Hi carlopmart,

On Wed, Feb 23, 2011 at 4:05 PM, carlopmart <[email protected]> wrote:
> Hi all,
>
>  Last month, I have set up two OSSEC servers configured as a HA solution for
> several OSSEC agents. Until now all works ok. But now I need to use agent
> centralized configuration to simplify this structure. And I have some
> questions:
>
> -  If I understand documentation about centralized agents configuration,
> agent.conf file only reflects configuration about syscheck, rootcheck and
> log analysis, correct? Does that mean that I can remove those sections
> in ossec.conf file on agent side?
>

Some of my agents only have the server-ip section in their ossec.conf
files. Everything else is configured in the agent.conf.

>  - Can I configure some entries on agent.conf file like this:
>

You should be able to copy most of it straight out of the ossec.conf.
The configuration below looks correct to me, but I didn't go over
every bit to make sure there were no typos.
Also, I don't think I've tried using name="agent01|agent02", but that
doesn't mean it won't work.

> <agent_config name="agent01">
> <syscheck>
> <frequency>7200</frequency>
> <auto_ignore>no</auto_ignore>
> <alert_new_files>yes</alert_new_files>
> <directories report_changes="yes" realtime="yes"
> check_all="yes">/etc</directories>
> <directories check_all="yes">/usr/bin,/usr/sbin,/bin,/sbin</directories>
> <ignore>/etc/adjtime</ignore>
> <ignore>/etc/aliases.db</ignore>
> <ignore>/etc/hosts.deny</ignore>
> <ignore>/etc/lvm/cache/.cache</ignore>
> <ignore>/etc/mtab</ignore>
> </syscheck>
> </agent_config>
>
> <agent_config name="agent01|agent02">
> <localfile>
> <location>/var/log/some.log</location>
> <log_format>syslog</log_format>
> </localfile>
> </agent_config>
>
> <agent_config name="agent02|agent03">
> <localfile>
> <location>/var/log/another.log</location>
> <log_format>syslog</log_format>
> </localfile>
> </agent_config>
>
> Thanks.
>
> --
>
> CL Martinez
> carlopmart {at} gmail {d0t} com
>
>
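
A minimal offline well-formedness check for an agent.conf like the one quoted above, as an added example that is not part of the original message or of OSSEC; the function name `lint_agent_conf` and the shortened sample are constructed for illustration. It reports each block's `name` attribute verbatim and does not decide which agents a value such as `agent01|agent02` selects.

```python
import xml.etree.ElementTree as ET

# Constructed sample: two of the blocks quoted above, shortened.
SAMPLE = """<agent_config name="agent01">
<syscheck>
<frequency>7200</frequency>
<directories report_changes="yes" realtime="yes"
check_all="yes">/etc</directories>
<ignore>/etc/mtab</ignore>
</syscheck>
</agent_config>

<agent_config name="agent01|agent02">
<localfile>
<location>/var/log/some.log</location>
<log_format>syslog</log_format>
</localfile>
</agent_config>
"""


def lint_agent_conf(text):
    """Return (blocks, errors); blocks is a list of (name attribute, section tags)."""
    # agent.conf holds several top-level <agent_config> elements, so it is not
    # one XML document. Wrap it in a synthetic root on the same line so that
    # the line numbers in parser errors still match the file.
    try:
        root = ET.fromstring("<root>" + text + "</root>")
    except ET.ParseError as exc:
        return [], [f"not well-formed: {exc}"]
    blocks, errors = [], []
    if (root.text or "").strip():
        errors.append("stray text before the first <agent_config>")
    for el in root:
        if el.tag != "agent_config":
            errors.append(f"<{el.tag}> is outside any <agent_config> block")
            continue
        name = el.get("name")  # reported verbatim, not interpreted
        blocks.append((name, [child.tag for child in el]))
        for leaf in el.iter():
            if len(leaf) == 0 and not (leaf.text or "").strip():
                errors.append(f"<{leaf.tag}> in block {name!r} has no value")
        if (el.tail or "").strip():
            errors.append(f"stray text after block {name!r}")
    return blocks, errors


if __name__ == "__main__":
    for item in lint_agent_conf(SAMPLE):
        print(item)
```

Running it on the file before pushing it to agents catches mismatched tags, empty values and stray text between blocks; it does not check that OSSEC accepts the option names.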
