Thanks for the response Dave This if for Linux (RHEL) only. I don't have a setup to test (yet) but I am thinking along these lines.
There are 3 servers in a cluster. There may be more than one clustered service, and they would not all move together, so I would not want ossec agent to be a clustered service itself. Install OSSEC agent software on all 3 servers. Configure additional agents using the clustered service IP addresses, and monitor the clustered services through this (using agent.conf). I am guessing that I cannot monitor the individual servers as well as the clustered services, as that would require more than one agent.conf file (one for server and one for clustered service) Mike