On Mon, Jun 20, 2011 at 11:19 AM, gopal krishnan <[email protected]> wrote:
> Dan,
>
> Thanks for replying,
>
>> 1) We are planning to install OSSEC on around 300+ Linux servers, What is
>> the best way for implementing the client? (Agentless / AgentBased in terms of
>> performance)
>>
>
> 300 shouldn't be too hard to handle. By default the manager will handle 256,
> but there are instructions for handling more on the site.
>
> Which one I can go for it? Agent based or Agent less?
>

You can do either. I prefer agent based. Agentless doesn't have all of the features agent based does, but it's really up to your needs.

>> 3) How to capture the userdetails in real time monitoring or in syscheck?
>>
>
> What user details?
>
> I want to capture the user details info when someone change/update some
> files on the agents,
>
> For example,
>
> If I am changing the /etc/resolv.conf file, I want to see in the
> report/alerts who changed this file at what time?
>

I haven't tried it, but I'm guessing there's some auditing in Linux/Windows that can help with this. syscheckd won't pick it up, but monitoring the logs themselves might.

> Thanks,
> -Gopal.C
>
> On Mon, Jun 20, 2011 at 8:59 AM, dan (ddp) <[email protected]> wrote:
>>
>> On Jun 20, 2011 9:56 AM, "gopal krishnan" <[email protected]>
>> wrote:
>> >
>> > Hi Group,
>> >
>> > I am a newbie to OSSEC, I am having three questions regarding OSSEC
>> > implementation,
>> >
>> > 1) We are planning to install OSSEC on around 300+ Linux servers, What
>> > is the best way for implementing the client? (Agentless / AgentBased
>> > in terms
>> > of performance)
>> >
>>
>> 300 shouldn't be too hard to handle. By default the manager will handle
>> 256, but there are instructions for handling more on the site.
>>
>> > 2) How to change the default log path for OSSEC?
>> >
>> > We want to store in /var/log/ossec instead of /var/ossec/log
>> >
>>
>> Install ossec in /var/log/ossec. The daemons generally chroot to the
>> install dir.
>>
>> > 3) How to capture the userdetails in real time monitoring or in
>> > syscheck?
>> >
>>
>> What user details?
>>
>> > Please provide me some hints / links if these questions already
>> > addressed...
>> >
>> > Thanks a lot,
>> >
>> > Regards,
>> > -Gopal.C
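
An added example, not part of the thread and not OSSEC's own code: the Linux audit subsystem is one source for the "who changed this file, and when" detail asked about in question 3. Assuming a watch rule such as `auditctl -w /etc/resolv.conf -p wa -k resolv-change` (the key name is hypothetical), the code below groups constructed audit.log records by event ID and reports the login user, time and program for each access to the watched file.

```python
import re
from datetime import datetime, timezone

# Constructed sample records in Linux audit.log format (not from a real host).
# Assumed watch rule: auditctl -w /etc/resolv.conf -p wa -k resolv-change
SAMPLE_LOG = '''\
type=SYSCALL msg=audit(1308586740.123:456): arch=c000003e syscall=2 success=yes exit=3 ppid=2201 pid=2310 auid=1001 uid=0 gid=0 euid=0 tty=pts0 ses=12 comm="vi" exe="/usr/bin/vi" key="resolv-change"
type=CWD msg=audit(1308586740.123:456): cwd="/root"
type=PATH msg=audit(1308586740.123:456): item=0 name="/etc/resolv.conf" inode=393301 dev=08:01 mode=0100644 ouid=0 ogid=0
type=SYSCALL msg=audit(1308586800.500:470): arch=c000003e syscall=2 success=no exit=-13 ppid=2400 pid=2412 auid=1002 uid=1002 gid=1002 euid=1002 tty=pts1 ses=14 comm="sh" exe="/bin/sh" key="resolv-change"
type=PATH msg=audit(1308586800.500:470): item=0 name="/etc/resolv.conf" inode=393301 dev=08:01 mode=0100644 ouid=0 ogid=0
'''

HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+)\.\d+:(\d+)\): (.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def file_changes(log_text, watched_path, key):
    """Group records by audit event ID and report who touched watched_path."""
    events = {}
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue  # skip blank or malformed lines
        rtype, epoch, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        ev = events.setdefault(serial, {"epoch": int(epoch), "paths": []})
        if rtype == "SYSCALL":
            ev["syscall"] = fields
        elif rtype == "PATH":
            ev["paths"].append(fields.get("name"))
    report = []
    for serial, ev in sorted(events.items(), key=lambda kv: int(kv[0])):
        sc = ev.get("syscall")
        if not sc or sc.get("key") != key or watched_path not in ev["paths"]:
            continue
        report.append({
            "time": datetime.fromtimestamp(ev["epoch"], timezone.utc).isoformat(),
            "auid": sc["auid"],  # login UID: survives su/sudo, unlike uid
            "uid": sc["uid"],
            "exe": sc["exe"],
            "success": sc["success"] == "yes",
        })
    return report

if __name__ == "__main__":
    for row in file_changes(SAMPLE_LOG, "/etc/resolv.conf", "resolv-change"):
        print(row)
```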
