On Wed, Jun 19, 2013 at 5:25 PM, David Blanton
<[email protected]> wrote:
> Dan,
>
> So could I get an example of a template for agent.conf? For example,
> currently I have about 50 agents deployed on Solaris and RHEL5 servers.
>
> In my ossec.conf file I have:
>
>     <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
>     <directories check_all="yes">/bin,/sbin</directories>
>
>   <localfile>
>     <log_format>syslog</log_format>
>     <location>/var/log/messages</location>
>   </localfile>
>
>   <localfile>
>     <log_format>syslog</log_format>
>     <location>/var/log/secure</location>
>   </localfile>
>
>   <localfile>
>     <log_format>syslog</log_format>
>     <location>/var/adm/sulog</location>
>   </localfile>
>
>   <localfile>
>     <log_format>syslog</log_format>
>     <location>/var/adm/messages</location>
>   </localfile>
>
>   <localfile>
>     <log_format>syslog</log_format>
>     <location>/var/log/maillog</location>
>   </localfile>
>
>   <localfile>
>     <log_format>apache</log_format>
>     <location>/var/log/httpd/error_log</location>
>   </localfile>
>
>   <localfile>
>     <log_format>apache</log_format>
>     <location>/var/log/httpd/access_log</location>
>   </localfile>
>
> because I was under the impression that all agents would be monitoring all
> of these directories and files.
>
> So to make this clear, is there no way to have all my agents check all of
> these? I have to divide my agents into Solaris and RHEL5 Linux groups, and
> specify which will monitor which? This seems a bit repetitive unless I am
> not imagining things correctly.
>
> If directory checks are local - does that mean agents must be specified
> which local files to be monitored?
>
> How would the syntax be in the agent.conf to do something like this?
>
>

This is untested, but try this as /var/ossec/etc/shared/agent.conf:
<agent_config>
  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/httpd/error_log</location>
  </localfile>

  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/httpd/access_log</location>
  </localfile>
</agent_config>

(I feel like most of those others are in the config by default)

Restart the processes on the server and agent, get some coffee, and
check the agent a bit later to find out if it's been transferred. If
it has, restart the agent processes and check the ossec.log to see if
it's monitoring access_log.

>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
>
>
