I have about 30 hosts that I cannot install the OSSEC agent directly on. This is due to dependencies on old turnkey servers. Many of these servers don't have make or gcc on them, and I can't put them on there (or maybe I just don't have the know-how to get them on without breaking anything). I've attempted to use RPMs, but I still have dependency issues, and considering these servers don't have direct internet access, it makes it very hard to resolve dependencies.
Anyway... I've forwarded the auth logs from these systems to a syslog-ng server that I built, and I have an OSSEC agent running on this server. I include the log path in the config, and my OSSEC agent on the syslog server watches the logs just as it would if it were installed locally on the remote machine. I essentially have syscheck running on the remote machine (at least for auth).

The problem is every time I get an alert it comes from the logserver. This means I can't forward these alerts very easily using the global alerts config. I also send my alerts to Splunk, and it blows up my dashboard because my logserver has the bulk of the traffic and alerts.

I'm wondering if there is any way to use OSSEC properly in this use case... I don't really think agentless works as well, since it's only doing file integrity checks. I've kind of gotten spoiled to seeing syscheck running on these logs; I just need to find a way to make alerts appear as though they are coming from the originating log instead of the syslog server the logs are on?
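One way to keep the originating host visible in the collected logs, as an added example that is not from the original post: a syslog-ng configuration on the log server that writes each remote sender's auth messages into its own per-host file instead of one merged file. Version, ports, paths and permissions are assumptions for illustration.

```conf
@version: 3.5

# Keep the hostname the remote host put in the syslog header.
# With the defaults (keep_hostname(no), use_dns(yes)) syslog-ng replaces it
# with the resolved sender address, so $HOST below would not be the client's own name.
options {
    keep_hostname(yes);
    use_dns(no);
};

# Remote senders (the ~30 hosts without a local agent).
source s_remote {
    udp(ip("0.0.0.0") port(514));
    tcp(ip("0.0.0.0") port(514));
};

# Only auth/authpriv, matching what the remote hosts forward.
filter f_auth { facility(auth, authpriv); };

# One auth.log per originating host, e.g. /var/log/remote/web01/auth.log.
destination d_per_host {
    file("/var/log/remote/$HOST/auth.log"
         create_dirs(yes) dir_perm(0750) perm(0640));
};

log { source(s_remote); filter(f_auth); destination(d_per_host); };
```

On the log server's agent, add one `<localfile>` per host path (or a wildcard such as `/var/log/remote/*/auth.log`, which OSSEC on Linux accepts in `<location>`); the alert's location field then carries the originating host's directory, although the reporting agent is still the log server.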
