I can't install the OSSEC agent on some of my Linux and Unix hosts. Our vendor has a custom compiled kernel on them and we can't add packages. I've tried compiling from source, installing from the shell script, etc. I can't add missing packages to these hosts, so it's not possible to get the OSSEC HIDS agent installed.
I thought about using the agentless method, but then I had another idea. I may be way off-track, so someone on this group might be able to set me straight.

I have a syslog-ng server that I'm forwarding logs to. I'm receiving syslog from external hosts, filtering by IP/name and dropping the logs into a specifically named text file in var/log/MYLOGS. My syslog-ng server has the OSSEC HIDS agent on it. Why can't I just go into ossec.conf on my syslog-ng server and add <localfile></localfile> specs to watch those local text files that are created from incoming forwarded syslog events?

Would the above method be superior to the agentless method? What would be the pros/cons?

Also, is there a way, when I specify the <localfile>, to have the hostname appear correctly in e-mail events? I've tested this and it works, but when I get an event from one of the forwarded servers it looks like it's coming from my syslog-ng server and not the server it was originally sent from.

Thanks!
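The setup described in the post, written out as an added example (not the poster's own configuration): an ossec.conf fragment on the syslog-ng host that watches the forwarded-log directory. The directory name /var/log/MYLOGS and the per-host file naming are assumptions; OSSEC attributes each alert to the agent that reads the file, so naming each file after its origin host keeps the sender recoverable from the alert's location field.

```xml
<ossec_config>
  <!-- Assumed layout: syslog-ng writes one file per forwarding host,
       e.g. /var/log/MYLOGS/web01.log, /var/log/MYLOGS/db02.log.
       Lines are plain syslog, so the syslog log_format applies. -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/MYLOGS/*.log</location>
  </localfile>

  <!-- Alerts raised from these files name the syslog-ng agent as their
       source; the originating host is visible in the alert's location
       (the file path) rather than in the agent name. -->
</ossec_config>
```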
