Hey Jason, unfortunately no. The /var/ossec/etc/shared directory contains parameters that also belong in the ossec.conf. This allows you to setup log collection, FIM directories, wodle modules, etc. and apply these settings to all wazuh agents in the group. To mass deploy the osquery.conf you could use Ansible, Chef or another remote deployment tool of your choice. Hope that helps and thanks for watching!

Hey Tom, Are you interested in monitoring network traffic, with something like an IDS/IPS device? If so, I really enjoy an Open Source tool called, Suricata. It can be set inline or receive packets via a span port. These results detail network flows as well as any network related events such as traffic to a command and control server, web application attacks, IP reputation and more. This tool integrates very well with Wazuh and ELK. I plan on covering Suricata and integrating it with Wazuh in future videos, but feel free to explore on your own! suricata.readthedocs.io/en/latest/what-is-suricata.html Thanks for watching!

@@taylorwalton_socfortress Thanks, yes I've been looking into Suricata. I'm struggling with aggregating the bytes sent and received, so essentially the sum of the below: data.flow.bytes_toclient data.flow.bytes_toserver It appears that these are strings and thus don't show under "Significant Terms" when "Sum" is selected within visualizations thus I'm not able to see the total or bytes sent and received between 2 IP addresses. I'm now wondering how to use Jupyter-Notebook to do this, but I think that's a big stretch. Anyhow, will wait for your video on Suricata in future, thanks for making this content - I really enjoy it!

If the osquery_result is being json outputted, install a wazuh_agent onto the fleet server and edit the ossec.conf file to contain this block /path/to/osquery_result json Hope that helps and thanks for watching!

@@taylorwalton_socfortress but how know the format ?