On Thu, Jul 15, 2010 at 10:09 AM, Jason 'XenoPhage' Frisvold <[email protected]> wrote:
> On 07/14/2010 07:54 PM, Jeremy Rossi wrote:
>> Good plan how I ran most of my agents.
>
> Oh good, I must be on the right track then.. Right now I'm tuning the
> basic integrity sensor stuff and waiting for my OSSEC book to arrive in
> the mail so I can dig in deeper..
>
>> decoders.xml are only used at the central ossec server. This is where
>> logs are parsed and cut and worked with.
>
> So are logs sent from the clients to the server then? That seems ..
> chatty, no?
>
The logs are sent back to the server for processing. It can be chatty, but
can give you a central repository for the logs. Also, if the ossec processes
aren't stopped, the logs continue to be moved to the server even if the
system has been compromised.

>> rootkit files should be in /var/ossec/etc/etc/share/ anything in that
>> dir is sent to agents for you so you will not need to sync them
>> yourself. Just note changes take time.
>
> Do changes to these files (not agent.conf) also require a restart of the
> remote agent?
>
> --
> ---------------------------
> Jason 'XenoPhage' Frisvold
> [email protected]
> ---------------------------
> "Any sufficiently advanced magic is indistinguishable from technology."
> - Niven's Inverse of Clarke's Third Law
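To make the "decoders.xml are only used at the central ossec server" point concrete, here is an added illustration (not OSSEC's code and not from anyone in this thread) of what the server does with the lines the agents forward: a cheap prematch decides whether a decoder applies, a regex then pulls out fields such as user and srcip, and a rule counts events on the decoded fields. The decoder definitions, the helper names and the sample sshd/cron lines are all constructed for the example; real OSSEC decoders are XML, not Python objects.

```python
import re
from dataclasses import dataclass

# Simplified emulation of server-side decoding of forwarded agent logs.
# This is illustrative Python, not the OSSEC decoder engine; the decoders
# below are constructed for the example.


@dataclass
class Decoder:
    name: str
    prematch: re.Pattern   # cheap test: does this decoder apply at all?
    regex: re.Pattern      # field extraction, run only after prematch hits
    order: list            # field names, in regex group order


DECODERS = [
    Decoder(
        name="sshd-failed-password",
        prematch=re.compile(r"sshd\[\d+\]: Failed password"),
        regex=re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port (\d+)"),
        order=["user", "srcip", "srcport"],
    ),
    Decoder(
        name="sshd-accepted",
        prematch=re.compile(r"sshd\[\d+\]: Accepted"),
        regex=re.compile(r"Accepted \S+ for (\S+) from (\S+) port (\d+)"),
        order=["user", "srcip", "srcport"],
    ),
]


def decode(line):
    """Return (decoder name, fields) for the first matching decoder, or (None, {})."""
    for d in DECODERS:
        if not d.prematch.search(line):
            continue
        m = d.regex.search(line)
        if not m:
            # prematch hit but the field regex did not: decoded, no fields
            return d.name, {}
        return d.name, dict(zip(d.order, m.groups()))
    return None, {}


# Constructed sample lines, as they would arrive from agents at the server.
SAMPLE_LOGS = [
    "Jul 15 10:02:11 web01 sshd[4321]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2",
    "Jul 15 10:02:13 web01 sshd[4321]: Failed password for root from 203.0.113.7 port 51235 ssh2",
    "Jul 15 10:05:40 db02 sshd[8876]: Accepted publickey for deploy from 198.51.100.5 port 40022 ssh2",
    "Jul 15 10:06:01 db02 CRON[9001]: (root) CMD (run-parts /etc/cron.hourly)",
]


def failed_logins_by_source(lines):
    """Count sshd failed-password events per source IP, as a server-side rule would."""
    counts = {}
    for line in lines:
        name, fields = decode(line)
        if name == "sshd-failed-password" and "srcip" in fields:
            counts[fields["srcip"]] = counts.get(fields["srcip"], 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(decode(line))
    print(failed_logins_by_source(SAMPLE_LOGS))
```

The split between prematch and regex is the part worth noticing: the server runs the cheap test against every forwarded line and only pays for field extraction on the few that pass, which is what keeps central decoding affordable even when many agents are chatty.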
