There is an ossec.conf file on both the server and the clients. Obviously on the client there is a section that details the server IP.
For the syscheck section I am unclear on what is taken from the client and what is taken from the server. Suppose I want to monitor an additional directory /usr/application/bin for changes: Do I add it to just the server's ossec.conf or to each of the clients' ? And what if I want the frequency of the checks to vary on different clients? Is this documented on the website or in the book?
