On Tue, Sep 16, 2014 at 8:07 AM, Muhammad Yousuf Khan <[email protected]> wrote:

> If I am going through with basic setup of ossec I have created few rules and
> they are working great.
>
> Please correct me if I am wrong, just need to clear my concept about the
> product.
>
> - what I found out is that there are no rules files on agents systems which
> means rules are not running on agents rather agents are sending logs to the
> manager and then manager system decides what to do.
>

That is correct.

>
> what I want to know is that do agent send all the logs in files that I
> defined in <localfiles> tab or just specific log which are defined in
> Manager/Server system rules?
>

The agent does not know which log messages have rules, so it sends everything.

> if agent sends all the logs rather than specific entries, in which file the
> logs are being stored on Master/Server node?

By default they are not. There is a log all option which logs all incoming log messages in /var/ossec/logs/archives.log.

> etc/alert.log are just ossec alerts they are not the logs received from
> agent systems.
>
>
> Can you guys please clear this confusion.
>
>
> Thanks,
> MYK
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
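
The split described in this thread, as an added configuration example that is not part of the original messages: the agent only names files to forward, and the manager decides whether unmatched events are kept. The monitored file path is an assumed sample; `logall` is the "log all" option the reply refers to.

```xml
<!-- Agent side: ossec.conf on the monitored host (constructed example).
     The agent has no rules, so every new line in this file is forwarded
     to the manager, whether or not any rule will match it. -->
<ossec_config>
  <localfile>
    <log_format>syslog</log_format>
    <!-- Assumed sample path; list each log the manager should see. -->
    <location>/var/log/auth.log</location>
  </localfile>
</ossec_config>

<!-- Manager side: ossec.conf on the server.
     Default behaviour: only events that trigger an alert are written out.
     With logall enabled, every received event is also archived, which is
     what makes later forensic review of non-alerting events possible. -->
<ossec_config>
  <global>
    <logall>yes</logall>
  </global>
</ossec_config>
```

With `logall` enabled the manager stores every event from every agent, so size and rotate the archive location accordingly; the setting takes effect after the manager is restarted.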
