Vilius, OSSEC is designed to receive alerts from the present and not old 
logs. If you send old logs to OSSEC, the alert timestamp will be the 
timestamp when the alert was triggered (and not the timestamp when the log 
was generated). I was talking about a related issue here 
<https://groups.google.com/forum/#!topic/wazuh/eSqkmBfSSIk>.

Nick, usually it is not a good idea to make your Manager accessible from 
the public Internet. If your server has a security breach, anyone could 
access confidential information of your agents. They could even control 
them if they have active response enabled. If you are sure, follow some 
security hardening guide for your host and configure your firewall 
properly. I would not recommend making an OSSEC Manager public.

Regards.

On Tuesday, September 13, 2016 at 6:47:14 PM UTC+2, Nick Giannoulis wrote:
>
> Didn't know you can use "ANY", that's great, thanks a lot. If my ossec 
> server is accessible externally, any alerts from the agents should still 
> reach my server, right? (if the agents are connected to the net and 
> nothing blocking)
>
> On Tuesday, 13 September 2016 10:51:37 UTC+1, Jesus Linares wrote:
>>
>> Hi,
>>
>> As Eero said, you can register your agents with ANY instead of the IP.
>>
>> Anyway, remember that the agents send the alerts in real time. *Alerts are 
>> not stored to be sent later*. So, you are not going to receive the 
>> alerts generated in your agents when they were not connected to the Manager 
>> network.
>>
>> Regards.
>>
>> On Tuesday, September 13, 2016 at 11:23:56 AM UTC+2, Eero Volotinen wrote:
>>>
>>> You can use IP address any while creating agent keys for roaming devices.
>>>
>>> Eero
>>>
>>> 2016-09-13 10:58 GMT+03:00 Nick Giannoulis <ni...@nea-idea.com>:
>>>
>>>> Hi all,
>>>> I have an OSSEC server running perfectly, monitoring all my servers. I 
>>>> want to expand it to start monitoring my 'normal' clients (win7-10 
>>>> laptops and workstations). Some of these laptops will be outside of the 
>>>> network most of the time. Considering that ossec agents shouldn't have the 
>>>> same IP, is there any workaround for my situation? I imagine at some point 
>>>> or another a few laptops will have the same IP while they are connected to 
>>>> various other networks.
>>>>
>>>>
>>>> -- 
>>>>
>>>> --- 
>>>> You received this message because you are subscribed to the Google 
>>>> Groups "ossec-list" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send 
>>>> an email to ossec-list+...@googlegroups.com.
>>>> For more options, visit https://groups.google.com/d/optout.
>>>>
>>>
>>>
