So what would specifically go in the ossec.conf on the server side and what specifically goes in agent.conf?
It seems redundant - why would I add <localfiles> <directories to check> <ignore directories> ect. when I can put them in the agent.conf file? Is it essentially user preference? Whether I want to modify each agent's ossec.conf file or put everything in a centralized agent.conf file on the ossec server? Or should I edit the agent.conf file on each server individually? Sorry for the confusion - I just don't really get how it all ties together. On Wednesday, June 26, 2013 1:34:22 PM UTC-4, dan (ddpbsd) wrote: > > On Wed, Jun 26, 2013 at 1:02 PM, David Blanton > <[email protected] <javascript:>> wrote: > > So create/write the agent.conf file server side, restart ossec server, > and > > the agent.conf file gets pushed to the agents. Does this somehow > incorporate > > the local ossec.conf file located on the agents? > > > > The ossec.conf and agent.conf are both used. > > > > > On Monday, June 24, 2013 2:21:49 PM UTC-4, dan (ddpbsd) wrote: > >> > >> On Fri, Jun 21, 2013 at 10:51 AM, David Blanton > >> <[email protected]> wrote: > >> > To be brief, yeah it is checking. Not sure agent.conf did update, I > >> > manually > >> > just wrote in the xml lines required. > >> > > >> > I got so frustrated that I ended up just reinstalling OSSEC server > side, > >> > and > >> > import/exporting new keys and just pasting over my ossec.conf file. > >> > Everything ended up working this way. > >> > > >> > Just curious - why is there an agent.conf file server-side and an > >> > agent.conf > >> > file client side? > >> > > >> > >> You create it on the server, the server pushes it to the agent, and > >> the agent then uses that file for configuration. > >> If the agent didn't have a copy, how would it use the agent.conf? If > >> agents weren't supposed to use the agent.conf, why would it be named > >> that way? > >> > >> > -- > >> > > >> > --- > >> > You received this message because you are subscribed to the Google > >> > Groups > >> > "ossec-list" group. > >> > To unsubscribe from this group and stop receiving emails from it, > send > >> > an > >> > email to [email protected]. > >> > For more options, visit https://groups.google.com/groups/opt_out. > >> > > >> > > > > > -- > > > > --- > > You received this message because you are subscribed to the Google > Groups > > "ossec-list" group. > > To unsubscribe from this group and stop receiving emails from it, send > an > > email to [email protected] <javascript:>. > > For more options, visit https://groups.google.com/groups/opt_out. > > > > > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/groups/opt_out.
