Hi all,
Last month I set up two OSSEC servers configured as an HA solution for several
OSSEC agents. Until now all works OK. But now I need to use agent centralized
configuration to simplify this structure, and I have some questions:
- If I understand the documentation about centralized agent configuration, the agent.conf
file only reflects configuration about syscheck, rootcheck and log analysis,
correct? Does that mean that I can remove those sections from the ossec.conf file on
the agent side?
- Can I configure some entries in the agent.conf file like this:
<agent_config name="agent01">
  <syscheck>
    <frequency>7200</frequency>
    <auto_ignore>no</auto_ignore>
    <alert_new_files>yes</alert_new_files>
    <directories report_changes="yes" realtime="yes" check_all="yes">/etc</directories>
    <directories check_all="yes">/usr/bin,/usr/sbin,/bin,/sbin</directories>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/aliases.db</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/lvm/cache/.cache</ignore>
    <ignore>/etc/mtab</ignore>
  </syscheck>
</agent_config>
<agent_config name="agent01|agent02">
  <localfile>
    <location>/var/log/some.log</location>
    <log_format>syslog</log_format>
  </localfile>
</agent_config>
<agent_config name="agent02|agent03">
  <localfile>
    <location>/var/log/another.log</location>
    <log_format>syslog</log_format>
  </localfile>
</agent_config>
Thanks.
--
CL Martinez
carlopmart {at} gmail {d0t} com
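An added example, not code from the post above or from the OSSEC project: a small Python resolver that reads an agent.conf like the one in the mail and reports which syscheck and localfile settings land on a given agent. It assumes OSSEC's OS_Match2-style matching of the name attribute, where "|" separates alternatives and an unanchored alternative is a substring match, which is why the hypothetical agent name "agent010" also picks up the "agent01" blocks unless the pattern is anchored with ^ and $.

```python
# Added example (not from the original post): resolve which <agent_config> blocks
# of an OSSEC agent.conf apply to a given agent name. Assumption: OSSEC matches the
# name attribute OS_Match2-style: "|" separates alternatives, each a substring
# match unless anchored with ^ or $.
import re
import xml.etree.ElementTree as ET

# Constructed agent.conf mirroring the three blocks in the mail (ignore list trimmed).
AGENT_CONF = """
<agent_config name="agent01">
  <syscheck>
    <frequency>7200</frequency>
    <directories check_all="yes">/etc</directories>
  </syscheck>
</agent_config>
<agent_config name="agent01|agent02">
  <localfile><location>/var/log/some.log</location><log_format>syslog</log_format></localfile>
</agent_config>
<agent_config name="agent02|agent03">
  <localfile><location>/var/log/another.log</location><log_format>syslog</log_format></localfile>
</agent_config>
"""

def name_matches(pattern: str, agent_name: str) -> bool:
    """True if any '|'-separated alternative matches; unanchored alternatives are
    substring matches, so "agent01" also matches an agent named "agent010"."""
    for alt in pattern.split("|"):
        core = alt.strip("^$")
        regex = ("^" if alt.startswith("^") else "") + re.escape(core) + ("$" if alt.endswith("$") else "")
        if re.search(regex, agent_name):
            return True
    return False

def effective_config(agent_conf: str, agent_name: str) -> dict:
    """Collect syscheck frequency/directories and localfile locations applying to one agent."""
    # agent.conf has no single root element, so wrap it before parsing.
    root = ET.fromstring("<root>" + agent_conf + "</root>")
    cfg = {"frequency": None, "directories": [], "localfiles": []}
    for block in root.findall("agent_config"):
        name = block.get("name")
        if name is not None and not name_matches(name, agent_name):
            continue  # block is restricted to other agents
        for sc in block.findall("syscheck"):
            cfg["frequency"] = sc.findtext("frequency", cfg["frequency"])
            cfg["directories"] += [d.text for d in sc.findall("directories")]
        cfg["localfiles"] += [lf.findtext("location") for lf in block.findall("localfile")]
    return cfg
```

Running effective_config(AGENT_CONF, "agent02") shows that agent02 gets both localfile entries but no syscheck block, which is the kind of per-agent overlap worth checking before trimming the agent-side ossec.conf.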