Hi Joel,

On Tue, Feb 22, 2011 at 10:58 AM, Joel Brooks <[email protected]> wrote:
> Hi guys,
>
> I'm just getting started with ossec. So far, it seems like a great
> tool!
>
> I need to deploy this in a centralized management configuration. I'm
> reading through the docs and experimenting in a lab.
>
> One thing I'm not clear on is what gets configured on the agents vs.
> what gets configured on the server.
>
> In the agent.conf, do I need to add sections for:
>
> <localfile>... (for event logs, txt logs, etc)
> <rootcheck>
> <syscheck>
> <directories>
> <ignore>
> <reports>
> <global>
> <client>
>

The only thing I've found that HAS to be defined in the agent's ossec.conf file is the server IP. Everything else can be configured in the agent.conf on the server.

> Also, I've read the architecture page, but I'm still not clear on how
> events are processed. Could the data flow be explained as this:
>
> - agent monitors files, does system and root checks, etc
> - forward all configured inputs to the server
> - server checks events against the rules, sends alerts/reports and
>   tells the agent to run active responses
> - agent runs active responses (if told to do so by the server)
>

The above is correct.

> or does the agent do its own checking and only forward "interesting
> events"?
>
> Thanks, sorry for the rambling, just trying to get this all straight
> in my head.
>
> thanks,
>
> J
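As an added illustration of the split described in this reply (this is not configuration from the thread): the agent's local ossec.conf carries only the server address, while the monitoring sections live in agent.conf on the server and are distributed to the agents. The server IP, file paths and the two OS profiles are placeholder choices of mine; reports and global settings are server-side options and belong in the server's own ossec.conf, not in agent.conf.

```xml
<!-- Added example, not from the thread.
     On each agent: /var/ossec/etc/ossec.conf
     (192.0.2.10 is a placeholder for the OSSEC server address) -->
<ossec_config>
  <client>
    <server-ip>192.0.2.10</server-ip>
  </client>
</ossec_config>

<!-- On the server: /var/ossec/etc/shared/agent.conf, pushed to agents.
     Each agent_config block applies to every agent unless narrowed
     with the os / name / profile attributes. -->
<agent_config os="Linux">
  <!-- file integrity monitoring: which paths to hash and which to skip -->
  <syscheck>
    <frequency>7200</frequency>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <ignore>/etc/mtab</ignore>
  </syscheck>

  <!-- rootkit / policy checks run locally on the agent, results go to the server -->
  <rootcheck>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
  </rootcheck>

  <!-- text log collection; raw events are forwarded and matched against rules on the server -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>
</agent_config>

<agent_config os="Windows">
  <!-- Windows event log collection -->
  <localfile>
    <log_format>eventlog</log_format>
    <location>Security</location>
  </localfile>
</agent_config>
```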
