Sorry Christopher, didn't mean to hijack your thread. Turned out to be the same issue as here.
http://groups.google.com/group/ossec-list/browse_thread/thread/ece44a0e3b65e73c?hl=en

-R

On Jun 7, 11:50 am, Christopher Moraes <[email protected]> wrote:
> Hi Reggie,
>
> I did not try to get it to work. I was just asking a question to understand how
> ossec is designed. (I am in the middle of reading the sources).
>
> On Tue, Jun 7, 2011 at 10:35 AM, reg <[email protected]> wrote:
> > Christopher,
> >
> > I am curious how you got this to work. I get all sorts of errors
> > trying that.
> >
> > 2011/06/07 13:28:22 ossec-syscheckd(1702): INFO: No directory provided for syscheck to monitor.
> > 2011/06/07 13:28:22 ossec-syscheckd: WARN: Syscheck disabled.
> > 2011/06/07 13:28:22 ossec-rootcheck: System audit file not configured.
> > 2011/06/07 13:28:23 ossec-agentd(4102): INFO: Connected to the server (x.x.x.x:1514).
> > 2011/06/07 13:28:26 ossec-syscheckd: INFO: Started (pid: 13684).
> > 2011/06/07 13:28:26 ossec-rootcheck: INFO: Started (pid: 13684).
> > 2011/06/07 13:28:28 ossec-logcollector: INFO: Started (pid: 13680).
> > 2011/06/07 13:30:00 ossec-rootcheck: INFO: Starting rootcheck scan.
> > 2011/06/07 13:30:00 ossec-rootcheck: No rootcheck_files file configured.
> > 2011/06/07 13:30:00 ossec-rootcheck: No rootcheck_trojans file configured.
> > 2011/06/07 13:42:27 ossec-rootcheck: INFO: Ending rootcheck scan.
> > 2011/06/07 13:47:27 ossec-syscheckd(1105): ERROR: Attempted to use null string.
> > 2011/06/07 14:02:49 ossec-syscheckd(1105): ERROR: Attempted to use null string.
> > 2011/06/07 14:18:11 ossec-syscheckd(1105): ERROR: Attempted to use null string.
> >
> > I would prefer only having the IP address in the ossec.conf file.
> >
> > -Reggie
> >
> > On Jun 6, 2:03 pm, "dan (ddp)" <[email protected]> wrote:
> > > When there's a conflict the agent's ossec.conf is generally used. I
> > > find it's best to remove everything except the server-ip setting from
> > > the agent ossec.conf files.
> > >
> > > > On Mon, Jun 6, 2011 at 8:50 AM, Christopher Moraes
> > > > <[email protected]> wrote:
> > > > Hi Frank,
> > > > If I create an agent.conf file on the server, will it overwrite the settings
> > > > of the agent's local ossec.conf or are the two configs merged in some way?
> > > >
> > > > > On Mon, Jun 6, 2011 at 6:29 AM, Frank Stefan Sundberg Solli
> > > > > <[email protected]> wrote:
> > > > >> Hi.
> > > > >> The file can be found in shared/agent.conf
> > > > >>
> > > > >> On Mon, Jun 6, 2011 at 3:42 AM, treydock <[email protected]> wrote:
> > > > >>> What settings from the OSSEC server's etc/ossec.conf file are used
> > > > >>> on the clients? For example I've defined rules and active responses
> > > > >>> on my server, and they are working fine, but what about <localfile>
> > > > >>> items? Is there a way to centrally define what local files an agent
> > > > >>> should be checking, or would this be the case where something like
> > > > >>> Puppet comes into play? I have this on my server, and it works, but
> > > > >>> just realized I probably need to push this to my clients,
> > > > >>>
> > > > >>> <localfile>
> > > > >>> <log_format>syslog</log_format>
> > > > >>> <location>/var/ossec/logs/active-responses.log</location>
> > > > >>> </localfile>
> > > > >>>
> > > > >>> Thanks
> > > > >>> - Trey
> > > > >>
> > > > >> --
> > > > >> MVH/With regards
> > > > >>
> > > > >> Frank
> > > > >> --
> > > > >> Name: Frank Stefan Sundberg Solli
> > > > >> E-mail: [email protected]
> > > > >> Web: http://fssol.blogspot.com
> > > > >> GPG: 684119F4
