-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Fred wrote:
> Message
> Hi everyone,
>
> I have some more questions with OSSEC... (which I try to deploy on
> 14 servers in a complex network).
>
> Now that configuration files seem correctly parsed (was another
> subject), I don't receive any more alert email...? So here are my
> questions:
>
> - how to be sure that agents connect with OSSEC Server ? (forget
> sniffers like Ethereal, that's forbidden).

What about tcpdump or snoop (Solaris)? These utilities are usually
installed by default, depending on which *nix you're using. Traffic
from agent to server is UDP, so I don't believe that it will show up
in a netstat as having an "ESTABLISHED" connection. But, on the server
you should see that there is a UDP socket open.

> - checked localfiles change every day (with "%Y-%m-%d"). Does
> OSSEC Agent re-read (or re-parse) conf file as needed (so, in my
> case, every day) ?

AFAIK, you need to restart ossec if you make any changes to the config
file. But looking at the source, I *believe* the syscheckd reads its
own config file every time it goes to do a check.

> - if a localfile to check doesn't exist a day, but exists next
> day, will OSSEC check it, or should OSSEC Agent be restarted ?

It should get picked up, but may not alert depending on file location,
name, etc.

> - in Server conf file, what is the most "noisy" severity level:
> 1 or 16 ? I would say "16", like syslog severity level, but would
> like to be sure.

1 is the most "noisy", as in, will generate the most events. 16 is the
most severe. You can get more info from the Wiki here:
http://www.ossec.net/wiki/index.php/Know_How:Rules_Severity

>
> Many thanks !
>
> Fred
>
- --
gentux
echo "hfouvyyAhnbjm/dpn" | perl -pe 's/(.)/chr(ord($1)-1)/ge'
gentux's gpg fingerprint ==> 5495 0388 67FF 0B89 1239 D840 4CF0 39E2 18D3 4A9E
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFE6ja0TPA54hjTSp4RAiEOAKDLU00zOfyX6CWDhriUbizn+YM9bgCg3WVb
VfJQ+Cm9zzNBt33Ny5/Bkuw=
=WDyX
-----END PGP SIGNATURE-----
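The reply's suggestion of confirming agent-to-server connectivity by looking for an open UDP socket on the server, written out as an added example that is not part of the original thread. It assumes OSSEC's default agent port of 1514/udp and Linux-style `netstat -an` output; both are assumptions, so adjust the port to match your ossec.conf and the address pattern for Solaris, whose netstat prints local addresses as `*.1514`.

```shell
#!/bin/sh
# Added example, not code from the original thread.
# Assumption: the OSSEC server listens for agents on 1514/udp (default
# remoted port); override with OSSEC_PORT=... if your ossec.conf differs.
OSSEC_PORT="${OSSEC_PORT:-1514}"

# Constructed sample of Linux `netstat -an` output, used for the offline
# demonstration below. One UDP socket is bound to 1514 (the OSSEC port).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:1514            0.0.0.0:*
udp        0      0 127.0.0.1:123           0.0.0.0:*'

# udp_socket_open PORT  (reads netstat output on stdin)
# Prints "open" and returns 0 when a UDP socket is bound to PORT, otherwise
# prints "closed" and returns 1. Because agent traffic is UDP there is no
# ESTABLISHED state to look for; a bound socket is the evidence we have.
udp_socket_open() {
  port="$1"
  if awk -v p="$port" '
        $1 ~ /^udp/ && $4 ~ (":" p "$") { found = 1 }
        END { exit found ? 0 : 1 }'; then
    echo open
    return 0
  else
    echo closed
    return 1
  fi
}

# check_server_socket: run the check against the live system (Linux netstat).
check_server_socket() {
  netstat -an 2>/dev/null | udp_socket_open "$OSSEC_PORT"
}

# To watch the datagrams themselves arrive from an agent, the equivalent
# packet-capture check (tcpdump, as the reply suggests) would be:
#   tcpdump -n -i any udp port "$OSSEC_PORT"

# Demonstration on the constructed sample (prints "open"):
printf '%s\n' "$SAMPLE_NETSTAT" | udp_socket_open "$OSSEC_PORT"
```

On a real server, `check_server_socket` tells you only that the server side is ready to receive; pairing it with the tcpdump line above, or with the agent's own log, is what shows the agent actually sending.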
