On Wed, Oct 17, 2012 at 4:00 AM, kay kay <[email protected]> wrote: > Is it possible to use local ossec-agent rules? I need to configure > ossec-agent locally monitor logs and locally start active-response script. > Ossec server should only write alerts.
Not really. You could do a local installation (or maybe hybrid with 2.7) on each of the agents and forward the alerts to a centralized OSSEC instance, but it's much more complicated. What's wrong with the current OSSEC architecture? Why do you need to do it this way?
