On Mon, Sep 17, 2012 at 10:55 AM, kay kay <[email protected]> wrote:
> Well. Is it possible to run ossec decoder with active-response on remote
> ossec-client directly? In that case I don't need to use syslog-ng collector
> and "hostname" variable.
>
I don't understand the question. You can run a standalone instance of OSSEC.
Either way, you don't _need_ syslog-ng.
Part of the problem might be that you haven't told us your goal, or your setup.
I'm getting an idea of what's going on here, but I could be way off. (I'm hoping
I'm way off.)

> Where should I put the rules? On ossec-server and the rules should be
> automatically deployed on each remote client? Or I should configure each
> client to use these rules?
>

Agents do not get rules, only the server and standalone instances. The agents
send the log messages to the server, which then checks them.

> On Monday, September 17, 2012 at 17:20:14 UTC+4, dan (ddpbsd) wrote:
>>
>> On Mon, Sep 17, 2012 at 9:14 AM, kay kay <[email protected]> wrote:
>> > Unfortunately I don't need srcip, I need the hostname which was generated
>> > in the log file. Is there any possibility to parse it? At the moment I
>> > can't regexp the whole log file but only starting from "[Wed Sep"
>> >
>>
>> The only way will be to modify the source.
>>
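[Editor's note, not part of the original thread.] The answer above boils down to: rules and decoders are loaded only by the server (or a standalone install), and active response is *configured* on the server but can be *executed* on the agent that reported the event. The following is an added example illustrating that split; it is not configuration from the list posters or from the OSSEC project's shipped files. The rule id 100100, the "File does not exist" match string and the agent id 002 are assumptions chosen for illustration; the `apache-errorlog` decoder name and the `host-deny.sh` script are the ones that ship with OSSEC.

```xml
<!-- File 1: /var/ossec/rules/local_rules.xml on the OSSEC SERVER.
     Agents never read this file; the server applies it to every log line the
     agents forward. Ids 100000 and above are reserved for local rules. -->
<group name="local,apache,">
  <!-- Hypothetical rule 100100: fires once OSSEC's stock apache-errorlog
       decoder has parsed the line (which is why matching only "starts"
       after the "[Wed Sep ...]" timestamp: the decoder's prematch anchors
       there) and the remaining message contains the assumed string. -->
  <rule id="100100" level="6">
    <decoded_as>apache-errorlog</decoded_as>
    <match>File does not exist</match>
    <description>Custom: Apache error log reports a missing file</description>
  </rule>
</group>

<!-- File 2: /var/ossec/etc/ossec.conf on the OSSEC SERVER.
     The <command> and <active-response> blocks live here, not on the agent. -->
<ossec_config>
  <!-- host-deny.sh ships in /var/ossec/active-response/bin/ on every agent
       and expects the decoded srcip as its argument. -->
  <command>
    <name>host-deny</name>
    <executable>host-deny.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- location "local" runs the script on the agent that produced the log
       line, so the block lands on the web host rather than on the server.
       Alternatives: "server", "all", or "defined-agent" together with
       <agent_id>002</agent_id> (002 is an assumed agent id). -->
  <active-response>
    <command>host-deny</command>
    <location>local</location>
    <rules_id>100100</rules_id>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
```

After editing either file, restart OSSEC on the server (`/var/ossec/bin/ossec-control restart`) and confirm the rule loads with `/var/ossec/bin/ossec-logtest`, pasting a sample Apache error line; the logtest output names the decoder and the rule id that matched, which is the quickest way to see whether a field such as srcip was actually extracted before wiring it into an active response.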
