On Jul 20, 2010, at 5:07 AM, ItsMikeE wrote:
> There is an ossec.conf file on both the server and the clients.
>
> Obviously on the client there is a section that details the server IP.
>
> For the syscheck section I am unclear on what is taken from the client
> and what is taken from the server.

For the server, ossec.conf is the master. I'm not aware of any other way to tell the server what to check on the local server machine.

For clients, you can do this two ways. You can use the ossec.conf file on the client, though this can get tedious rather quickly. For myself, I just put the server IP in there and leave it be. The other option is to use agent.conf on the server. I believe it's /var/ossec/etc/agent.conf. This file is treated just like an ossec.conf file, but you can add additional information in there to identify what clients get what config. More information is here: http://www.ossec.net/main/manual/centralized-config/

> Is this documented on the website or in the book?

I've found the site documentation to be enough to get started, assuming you're willing to experiment a bit. I have the book on order right now and I'm eagerly awaiting my copy... My hope is that it is significantly more detailed than the site.

---------------------------
Jason 'XenoPhage' Frisvold
xenoph...@godshell.com
---------------------------
"Any sufficiently advanced magic is indistinguishable from technology."
- Niven's Inverse of Clarke's Third Law
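
The split described in the reply above, as an added configuration sketch that is not part of the original message: a minimal client-side ossec.conf that only names the server, and a server-side agent.conf that scopes syscheck settings to particular agents. The server address, the agent name web01 and the monitored paths are constructed values; OSSEC's centralized-configuration documentation places the shared file at /var/ossec/etc/shared/agent.conf.

```xml
<!-- Agent side: /var/ossec/etc/ossec.conf (constructed example).
     Only the manager address is set locally; syscheck policy is
     delivered from the server through agent.conf. -->
<ossec_config>
  <client>
    <server-ip>192.0.2.10</server-ip> <!-- constructed address -->
  </client>
</ossec_config>

<!-- Server side: agent.conf, pushed to agents by the manager.
     Each agent_config block is written like an ossec.conf section;
     the name / os / profile attributes select which agents get it. -->

<!-- Applies to every agent that reports a Linux OS string. -->
<agent_config os="Linux">
  <syscheck>
    <!-- Scan interval in seconds (6 hours). -->
    <frequency>21600</frequency>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>
    <!-- Files that change constantly and would only add noise. -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/adjtime</ignore>
  </syscheck>
</agent_config>

<!-- Applies only to the agent registered as "web01" (constructed name),
     in addition to the Linux block above. -->
<agent_config name="web01">
  <syscheck>
    <directories check_all="yes">/var/www</directories>
    <ignore>/var/www/cache</ignore>
  </syscheck>
</agent_config>
```

Because the agent-side file carries nothing but the server address, integrity-monitoring policy is changed in one place on the server, and a host that is compromised cannot quietly narrow its own checks by editing a local syscheck section that the server would otherwise never see.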