I wounder if it is possible to have one machine with OSSEC installed and configured, then configure agents to whatch and over another machine in the same subnet?
It certainly used to be done this way. Essentially, you would set up an OSSEC server, and then install the agent on the machines that the OSSEC server would watch. With that, you could set up reporting by hostname that would give you results based on the weight of the instance that OSSEC saw. It’s been a long time since I’ve set this up, but I used to have documentation for that. The key is to install OSSEC server on the main machine and then install the agents. The easiest way to do this is to enable the atomic repository:
wget -q -O - https://updates.atomicorp.com/installers/atomic | sh
Then install the ossec server on the machine that you want to act as the server:
dnf install ossec-hids ossec-hids-server
then install the agents on the machines you want to track (again, the easiest way is to use the atomic repository for this, so repeat that step above):
dnf install ossec-hids ossec-hids-agent
Then finally use the following link that describes how to manage the agents:
Again, it’s been awhile since I’ve done this, but I used to use this setup at my old $dayjob all the time.
I’ve been running Wazuh on all the machines at the office for ~18mo and it holds up pretty well. It’s built on a fork of OSSEC, it even installs to /var/ossec.