On Thu, Jun 20, 2013 at 7:42 AM, Taher <[email protected]> wrote:
> I found this documentation:
> http://www.ossec.net/doc/manual/agent/agent-configuration.html
>
> It says: "First Create the file /var/ossec/etc/shared/agent.conf." so that
> answers my previous question and gives rise to another one :) :
>
> Since we are using OSSEC only for FIM and not for log correlation and
> analysis (we have Splunk for that).
>
> I wish to specify certain directories and files that we want to monitor
> using syscheck in agent.conf. Can we use something like this in agent.conf?
>
> <directories check_all="yes">/etc,/usr/bin,/usr/sbin,/other/custom/directory</directories>
>
> <directories check_all="yes">/bin,/sbin</directories>
>
> as opposed to:
>
> <localfile>
>   <location>/var/log/my.log</location>
>   <log_format>syslog</log_format>
> </localfile>
>
> because quite frankly, the directories that we want to monitor on the agents
> are not always logs.
>
These are two different functions. <directories> is for checking directories with syscheck (FIM). <localfile> is for monitoring log files and doing log analysis.

> On Wednesday, 19 June 2013 15:18:29 UTC+5:30, Taher wrote:
>>
>> Hello All,
>>
>> I am a newbie to OSSEC and we have installed a server and about 30 clients
>> in our test environment.
>>
>> We have a requirement of monitoring logs and integrity checking for files
>> and directories belonging to certain proprietary/custom applications in the
>> environment. My question is, if we were to specify the location of these
>> logs and files, would we have to do it in the ossec.conf file on each agent
>> or can we do it centrally on the server?
>>
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
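
How the two functions from the reply sit side by side in a centrally managed /var/ossec/etc/shared/agent.conf, as an added example that is not part of the original thread. The paths are the ones from the question; the realtime attribute and the ignore entry are illustrative assumptions.

```xml
<!-- /var/ossec/etc/shared/agent.conf on the OSSEC server (added example) -->
<agent_config>

  <!-- File integrity monitoring (syscheck): directories and files of any kind -->
  <syscheck>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>
    <!-- Assumption: real-time monitoring is wanted for the custom application directory -->
    <directories check_all="yes" realtime="yes">/other/custom/directory</directories>
    <!-- Assumption: a frequently changing file excluded to reduce noise -->
    <ignore>/etc/mtab</ignore>
  </syscheck>

  <!-- Log analysis (logcollector): only needed if OSSEC should read the log's contents -->
  <localfile>
    <location>/var/log/my.log</location>
    <log_format>syslog</log_format>
  </localfile>

</agent_config>
```

Running /var/ossec/bin/verify-agent-conf on the server checks the file's syntax before agents pull it.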
