Hi Dan,

Thanx a lot for your response. I figured it out. I didn't give it another thought but I packaged the agent (ref: https://launchpad.net/~nicolas-zin/+archive/ossec-ubuntu) so it's easier to deploy them with Chef. I made assumptions on that install. Back to the drawing board I guess.

A question does come to mind though. Suppose I have two monitoring servers each remotely checking half of my web servers. That would make me want to have different rule setups e.g. whitelist a different IP address. A log 'location' could be as simple as "/var/www/apache/access.log". However half should be tuned onto the IP address of monitoring server 1 and the other onto monitoring server 2. When all rules reside on the OSSEC server, how would I be able to make that distinction?

Thanx again for your help!

Kind regards,

Gerard.

On Wednesday, October 30, 2013 3:08:41 PM UTC+1, dan (ddpbsd) wrote:
> On Oct 30, 2013 10:07 AM, "Gerard Petersen" <[email protected]> wrote:
> >
> > Hi All,
> >
> > After a few long hours trying to have ossec honour some rules, it hit me. The rule setup was needed on the server instead of the agents. Leaving me with the question. Why are there (web)rule files on the ossec agent since they are not looked at? Or are they?
> >
>
> They shouldn't be installed on the agents. What version did you install? What OS?
>
> > Thanx a lot.
> >
> > Kind regards,
> >
> > Gerard.
> >
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> > For more options, visit https://groups.google.com/groups/opt_out.
