Most of my clients are using the default ossec.conf created when installing from source. What is the preferred method to customize the client's ossec.conf to be minimal upon install? Is there a way to minimize the /etc/ossec.conf file before the make install? I don't have to install OSSEC agent too frequently yet, but figure something like this would be easily handled creating RPM spec or Puppet pattern.
Thanks - Trey On Jun 6, 1:03 pm, "dan (ddp)" <[email protected]> wrote: > When there's a conflict the agent's ossec.conf is generally used. I > find it's best to remove everything except the server-ip setting from > the agent ossec.conf files. > > On Mon, Jun 6, 2011 at 8:50 AM, Christopher Moraes > > > > > > > > <[email protected]> wrote: > > Hi Frank, > > If I create an agent.conf file on the server, will it overwrite the settings > > of the agent's local ossec.conf or are the two configs merged in some way? > > > On Mon, Jun 6, 2011 at 6:29 AM, Frank Stefan Sundberg Solli > > <[email protected]> wrote: > > >> Hi. > > >> The file can be found in shared/agent.conf > > >> On Mon, Jun 6, 2011 at 3:42 AM, treydock <[email protected]> wrote: > > >>> What settings from the OSSEC server's etc/ossec.conf file are used to > >>> on the clients? For example I've defined rules and active responses > >>> on my server, and they are working fine, but what about <localfile> > >>> items? Is there a way to centrally define what local files an agent > >>> should be checking, or would this be the case where something like > >>> Puppet comes into play? I have this on my server, and it works, but > >>> just realized I probably need to push this to my clients, > > >>> <localfile> > >>> <log_format>syslog</log_format> > >>> <location>/var/ossec/logs/active-responses.log</location> > >>> </localfile> > > >>> Thanks > >>> - Trey > > >> -- > >> MVH/With regards > > >> Frank > >> -- > >> Name: Frank Stefan Sundberg Solli > >> E-mail: [email protected] > >> Web: http://fssol.blogspot.com > >> GPG: 684119F4
