I have all of my agents online now. The process is less optimal than I
would like, but I suppose it will work for now.
Coolio
I have a few questions about how this all works now. I know the
information in the agent.conf file is sent to the remote systems and
used after a restart of the remote. In fact, I have set up the remote
systems with a very sparse ossec.conf containing only the IP of the
management system, which seems to be working.
Good plan; that's how I ran most of my agents.
What about other data? Is the decoder.xml or rootkit files sent to the
remotes? Or must I keep those in sync manually? Does it hurt to
aggregate every version of decoder I need into a single file and
distribute it to all hosts? (What I mean is, a single file instead of
unique ones for each host, depending on what the host is/does)
decoder.xml is only used on the central OSSEC server. This is where logs
are parsed, cut and worked with.
rootkit files should be in /var/ossec/etc/shared/; anything in that dir
is sent to agents for you, so you will not need to sync them yourself. Just
note that changes take time.
--
Jeremy Rossi
e: look at the headers people
t: http://twitter.com/jrossi
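As an added illustration of the centralized setup discussed in the thread (this is example configuration, not a file from the poster or from the OSSEC project), here is an agent.conf for the manager's /var/ossec/etc/shared/ directory. It uses the documented agent_config attributes to answer the "one file for every host" question: the unattributed block applies to all agents, the os="Linux" block only to Linux agents, and the name="web01" block only to the agent registered under that name (web01, the log paths and the 7200-second frequency are assumed values). The rootcheck entries point at the agent-side copies of the rootkit files that the manager pushes from the same shared directory, so nothing has to be synced by hand.

```xml
<!-- /var/ossec/etc/shared/agent.conf on the manager (example, not project code).
     Pushed to every agent along with the other files in /var/ossec/etc/shared/;
     agents apply it after their next restart, and propagation is not instant. -->

<!-- Applies to every agent: no name/os attribute. -->
<agent_config>
  <rootcheck>
    <!-- These paths are the agent-side copies of the shared files the manager distributes. -->
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
  </rootcheck>
  <syscheck>
    <!-- 7200 s is an assumed interval, not a recommendation. -->
    <frequency>7200</frequency>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
  </syscheck>
</agent_config>

<!-- Applies only to agents whose reported OS string matches "Linux". -->
<agent_config os="Linux">
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>
</agent_config>

<!-- Applies only to the agent registered as "web01" (assumed name). -->
<agent_config name="web01">
  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/httpd/access_log</location>
  </localfile>
</agent_config>
```

The sections are additive: web01, being a Linux host, ends up with the global rootcheck and syscheck settings, the syslog localfile from the os block and the Apache localfile from its own name block, while the agent's local ossec.conf still only needs the manager's address. Keep in mind that decoder.xml is not part of this mechanism; it stays on the manager, where the logs are actually decoded.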