Greetings,

We are using the RPM version of ossec-hids (version 2.3-2.el5.art) in a
server/agent installation environment.  Everything is working fine so far;
however, we now have a need to add another server, and I need to specify rules
and actions that are specific to that one server.  I've done some
research on the shared agent.conf file, where you can look at files based
on the agent.  My question is: can you also specify the rules this agent uses
and the actions?  In other words:

<agent_config name="some_agent_name">
    <rules>
        <include>rule_file_name1</include>
        <include>rule_file_name2</include>
    </rules>
    <localfile>
        <log_format>syslog</log_format>
        <location>/var/log/secure</location>
    </localfile>
    <active-response>
        <command>host-deny</command>
        <location>local</location>
        <level>6</level>
        <timeout>600</timeout>
    </active-response>
</agent_config>

Barking up the wrong tree?  Any answers pro or con are appreciated.

Thanks,
Steven G. Spencer
