Hi guys,

I'm just getting started with ossec.  So far, it seems like a great
tool!

I need to deploy this in a centralized management configuration.  I'm
reading through the docs and experimenting in a lab.

One thing I'm not clear on is what gets configured on the agents vs.
what gets configured on the server.

In the agent.conf, do I need to add sections for:

<localfile>... (for event logs, txt logs, etc)
<rootcheck>
<syscheck>
  <directories>
  <ignore>
<reports>
<global>
<client>

Also, I've read the architecture page, but I'm still not clear on how
events are processed.  Could the data flow be explained as this:

-agent monitors files, does system and root checks, etc
-forward all configured inputs to the server
-server checks events against the rules, sends alerts/reports and
tells the agent to run active responses
-agent runs active responses (if told to do so by the server)

or does the agent do its own checking and only forward "interesting
events"?

Thanks, sorry for the rambling, just trying to get this all straight
in my head.

thanks,

J
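An added example, not from the original thread, of how the sections listed above split in a centralized OSSEC setup: <localfile>, <syscheck> and <rootcheck> go in the manager's shared agent.conf (path assumed to be the default /var/ossec/etc/shared/agent.conf) inside <agent_config> blocks that can be restricted by OS, while <client> stays in each agent's own ossec.conf and <global> and <reports> belong in the manager's ossec.conf. The directories and log locations below are illustrative.

```xml
<!-- /var/ossec/etc/shared/agent.conf on the manager; pushed to every agent
     (assumed default path). The agent runs syscheck/rootcheck and reads the
     logs locally, then forwards the results for rule evaluation on the manager. -->

<!-- Block with no os/name/profile attribute applies to all agents -->
<agent_config>
  <rootcheck>
    <check_files>yes</check_files>
    <check_trojans>yes</check_trojans>
    <check_pids>yes</check_pids>
    <check_ports>yes</check_ports>
  </rootcheck>

  <syscheck>
    <frequency>7200</frequency>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <ignore>/etc/mtab</ignore>
  </syscheck>
</agent_config>

<!-- Only Linux agents pick up this block -->
<agent_config os="Linux">
  <localfile>
    <location>/var/log/secure</location>
    <log_format>syslog</log_format>
  </localfile>
</agent_config>

<!-- Only Windows agents pick up this block -->
<agent_config os="Windows">
  <localfile>
    <location>Security</location>
    <log_format>eventlog</log_format>
  </localfile>
</agent_config>
```

Changes to agent.conf take effect after the agents restart and fetch the new shared file from the manager.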
