On Tue, Dec 4, 2012 at 9:31 PM, peng lin <[email protected]> wrote:
>
> On Tuesday, December 4, 2012 9:48:07 PM UTC+8, dan (ddpbsd) wrote:
>>
>> On Mon, Dec 3, 2012 at 9:37 PM, peng lin <[email protected]> wrote:
>> > how to install with hybrid mode ?
>> > is that use this ? to layer Deploy?
>> > server
>> > |
>> > |
>> > --- hybrid----------------hybrid--------
>> > | | | |
>> > agent agent agent agent...
>> > if this ,
>> > 1 how to config hybrid 's ossec.conf and agent's ?
>> > 2 who Collect agent's alerts? hybrid or server ?
>> > 3 if hybrid collect agent's alerts , how to send them to server , can
>> > hybrid
>> > auto Forwarding the messages?
>> > 4 have some docs to introduce it ?
>> >
>> >
>>
>> You can select hybrid during the installation instead of local, agent,
>> or server. The install script takes care of most of the basic
>> configuration.
>>
>> In hybrid mode the agents send their log messages (agents NEVER deal
>> with alerts) to the hybrid-server. The hybrid-server analyzes the
>> messages, and forwards alerts to another server. The hybrid-server
>> does not forward log messages, only alerts.
>
>
> do you means in hybrid ossec.conf,i should add
> <client>
> <server-ip>real serverip</server-ip>
> </client>
> and in agent's ossec.conf,i add
> <client>
> <server-ip>hybrid ip </server-ip>
> </client> in global areas to finish the config
> what else should pay attention to it ?
>
>
No, probably not. I guess I haven't explained hybrid mode well enough.

Hybrid mode performs both a server installation and an agent installation on the same system. I believe the server install is performed in /var/ossec and the agent in /var/ossec/ossec-agent by default. install.sh walks you through this and the basic configuration when you select a hybrid install.

Both installs are configured as normal. The server install's ossec.conf is at /var/ossec/etc/ossec.conf. The agent's ossec.conf is at /var/ossec/ossec-agent/ossec.conf. The settings for each installation are separate; do not mix them up, as this will cause issues.
