Hi Richard,

Most of the ossec configuration is done at the server side, so there is little to "push" to the agents. The only things that the agents keep on their own are the ossec.conf, the authentication keys and the rootkit definition that is updated dynamically by the server (look at /var/ossec/etc/shared).

Regarding the log analysis signature updates, we generally release them with each new release (+- every 2 months), and you only need to update them on the server. However, we are working on some form of dynamic update for them ...

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net

On 3/30/07, Ginski, Richard J <[EMAIL PROTECTED]> wrote:
Hi All,

We are very new to the OSSEC environment. After scanning the archives, I couldn't find how people are administering several instances of OSSEC in their environment.

For example, if you had 50-100 systems monitored/protected by OSSEC agents, how do you configure the OSSEC server to push 1 policy/configuration to 50-100 agents? Or how do you make changes to a policy on the server that would modify the configurations for a group of agents, but not all of the agents? It seems the relationship is 1:1 (you have to push changes to each agent individually), but being new to OSSEC, I'm sure I'm missing something.

Also, are there signatures that get updated? If so, how often do they get updated and do they have to be applied individually?

TIA
