On Tue, Nov 19, 2013 at 5:16 PM, Cliftyman <[email protected]> wrote:
> I can't install the OSSEC agent on some of my Linux and Unix hosts.  Our
> vendor has a custom compiled kernel on them and we can't add packages.  I've
> tried compiling from source, installing from the shell script, etc.  I can't
> add missing packages to these hosts so it's not possible to get the OSSEC
> HIDS agent installed.
>
> I thought about using the agentless method but then I had another idea.  I
> may be way off-track so someone on this group might be able to set me
> straight.
>
> I have a syslog-ng server that I'm forwarding logs to.  I'm sending syslog
> for external hosts, filtering by IP/name and dropping the logs into a
> specifically named text file in var/log/MYLOGS
>
> My syslog-ng server has the OSSEC HIDS agent on it.  Why can't I just go
> into ossec.conf on my syslog-ng server and add <localfile></localfile> specs
> to watch those local text files that are created from incoming forwarded
> syslog events?
>

Because you don't have permission? No idea really.

> Would the above method be superior to the agentless method?  What would be

It would be different. The agentless configuration does not generally
cover logs, and this does not cover file integrity.

> the pros/cons?  Also is there a way when I specify the <localfile> to have
> the hostname appear correctly in e-mail events.
>

The hostname does appear correctly. It's the name the log message was
obtained from (in this case the log aggregation system).

> I've tested this and it works but when I get an event from one of the
> forwarded servers it looks like it's coming from my syslog-ng server and not
> the server it was originally sent from.
>
> Thanks!
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.

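As an added example, not taken from the thread or from the OSSEC project itself: an ossec.conf fragment for the agent on the syslog-ng host that watches the files syslog-ng writes for forwarded hosts. The `<localfile>`, `<log_format>` and `<location>` elements are standard OSSEC agent options and `$HOST` is a standard syslog-ng macro; the directory and file names are constructed to match the setup described in the question.

```xml
<!-- Added example, not part of the list thread. Assumes syslog-ng writes
     one file per remote sender, e.g.
       destination d_fwd { file("/var/log/MYLOGS/$HOST.log"); };
     so the originating hostname is carried in the file path as well as
     in the syslog header of every line. Paths below are constructed. -->
<ossec_config>
  <!-- One entry per forwarded host. The alert's "Received From" line
       names the syslog-ng agent plus this path, so a file named after
       the sender keeps the origin visible in the alert itself. -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/MYLOGS/webserver01.log</location>
  </localfile>

  <!-- Alternatively, a wildcard picks up every per-host file without
       editing ossec.conf each time a new sender is added. -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/MYLOGS/*.log</location>
  </localfile>
</ossec_config>
```

As the reply notes, OSSEC attributes the event to the agent that read the file (here the syslog-ng server); the original sender's name still survives in the file path chosen above and in the hostname field of each syslog line. This arrangement covers log analysis only: syscheck and rootcheck for the hosts without an agent would still need the agentless configuration.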