On Wed, Oct 30, 2013 at 12:55 PM, Gerard Petersen <[email protected]> wrote: > Hi Dan, > > Thanx a lot for your response. I figured it out. I didn't give it another > thought but I packaged the agent (ref: > https://launchpad.net/~nicolas-zin/+archive/ossec-ubuntu) so it's easier to > deploy them with Chef. I made assumptions on that install. Back to the > drawing board I guess. > > A question does come to mind though. Suppose I have two monitoring servers > each remotely checking half of my web servers. That would make me want to > have different rule setups e.g. whitelist a different IP address. > > A log 'location' could be as simple as "/var/www/apache/access.log". However > half should be tuned onto the IP address of monitoring server 1 and the > other onto monitoring server 2. When all rules reside on the OSSEC server, > how would I be able to make that distinction? >
Have group 1 report to server 1, and group 2 resport to server 2. You can then have both server 1 and server 2 report to server 3 for distribution. > Thanx again for your help! > > Kind regards, > > Gerard. > > > On Wednesday, October 30, 2013 3:08:41 PM UTC+1, dan (ddpbsd) wrote: >> >> >> On Oct 30, 2013 10:07 AM, "Gerard Petersen" <[email protected]> wrote: >> > >> > Hi All, >> > >> > After a few long hours trying to have ossec honour some rules, it hit >> > me. The rule setup was needed on the server instead of the agents. Leaving >> > me with the question. Why are there (web)rule files on the ossec agent >> > since >> > they are not looked at? Or are they? >> > >> >> They shouldn't be installed on the agents. What version did you install? >> What OS? >> >> > Thanx a lot. >> > >> > Kind regards, >> > >> > Gerard. >> > >> > -- >> > >> > --- >> > You received this message because you are subscribed to the Google >> > Groups "ossec-list" group. >> > To unsubscribe from this group and stop receiving emails from it, send >> > an email to [email protected]. >> >> > For more options, visit https://groups.google.com/groups/opt_out. > > -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > For more options, visit https://groups.google.com/groups/opt_out. -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/groups/opt_out.
