Hi Reggie, I did not try get it to work. I was just asking a question to understand how ossec is designed. (I am in the middle of reading the sources).
On Tue, Jun 7, 2011 at 10:35 AM, reg <regoma...@gmail.com> wrote: > Christopher, > > I am curious how you got this to work. I get all sorts of errors > trying that. > > 2011/06/07 13:28:22 ossec-syscheckd(1702): INFO: No directory provided > for syscheck to monitor. > 2011/06/07 13:28:22 ossec-syscheckd: WARN: Syscheck disabled. > 2011/06/07 13:28:22 ossec-rootcheck: System audit file not configured. > 2011/06/07 13:28:23 ossec-agentd(4102): INFO: Connected to the server > (x.x.x.x:1514). > 2011/06/07 13:28:26 ossec-syscheckd: INFO: Started (pid: 13684). > 2011/06/07 13:28:26 ossec-rootcheck: INFO: Started (pid: 13684). > 2011/06/07 13:28:28 ossec-logcollector: INFO: Started (pid: 13680). > 2011/06/07 13:30:00 ossec-rootcheck: INFO: Starting rootcheck scan. > 2011/06/07 13:30:00 ossec-rootcheck: No rootcheck_files file > configured. > 2011/06/07 13:30:00 ossec-rootcheck: No rootcheck_trojans file > configured. > 2011/06/07 13:42:27 ossec-rootcheck: INFO: Ending rootcheck scan. > 2011/06/07 13:47:27 ossec-syscheckd(1105): ERROR: Attempted to use > null string. > 2011/06/07 14:02:49 ossec-syscheckd(1105): ERROR: Attempted to use > null string. > 2011/06/07 14:18:11 ossec-syscheckd(1105): ERROR: Attempted to use > null string. > > I would prefer only having the IP address in the ossec.conf file. > > -Reggie > > On Jun 6, 2:03 pm, "dan (ddp)" <ddp...@gmail.com> wrote: > > When there's a conflict the agent's ossec.conf is generally used. I > > find it's best to remove everything except the server-ip setting from > > the agent ossec.conf files. > > > > On Mon, Jun 6, 2011 at 8:50 AM, Christopher Moraes > > > > > > > > > > > > > > > > <cmoraes....@gmail.com> wrote: > > > Hi Frank, > > > If I create an agent.conf file on the server, will it overwrite the > settings > > > of the agent's local ossec.conf or are the two configs merged in some > way? > > > > > On Mon, Jun 6, 2011 at 6:29 AM, Frank Stefan Sundberg Solli > > > <frankste...@gmail.com> wrote: > > > > >> Hi. > > > > >> The file can be found in shared/agent.conf > > > > >> On Mon, Jun 6, 2011 at 3:42 AM, treydock <treyd...@gmail.com> wrote: > > > > >>> What settings from the OSSEC server's etc/ossec.conf file are used to > > >>> on the clients? For example I've defined rules and active responses > > >>> on my server, and they are working fine, but what about <localfile> > > >>> items? Is there a way to centrally define what local files an agent > > >>> should be checking, or would this be the case where something like > > >>> Puppet comes into play? I have this on my server, and it works, but > > >>> just realized I probably need to push this to my clients, > > > > >>> <localfile> > > >>> <log_format>syslog</log_format> > > >>> <location>/var/ossec/logs/active-responses.log</location> > > >>> </localfile> > > > > >>> Thanks > > >>> - Trey > > > > >> -- > > >> MVH/With regards > > > > >> Frank > > >> -- > > >> Name: Frank Stefan Sundberg Solli > > >> E-mail: frankste...@gmail.com > > >> Web: http://fssol.blogspot.com > > >> GPG: 684119F4 >