Christopher, I am curious how you got this to work. I get all sorts of errors trying that.

2011/06/07 13:28:22 ossec-syscheckd(1702): INFO: No directory provided for syscheck to monitor.
2011/06/07 13:28:22 ossec-syscheckd: WARN: Syscheck disabled.
2011/06/07 13:28:22 ossec-rootcheck: System audit file not configured.
2011/06/07 13:28:23 ossec-agentd(4102): INFO: Connected to the server (x.x.x.x:1514).
2011/06/07 13:28:26 ossec-syscheckd: INFO: Started (pid: 13684).
2011/06/07 13:28:26 ossec-rootcheck: INFO: Started (pid: 13684).
2011/06/07 13:28:28 ossec-logcollector: INFO: Started (pid: 13680).
2011/06/07 13:30:00 ossec-rootcheck: INFO: Starting rootcheck scan.
2011/06/07 13:30:00 ossec-rootcheck: No rootcheck_files file configured.
2011/06/07 13:30:00 ossec-rootcheck: No rootcheck_trojans file configured.
2011/06/07 13:42:27 ossec-rootcheck: INFO: Ending rootcheck scan.
2011/06/07 13:47:27 ossec-syscheckd(1105): ERROR: Attempted to use null string.
2011/06/07 14:02:49 ossec-syscheckd(1105): ERROR: Attempted to use null string.
2011/06/07 14:18:11 ossec-syscheckd(1105): ERROR: Attempted to use null string.

I would prefer only having the IP address in the ossec.conf file.

-Reggie

On Jun 6, 2:03 pm, "dan (ddp)" <[email protected]> wrote:
> When there's a conflict the agent's ossec.conf is generally used. I
> find it's best to remove everything except the server-ip setting from
> the agent ossec.conf files.
>
> On Mon, Jun 6, 2011 at 8:50 AM, Christopher Moraes
> <[email protected]> wrote:
> > Hi Frank,
> > If I create an agent.conf file on the server, will it overwrite the settings
> > of the agent's local ossec.conf or are the two configs merged in some way?
> >
> > On Mon, Jun 6, 2011 at 6:29 AM, Frank Stefan Sundberg Solli
> > <[email protected]> wrote:
> >> Hi.
> >>
> >> The file can be found in shared/agent.conf
> >>
> >> On Mon, Jun 6, 2011 at 3:42 AM, treydock <[email protected]> wrote:
> >>> What settings from the OSSEC server's etc/ossec.conf file are used to
> >>> on the clients? For example I've defined rules and active responses
> >>> on my server, and they are working fine, but what about <localfile>
> >>> items? Is there a way to centrally define what local files an agent
> >>> should be checking, or would this be the case where something like
> >>> Puppet comes into play? I have this on my server, and it works, but
> >>> just realized I probably need to push this to my clients,
> >>>
> >>> <localfile>
> >>>   <log_format>syslog</log_format>
> >>>   <location>/var/ossec/logs/active-responses.log</location>
> >>> </localfile>
> >>>
> >>> Thanks
> >>> - Trey
> >>
> >> --
> >> MVH/With regards
> >>
> >> Frank
> >> --
> >> Name: Frank Stefan Sundberg Solli
> >> E-mail: [email protected]
> >> Web: http://fssol.blogspot.com
> >> GPG: 684119F4
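
An added example, not code from any poster in this thread or from the OSSEC project: a small audit that lists which sections an agent's local ossec.conf and the server's shared/agent.conf both define, which is where the conflict discussed above arises, and which local sections go beyond the `<client>` block that holds server-ip. Both sample files, the 203.0.113.10 address and the function names `sections` and `audit` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: an agent-side ossec.conf that still carries a <localfile>
# block besides the server address (203.0.113.10 is a placeholder).
LOCAL_OSSEC_CONF = """
<ossec_config>
  <client>
    <server-ip>203.0.113.10</server-ip>
  </client>
</ossec_config>
<ossec_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>
</ossec_config>
"""

# Constructed sample of the server-side shared/agent.conf.
SHARED_AGENT_CONF = """
<agent_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/ossec/logs/active-responses.log</location>
  </localfile>
  <syscheck><directories>/etc</directories></syscheck>
</agent_config>
"""

def sections(conf_text, block_tag):
    """Return the section names found under every <block_tag> block."""
    # A file may hold several top-level blocks, which is not well-formed XML
    # on its own, so wrap the text in a synthetic root before parsing.
    root = ET.fromstring("<root>" + conf_text + "</root>")
    return {child.tag for block in root.iter(block_tag) for child in block}

def audit(local_text, shared_text):
    """Classify the agent's local sections against the shared agent.conf."""
    local = sections(local_text, "ossec_config")
    shared = sections(shared_text, "agent_config")
    return {
        "conflicts": sorted(local & shared),                # defined in both
        "local_only": sorted(local - shared - {"client"}),  # beyond server-ip
        "central_only": sorted(shared - local),             # only in agent.conf
    }

if __name__ == "__main__":
    for kind, names in audit(LOCAL_OSSEC_CONF, SHARED_AGENT_CONF).items():
        print(f"{kind}: {', '.join(names) or '-'}")
```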
