On Sat, Jun 25, 2011 at 1:45 PM, SystemAli <[email protected]> wrote:
> Dan:
>
> that means all the logs to be monitored have to be entered in the agent in
> the following location :-/var/ossec/etc/ossec.conf ?
>
>

On the agent, there are 2 config files that are read in the following order - 1. /var/ossec/etc/ossec.conf and 2. /var/ossec/etc/shared/agent.conf

The agent first reads the ossec.conf file and then tries to read the agent.conf file (if it exists). Log files specified in ossec.conf and agent.conf will be monitored.

If you are making changes for a specific agent, make your changes in ossec.conf and not agent.conf, as agent.conf gets overwritten by the manager.
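To audit what an agent ends up monitoring under the read order described in the reply, the following added example (not part of the original message or of OSSEC itself) collects every `<localfile>` entry from both files and flags the ones that live in agent.conf and would therefore be replaced by the manager. It assumes the usual `<localfile>` layout with `<location>` and `<log_format>` children; the sample file contents and all function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

# Read order stated in the reply above; agent.conf is optional.
CONFIG_ORDER = ["/var/ossec/etc/ossec.conf", "/var/ossec/etc/shared/agent.conf"]

# Constructed sample contents (not taken from the thread).
SAMPLE_OSSEC = """
<ossec_config>
  <localfile><log_format>syslog</log_format><location>/var/log/messages</location></localfile>
</ossec_config>
<ossec_config>
  <localfile><log_format>apache</log_format><location>/var/log/httpd/access_log</location></localfile>
</ossec_config>
"""
SAMPLE_AGENT = """
<agent_config>
  <localfile><log_format>syslog</log_format><location>/var/log/secure</location></localfile>
</agent_config>
"""

def localfiles(xml_text):
    """Return (location, log_format) for each <localfile> block in one config file."""
    # A config may hold several top-level blocks, so wrap them in a single root.
    root = ET.fromstring("<wrapper>" + xml_text + "</wrapper>")
    found = []
    for lf in root.iter("localfile"):
        location = (lf.findtext("location") or "").strip()
        if location:
            found.append((location, (lf.findtext("log_format") or "").strip()))
    return found

def monitored_logs(configs):
    """configs: (path, text) pairs in read order; text is None when the file is absent.
    Entries from agent.conf are flagged because the manager overwrites that file."""
    result = []
    for path, text in configs:
        if text is None:
            continue
        for location, fmt in localfiles(text):
            result.append({"location": location, "log_format": fmt, "source": path,
                           "manager_overwrites": path.endswith("/shared/agent.conf")})
    return result

def load(paths=CONFIG_ORDER):
    """Read the real files from disk, tolerating a missing agent.conf."""
    return [(p, Path(p).read_text() if Path(p).is_file() else None) for p in paths]

if __name__ == "__main__":
    samples = list(zip(CONFIG_ORDER, [SAMPLE_OSSEC, SAMPLE_AGENT]))
    print(*monitored_logs(samples), sep="\n")
```

On a real agent, `monitored_logs(load())` gives the same listing from the files on disk.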
