Hi Jarvis,

Most of the options are configured centrally on the manager, but a few of them are still set locally on each agent. Rest inline...

On Wed, Mar 4, 2009 at 4:28 PM, Jarvis Robinson <[email protected]> wrote:
> For example, I don't see a file on the server where I can set and push the
> various ossec.conf options for the UNIX agent or Windows agent, including
> folder exclusions for integrity checking and security event log sources to
> pull events from (e.g. how to change from the default and whether
> server-based updates are possible).

The integrity checking exclusions can be set with the <ignore> option in the manager's ossec.conf. This will apply to all agents. You can also use local_rules, which you can apply to all or just some agents...

> 1. Integrity Check Config/Updates (centrally managed or decentrally/local per
> host?)

The files to check are specified locally on each agent, but the ones to ignore can be set in both places. To run updates, look at the agent_control and syscheck_control tools. They allow you to run the integrity checking immediately and ignore files.

> 2. Rootkit Check Config/Updates (centrally managed or decentrally/local per
> host?)

This is all set on the manager side. Look at the files inside /var/ossec/etc/shared.

> 3. Local Log Config/Updates (centrally managed or decentrally/local per host?)

The log files to monitor are specified locally on each agent. However, all the rules are set on the manager side.

> Thanks!
> [email protected]

For the next version we are adding the file agent.conf, where you will be able to set most of these options centrally.

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net
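As an added illustration of which file carries which of the settings described in this reply (not taken from the thread or from OSSEC's shipped configuration), here are three minimal ossec.conf fragments; the directory lists, ignore entries and log locations are assumed placeholders, not recommended values.

```xml
<!-- 1. Manager: /var/ossec/etc/ossec.conf
     <ignore> entries here apply to every agent reporting to this manager. -->
<ossec_config>
  <syscheck>
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/resolv.conf</ignore>
  </syscheck>
</ossec_config>

<!-- 2. UNIX agent: its own ossec.conf
     The set of directories to check and the log files to read are agent-local;
     an agent may add its own <ignore> entries on top of the manager's. -->
<ossec_config>
  <syscheck>
    <frequency>7200</frequency>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <ignore>/etc/hosts.deny</ignore>
  </syscheck>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>
</ossec_config>

<!-- 3. Windows agent: its own ossec.conf
     Event log sources (Security channel here) are also agent-local; the rules
     that evaluate the collected events live only on the manager. -->
<ossec_config>
  <syscheck>
    <directories check_all="yes">C:\Windows\System32\drivers\etc</directories>
  </syscheck>
  <localfile>
    <log_format>eventlog</log_format>
    <location>Security</location>
  </localfile>
</ossec_config>
```

Rootcheck signature files are not shown because, as noted above, they are managed entirely under /var/ossec/etc/shared on the manager.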
