I am working with UNIX agents and Windows agents. The question I have is: what is the extent of the centralized management of the integrity checking component, rootkit detection component, and log collector component on each agent?

For example, I don't see a file on the server where I can set and push the various ossec.conf options for the UNIX agent or Windows agent, including folder exclusions for integrity checking and security event log sources to pull events from (e.g. how to change from the default and whether server-based updates are possible). To elaborate, what if I only wanted to receive logs from the local Security log on the Windows agent (by default, the ossec.conf file is set to pull from Application, System, and Security)? Can I push that policy from the server instead of manually updating each server/file? If so, where is that centrally managed file and command located, and how do I make the update?

Overall, I'm just trying to see what needs to be updated manually versus on the server, and how, given these scenarios:

1. Integrity check config/updates (centrally managed or decentralized/local per host?)
   - Is it possible given the UNIX agent (if so, where's the file on the server and where's the update command on the server)?
   - Is it possible given the Windows agent (same questions as above)?
2. Rootkit check config/updates (centrally managed or decentralized/local per host?)
   - Is it possible given the UNIX agent (if so, where's the file on the server and where's the update command on the server)?
   - Is it possible given the Windows agent (same questions as above)?
3. Local log config/updates (centrally managed or decentralized/local per host?)
   - Is it possible given the UNIX agent (if so, where's the file on the server and where's the update command on the server)?
   - Is it possible given the Windows agent (same questions as above)?

Thanks!
[email protected]
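
As an added example (not part of the question above, and not OSSEC's own shipped configuration), this is what a manager-side shared configuration covering all three components asked about looks like. In OSSEC the centrally managed file is /var/ossec/etc/shared/agent.conf on the manager; ossec-remoted pushes it to every agent, and each agent applies only the agent_config blocks whose os="...", name="..." or profile="..." attribute matches it. The directories, ignore patterns and log sources inside the blocks are assumed placeholders chosen for illustration.

```xml
<!-- /var/ossec/etc/shared/agent.conf on the OSSEC manager (added example) -->
<!-- Each agent_config block is applied only to agents matching its os/name/profile -->

<!-- Applies to every Windows agent -->
<agent_config os="Windows">
  <!-- Log collector: pull the Security event log.
       agent.conf entries are merged with the agent's local ossec.conf, so
       Application/System entries already present locally keep being collected. -->
  <localfile>
    <location>Security</location>
    <log_format>eventlog</log_format>
  </localfile>

  <!-- Integrity checking (syscheck): extra directories and folder exclusions.
       Paths below are placeholders, not OSSEC defaults. -->
  <syscheck>
    <frequency>43200</frequency>
    <directories check_all="yes">C:\inetpub\wwwroot</directories>
    <ignore>C:\inetpub\logs</ignore>
    <ignore type="sregex">.log$|.tmp$</ignore>
  </syscheck>

  <!-- Rootkit/policy checks (rootcheck): check files live in the agent's
       shared/ directory, which the manager keeps in sync from its own shared/ -->
  <rootcheck>
    <windows_audit>./shared/win_audit_rcl.txt</windows_audit>
    <windows_apps>./shared/win_applications_rcl.txt</windows_apps>
    <windows_malware>./shared/win_malware_rcl.txt</windows_malware>
  </rootcheck>
</agent_config>

<!-- Applies to every Linux agent (os= is matched against the agent's uname string) -->
<agent_config os="Linux">
  <localfile>
    <location>/var/log/secure</location>
    <log_format>syslog</log_format>
  </localfile>

  <syscheck>
    <frequency>43200</frequency>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <ignore>/etc/mtab</ignore>
    <ignore type="sregex">^/var/cache</ignore>
  </syscheck>

  <rootcheck>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
    <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
  </rootcheck>
</agent_config>
```

Two things a practitioner should check before relying on this. First, agent.conf can only add configuration on top of the agent's local ossec.conf; it cannot remove a localfile, directories or ignore entry that the local file already defines, so "Security only" on Windows still requires deleting the Application and System localfile blocks from each agent's own ossec.conf (agent.conf then keeps the Security entry consistent everywhere). Second, validate the file with /var/ossec/bin/verify-agent-conf before deploying it, and restart the agents so the pushed configuration is read: /var/ossec/bin/agent_control -R -a restarts all connected agents, or -R -u <id> restarts one. A name="host" block can be added to target a single agent by its registered agent name when one host needs an exception.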
