Please excuse me if this is not the proper place, but I was reading Josh's paper (https://www.sans.org/reading-room/whitepapers/forensics/sysmon-enrich-security-onion-039-s-host-level-capabilities-35837) in regard to the use of Sysmon, Windows Event Collector Framework, and OSSEC to forward logs from Windows workstations and servers to Security Onion, but I wanted to be sure about a thing or two before I began such a project.
From the paper, I can see that the intention (for the Hybrid setup) is that Sysmon will be running on all workstations (onsite/offsite), and all workstations will be configured with Windows Event Forwarding to forward logs to a log collector (OSSEC). From here the log collector will forward information to Security Onion (sensor).

The log collector should be running the OSSEC *agent*, correct? Or is this to run the manager? I guess my impression was that the agent only collected logs locally, but what I have read gives me the impression that the agent can be forwarded logs and forward those logs as well? Again, please excuse my ignorance. If anyone could clarify or could point me towards some more information, I would greatly appreciate it.

Thanks,
Wes