Hi Dan,

Thanx a lot for your response. I figured it out. I didn't give it another 
thought but I packaged the agent (ref: 
https://launchpad.net/~nicolas-zin/+archive/ossec-ubuntu) so it's easier to 
deploy them with Chef. I made assumptions on that install. Back to the 
drawing board I guess.

A question does come to mind though. Suppose I have two monitoring servers 
each remotely checking half of my web servers. That would make me want to 
have different rule setups e.g. whitelist a different IP address.

A log 'location' could be as simple as "/var/www/apache/access.log". 
However half should be tuned onto the IP address of monitoring server 1 and 
the other onto monitoring server 2. When all rules reside on the OSSEC 
server, how would I be able to make that distinction?

Thanx again for your help!

Kind regards,

Gerard.


On Wednesday, October 30, 2013 3:08:41 PM UTC+1, dan (ddpbsd) wrote:
>
>
> On Oct 30, 2013 10:07 AM, "Gerard Petersen" <[email protected] <javascript:>> 
> wrote:
> >
> > Hi All,
> >
> > After a few long hours trying to have ossec honour some rules, it hit 
> me. The rule setup was needed on the server instead of the agents. Leaving 
> me with the question. Why are there (web)rule files on the ossec agent 
> since they are not looked at? Or are they?
> >
>
> They shouldn't be installed on the agents. What version did you install? 
> What OS?
>
> > Thanx a lot.
> >
> > Kind regards,
> >
> > Gerard.
> >
> > -- 
> >  
> > --- 
> > You received this message because you are subscribed to the Google 
> Groups "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send 
> an email to [email protected] <javascript:>.
> > For more options, visit https://groups.google.com/groups/opt_out.
>  

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.

Reply via email to