On Mon, Oct 13, 2014 at 10:50 AM, <de...@scratters.com> wrote:
> Goodness, I'm nowhere near clued up enough to suggest how to improve things
> just yet. I haven't read enough of it!
>
> But note that neither yours nor Jan's posts actually answer my question
> (although I completely appreciate your good intentions).
>
> When I look at the basic information, here:
>
> http://ossec-docs.readthedocs.org/en/latest/manual/ossec-architecture.html
>
> I learn about the manager and agents, and the concept of agentless. The
> description of the agent says "The agent is a small program, or collection
> of programs, installed on the systems to be monitored." OK, well the system
> to be monitored in my case is the one with the manager on it, so I'm
> expecting to see both the manager and agent processes on my box. Is that
> incorrect?
>

If you choose a local installation you get some of each. Obviously you
won't need remoted or agentd. In a server (manager) installation the
processes that monitor log files and file integrity still run, giving
the manager the same benefits that an agent receives. This is also true
in a local installation.

> Following Jan's prompt I've made a "local" installation. I wouldn't yet know
> how to recognise an agent process on it, but at first glance there doesn't
> seem to be one. That seems to imply I've got an agentless install on my
> server. Is that incorrect?
>

I'm going to say that is incorrect. If you installed something on the
system it's not agentless. You should also notice logcollectord and
syscheckd which are a couple of the big processes on an agent.

> I think at this stage, as a newbie, I'd appreciate a brief description of
> the concept of "local installation" on that architecture page. Hard to be
> sure at the moment though. :)
>

I'll play around with it. Thanks!

> On Monday, 13 October 2014 15:34:03 UTC+1, dan (ddpbsd) wrote:
>>
>> On Mon, Oct 13, 2014 at 9:06 AM, <de...@scratters.com> wrote:
>> > I'm exploring the use of OSSEC and I've got a question the docs I've
>> > read aren't yet answering. I think it's going to be quicker to just
>> > ask...
>> >
>> > I have a single Linux box which runs in the DMZ. It has a few services,
>> > with Apache and Squid being the main ones. I want to put OSSEC on it
>> > primarily in a log monitoring role. The thing that just won't click
>> > from reading the docs and presentations so far is whether a single
>> > machine scenario uses an agent or not.
>> >
>> > There appear to be these possibilities:
>> >
>> > * the manager and agent run together and the agent talks to its local
>> >   manager using "localhost" based communications;
>> > * the manager sort of runs the agent's processes itself, and hence
>> >   there is no communications between the two pieces;
>> > * something else. :)
>> >
>> > I know the answer is in there somewhere, but I've been wading through
>> > docs for 3 hours now and I've probably missed it. Can someone point me
>> > at the answer?
>> >
>>
>> I think you're looking for a local installation. I have server/agent
>> installations on a local machine, but that's mostly for testing
>> purposes.
>> If you could point out where in the documentation I could explain this
>> better, I'll submit an improved version by tonight.
>>
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google
>> > Groups "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send
>> > an email to ossec-list+...@googlegroups.com.
>> > For more options, visit https://groups.google.com/d/optout.