On Wed, Nov 21, 2012 at 2:44 PM, Scott <[email protected]> wrote:
> Hello,
>
> I would like to have my logs from a distant subnet forwarded to a central
> ossec server. Some of these logs are UDP 514 syslog format from
> "appliances".
>
> So, I was thinking that I change my current ossec server that is on that
> subnet (which now collects all logs) into a hybrid server and have it
> forward logs to my new central ossec server.
>
> Does that sound reasonable?
>

The hybrid mode will send OSSEC alerts to a central OSSEC server, not all logs.

> I'm not sure how to re-configure the current ossec server to be a hybrid
> server...
>

Rerun install.sh, don't upgrade. You might also be able to get away with installing the client version somewhere and just configuring it to read the alert.log. I'd have to look up the configuration for this though (I should probably document it anyhow).

> Can I simply add the <client> section to ossec.conf in addition to the
> <global> section? Do I need a <global> section anymore?
>

This question doesn't make any sense.

> Is it possible to send <remote> sections via agent.conf?
>

The OSSEC server does not use the agent.conf.

> Thanks,
>
> Scott
>
