ossec centralized management

Some notes on my efforts to centrally manage ossec-clients with one ossec-server installation.

Some facts:

How does the whole agent-server configuration work?:
  1. agent monitors files, does system and root checks, etc
  2. forwards all configured inputs to the server
  3. server checks events against the rules, sends alerts/reports and tells the agent to run active responses
  4. agent runs active responses

The only thing I've found that HAS to be defined in the agent's ossec.conf file is the server IP. Everything else can be configured in the agent.conf on the server.

agent.conf is stored in /var/ossec/etc/shared/

/var/ossec/bin/agent_control -i 016

This will provide information on the client in question (ID = 016) as well as the version its running as such:

Client version:      OSSEC HIDS v2.5.1 / 00e5770b1c88ce9e9500de69e03e6c21

The md5sum of the agent.conf file should be the same at the signature above

00e5770b1c88ce9e9500de69e03e6c21  /var/ossec/etc/shared/agent.conf

More to come :)

Popular Posts