On Fri, Jan 14, 2011 at 4:52 PM, anderscooter <[email protected]> wrote: > It looks like the problem at remote sites with large security logs and > every so often one of the message updates fail. We really don't need > to monitor the Windows Event logs. Is the only way to do this in the > Windows Agent config or can this be done at the OSSEC server level. >
It'll have to be done in the agent's configuration, unless you utilize the agent.conf central configuration. If you want to use the agent.conf in the future, you can pretty much remove everything out of the agent's ossec.conf except the IP of the server and rely on the agent.conf for the rest of the configuration.
