Installation Types¶
OSSEC can be installed in an agent/server combination or as a stand-alone system. The stand-alone installation is essentially a server installation without the pieces that interact with agents. The server installation includes the agent functionality for the local system.
Server¶
In an OSSEC server/agent installation, the agents pass log messages to the server for processing. Rules and decoders are installed only on the server. Alerts are generated and distributed from the server.
Agent¶
OSSEC agents tail the local log files and forward the messages to the OSSEC server. Local file integrity monitoring messages are also forwarded to the server.
Hybrid¶
A hybrid installation is both a server and agent. As a server it processes logs for a number of agents, and as an agent it forwards alerts to another server.
Local¶
A local, or stand-alone, installation resides entirely on a singular system. It is not associated with a server or agents. Decoders and rules will be stored on a local installation.