ossec centralized management
Some notes on my efforts to centrally manage ossec-clients with one ossec-server installation.
Some facts:
How does the whole agent-server configuration work?:
The only thing I've found that HAS to be defined in the agent's ossec.conf file is the server IP. Everything else can be configured in the agent.conf on the server.
agent.conf is stored in /var/ossec/etc/shared/
/var/ossec/bin/agent_control -i 016
This will provide information on the client in question (ID = 016) as well as the version its running as such:
The md5sum of the agent.conf file should be the same at the signature above
More to come :)
Some facts:
How does the whole agent-server configuration work?:
- agent monitors files, does system and root checks, etc
- forwards all configured inputs to the server
- server checks events against the rules, sends alerts/reports and tells the agent to run active responses
- agent runs active responses
The only thing I've found that HAS to be defined in the agent's ossec.conf file is the server IP. Everything else can be configured in the agent.conf on the server.
agent.conf is stored in /var/ossec/etc/shared/
/var/ossec/bin/agent_control -i 016
This will provide information on the client in question (ID = 016) as well as the version its running as such:
Client version: OSSEC HIDS v2.5.1 / 00e5770b1c88ce9e9500de69e03e6c21
The md5sum of the agent.conf file should be the same at the signature above
00e5770b1c88ce9e9500de69e03e6c21 /var/ossec/etc/shared/agent.conf
More to come :)