 @@ wazuh_agent_config:
     ports_no: 'yes'
     processes: 'yes'
   cis_cat:
-    disable: 'no'
+    disable: 'yes'
     install_java: 'yes'
     timeout: 1800
     interval: '1d'
@@ -115,8 +115,7 @@ wazuh_agent_config:
       - 'nvd-year 2016'
       - 'autoupdate'
   localfiles:
-    - format: 'syslog'
+    debian:
-      location: '/var/ossec/logs/active-responses.log'
       - format: 'syslog'
         location: '/var/log/auth.log'
       - format: 'syslog'
@@ -125,6 +124,18 @@ wazuh_agent_config:
         location: '/var/log/dpkg.log'
       - format: 'syslog'
         location: '/var/log/kern.log'
+    centos:
+      - format: 'syslog'
+        location: '/var/log/messages'
+      - format: 'syslog'
+        location: '/var/log/secure'
+      - format: 'syslog' 
+        location: '/var/log/maillog'
+      - format: 'audit'
+        location: '/var/log/audit/audit.log'
+    common:
+      - format: 'syslog'
+        location: '/var/ossec/logs/active-responses.log'
       - format: 'command'
         command: 'df -P'
         frequency: '360'

roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2

@@ -87,13 +87,13 @@
   <syscheck>
     <disabled>no</disabled>
     {% if ansible_system == "Linux" %}
-    #<directories check_all="yes" realtime="yes" restrict="^/var/ossec/etc/shared/agent.conf$">/var/ossec/etc/shared</directories>
+<!--    #<directories check_all="yes" realtime="yes" restrict="^/var/ossec/etc/shared/agent.conf$">/var/ossec/etc/shared</directories> -->
     <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
     <directories check_all="yes">/bin,/sbin,/boot</directories>
     {% endif %}
 
     <auto_ignore>{{ wazuh_agent_config.syscheck.auto_ignore }}</auto_ignore>
-    #<alert_new_files>{{ wazuh_agent_config.syscheck.alert_new_files }}</alert_new_files>
+<!--    #<alert_new_files>{{ wazuh_agent_config.syscheck.alert_new_files }}</alert_new_files> -->
     <!-- Frequency that syscheck is executed -- default every 20 hours -->
     <frequency>{{ wazuh_agent_config.syscheck.frequency }}</frequency>
     <scan_on_start>{{ wazuh_agent_config.syscheck.scan_on_start }}</scan_on_start>
@@ -245,7 +245,7 @@
   {% endif %}
 
   <!-- Files to monitor (localfiles) -->
-    {% for localfile in wazuh_agent_config.localfiles %}
+    {% for localfile in wazuh_agent_config.localfiles.common %}
     <localfile>
         <log_format>{{ localfile.format }}</log_format>
     {% if localfile.format == 'command' or localfile.format == 'full_command' %}
@@ -257,4 +257,31 @@
     </localfile>
   {% endfor %}
 
+    {% if ansible_os_family == "Debian" %}
+    {% for localfile in wazuh_agent_config.localfiles.debian %}
+    <localfile>
+        <log_format>{{ localfile.format }}</log_format>
+    {% if localfile.format == 'command' or localfile.format == 'full_command' %}
+        <command>{{ localfile.command }}</command>
+        <frequency>{{ localfile.frequency }}</frequency>
+    {% else %}
+        <location>{{ localfile.location }}</location>
+    {% endif %}
+    </localfile>
+  {% endfor %}
+  {% endif %}
+
+    {% if ansible_os_family == "RedHat" %}
+    {% for localfile in wazuh_agent_config.localfiles.centos %}
+    <localfile>
+        <log_format>{{ localfile.format }}</log_format>
+    {% if localfile.format == 'command' or localfile.format == 'full_command' %}
+        <command>{{ localfile.command }}</command>
+        <frequency>{{ localfile.frequency }}</frequency>
+    {% else %}
+        <location>{{ localfile.location }}</location>
+    {% endif %}
+    </localfile>
+  {% endfor %}
+  {% endif %}
 </ossec_config>

roles/wazuh/ansible-wazuh-manager/defaults/main.yml

@@ -181,6 +181,7 @@ wazuh_manager_config:
   log_level: 1
   email_level: 12
   localfiles:
+    common:
        - format: 'command'
          command: 'df -P'
          frequency: '360'
@@ -190,9 +191,9 @@ wazuh_manager_config:
          frequency: '360'
        - format: 'full_command'
          command: 'last -n 20'
-      frequency: '360'
        - format: 'syslog'
          location: '/var/ossec/logs/active-responses.log'
+    debian:
        - format: 'syslog'
          location: '/var/log/auth.log'
        - format: 'syslog'
@@ -201,6 +202,15 @@ wazuh_manager_config:
          location: '/var/log/dpkg.log'
        - format: 'syslog'
          location: '/var/log/kern.log'
+    centos:
+       - format: 'syslog'
+         location: '/var/log/messages'
+       - format: 'syslog'
+         location: '/var/log/secure'
+       - format: 'syslog'
+         location: '/var/log/maillog'
+       - format: 'audit'
+         location: '/var/log/audit/audit.log'
   globals:
     - '127.0.0.1'
     - '192.168.2.1'
@@ -209,10 +219,10 @@ wazuh_manager_config:
       executable: 'disable-account.sh'
       expect: 'user'
       timeout_allowed: 'yes'
-    - name: 'restart-ossec'
+    #- name: 'restart-ossec'
-      executable: 'restart-ossec.sh'
+    #  executable: 'restart-ossec.sh'
-      expect: ''
+    #  expect: ''
-      timeout_allowed: 'no'
+    #  timeout_allowed: 'no'
     - name: 'win_restart-ossec'
       executable: 'restart-ossec.cmd'
       expect: ''

roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2

@@ -398,7 +398,7 @@
 {% endif %}
 
 
-  <!-- Active Response Config -->
+  <!-- Active Response Config 
 {% for response in wazuh_manager_config.active_responses %}
   <active-response>
     <disabled>{% if response.disabled is defined %}{{ response.disabled }}{% else %}no{% endif %}</disabled>
@@ -412,9 +412,10 @@
     {%if response.repeated_offenders is defined %}<repeated_offenders>{{ response.repeated_offenders }}</repeated_offenders>{% endif %}
   </active-response>
 {% endfor %}
+-->
 
   <!-- Files to monitor (localfiles) -->
-{% for localfile in wazuh_manager_config.localfiles %}
+{% for localfile in wazuh_manager_config.localfiles.common %}
   <localfile>
      <log_format>{{ localfile.format }}</log_format>
      {% if localfile.format == 'command' or localfile.format == 'full_command' %}
@@ -450,6 +451,82 @@
   </localfile>
 {% endfor %}
 
+{% if ansible_os_family == "Debian" %}
+{% for localfile in wazuh_manager_config.localfiles.debian %}
+  <localfile>
+     <log_format>{{ localfile.format }}</log_format>
+     {% if localfile.format == 'command' or localfile.format == 'full_command' %}
+     <command>{{ localfile.command }}</command>
+     {% if localfile.alias is defined %}
+     <alias>{{ localfile.alias }}</alias>
+     {% endif %}
+     {% if localfile.frequency is defined %}
+     <frequency>{{ localfile.frequency }}</frequency>
+     {% endif %}
+     {% else %}
+     <location>{{ localfile.location }}</location>
+     {% if localfile.format == 'eventchannel' %}
+     {% if localfile.only_future_events is defined %}
+     <only-future-events>{{ localfile.only_future_events }}</only_future_events>
+     {% endif %}
+     {% if localfile.query is defined %}
+     <query>{{ localfile.query }}</query>
+     {% endif %}
+     {% endif %}
+     {% endif %}
+     {% if localfile.format == 'json' and localfile.labels is defined %}
+     {% for key, value in localfile.labels.iteritems() %}
+     <label key="{{ key }}">{{ value }}</label>
+     {% endfor %}
+     {% endif %}
+     {% if localfile.target is defined %}
+     <target>{{ localfile.target }}</target>
+     {% endif %}
+     {% if localfile.out_format is defined %}
+     <out_format>{{ localfile.out_format }}</out_format>
+     {% endif %}
+  </localfile>
+{% endfor %}
+{% endif %}
+
+{% if ansible_os_family == "RedHat" %}  
+{% for localfile in wazuh_manager_config.localfiles.centos %}
+  <localfile>
+     <log_format>{{ localfile.format }}</log_format>
+     {% if localfile.format == 'command' or localfile.format == 'full_command' %}
+     <command>{{ localfile.command }}</command>
+     {% if localfile.alias is defined %}
+     <alias>{{ localfile.alias }}</alias>
+     {% endif %}
+     {% if localfile.frequency is defined %}
+     <frequency>{{ localfile.frequency }}</frequency>
+     {% endif %}
+     {% else %}
+     <location>{{ localfile.location }}</location>
+     {% if localfile.format == 'eventchannel' %}
+     {% if localfile.only_future_events is defined %}
+     <only-future-events>{{ localfile.only_future_events }}</only_future_events>
+     {% endif %}
+     {% if localfile.query is defined %}
+     <query>{{ localfile.query }}</query>
+     {% endif %}
+     {% endif %}
+     {% endif %}
+     {% if localfile.format == 'json' and localfile.labels is defined %}
+     {% for key, value in localfile.labels.iteritems() %}
+     <label key="{{ key }}">{{ value }}</label>
+     {% endfor %}
+     {% endif %}
+     {% if localfile.target is defined %}
+     <target>{{ localfile.target }}</target>
+     {% endif %}
+     {% if localfile.out_format is defined %}
+     <out_format>{{ localfile.out_format }}</out_format>
+     {% endif %}
+  </localfile>
+{% endfor %}
+{% endif %}
+
 {% if wazuh_manager_config.syslog_outputs is defined %}
 {% for syslog_output in wazuh_manager_config.syslog_outputs %}
 {% if syslog_output.server is not none  %}